
Chapter 18. Archiving Encryption Keys > The Key Recovery Process - Pg. 457

Certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256

Once the settings are configured, you must then restart Certificate Services. If you enable AES, the key length can be set to 128, 192, or 256 bits. Also, key recovery operations must be performed only at a computer running Windows Vista or Windows Server 2008. Computers running Windows XP do not support AES algorithms by default; AES support was added in Windows XP SP1.

9. The CA saves the encrypted key BLOB--which contains the encrypted private key and the symmetric key encrypted with the public keys of one or more Key Recovery Agent certificates--to the CA database.

10. The CA processes the certificate request normally and responds to the client with a CMC full PKI response containing the certificate issued to the requestor.

The result of this process is that the client receives a certificate signed by the issuing CA, and the certificate and the associated private key are archived in the CA database. Because of the encryption, only a designated key recovery agent can decrypt the private key material stored in the CA database.
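The configuration step above, as an added PowerShell example that is not from the book: it reads the CA's EncryptionCSP settings from the registry key that Certutil -setreg CA\... writes to, reports any setting that differs from AES-256, and with -Apply corrects it and restarts Certificate Services. It assumes an elevated prompt on the CA itself; the Provider, CSPType and EncryptionAlgorithm values are the standard AES-256 settings for the RSA/AES CSP, which this page does not show.

```powershell
# Added example (not the book's code): audit the CA's archival-key encryption
# settings, optionally correct them to AES-256, then restart Certificate Services.
# Assumes an elevated PowerShell session on the CA; values below are the standard
# AES-256 settings for the RSA/AES CSP (only SymmetricKeySize is on the page).
param([switch]$Apply)

$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName     = (Get-ItemProperty -Path $ConfigRoot -Name Active).Active
$CspKey     = Join-Path $ConfigRoot "$CaName\EncryptionCSP"

# Desired values: PROV_RSA_AES (24), CALG_AES_256 (0x6610), 256-bit symmetric key.
$Desired = [ordered]@{
    Provider            = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    CSPType             = 24
    EncryptionAlgorithm = 0x6610
    SymmetricKeySize    = 256
}

function Get-CspDrift {
    $current = Get-ItemProperty -Path $CspKey -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $actual = if ($current) { $current.$name } else { $null }
        if ("$actual" -ne "$($Desired[$name])") {
            [pscustomobject]@{ Setting = $name; Current = $actual; Desired = $Desired[$name] }
        }
    }
}

$drift = @(Get-CspDrift)
if ($drift.Count -eq 0) {
    Write-Host "EncryptionCSP for '$CaName' is already configured for AES-256."
    return
}
Write-Host "Settings on '$CaName' that differ from AES-256:"
$drift | Format-Table -AutoSize | Out-String | Write-Host
if (-not $Apply) {
    Write-Host 'Re-run with -Apply to correct them (this restarts CertSvc).'
    return
}
foreach ($d in $drift) {
    # certutil -setreg CA\... writes under the active CA's Configuration key.
    certutil -setreg "CA\EncryptionCSP\$($d.Setting)" "$($d.Desired)" | Out-Null
}

# The new settings take effect only after Certificate Services restarts.
Restart-Service -Name CertSvc

$remaining = @(Get-CspDrift)
if ($remaining.Count -eq 0) { Write-Host 'AES-256 archival encryption is now in effect.' }
else { Write-Warning "Still differing: $($remaining.Setting -join ', ')" }
```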