Microsoft PKI Key Recovery Utility
Hello again, I was asked by my company to credential everyone in the organization with S/MIME certificates. One of the requirements (obviously) was that we needed to be able to recover encryption keys in a timely fashion for a) users who have lost their key and b) the legal department for eDiscovery purposes. We are using a 2008 R2 CA. Microsoft used to provide a free utility that simplified key recovery (KRTool.exe) but it had been deprecated after WS2003. Microsoft Forefront Identity Manager (formerly ILM & formerly formerly idNexus) could have fulfilled the requirement, but it is also quite costly (there is a license charge per seat that gets up there if you're a large organization). In order to fulfill the requirement, I created the app that's linked below. Through a GUI, the user is enabled to recover keys for a single user or for a list of users (for eDiscovery purposes). The person who does the recovery has access to the resultant PFX files, but the password that protects those files is emailed directly to the user or eDiscovery rep.

There are still a few caveats with the tool that I would like to eventually iron out:
- The user must have both CA Manager permissions on the CA and the Key Recovery Agent private key in their CAPI store (I can probably solve this eventually via impersonation, but how to hide the service account password?)
- The tool currently requires that both certutil.exe and certadm.dll be on the machine & in a PATH directory. I plan to look into whether I can re-design the tool to use an API rather than running shell commands.

Additionally, I would eventually like to create a secure web-based self-service portal. I will need to learn ASP programming before I'll be ready for that :laugh:

Source: http://tinyurl.com/3syshzs
Binaries: http://tinyurl.com/4y9usns
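The two-step certutil recovery the post's tool wraps (pull the archived key blob from the CA, then decrypt it with the Key Recovery Agent key into a password-protected PFX), scripted in PowerShell as an added example. This is not the poster's code; it assumes the same preconditions the post names (CA Manager rights, KRA private key in the operator's CAPI store), and the CA config string, UPN, paths and mail settings are placeholders.

```powershell
# Added example, not the forum poster's tool. Placeholders: CA config, UPN, paths, SMTP.
param(
    [string]$CaConfig = 'CA01.corp.example\Corp-Issuing-CA',   # placeholder "Host\CAName"
    [string]$UserUpn  = 'jdoe@corp.example',                   # placeholder subject to recover
    [string]$OutDir   = 'C:\KeyRecovery'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$safeName = $UserUpn -replace '[@.]', '_'
$blob = Join-Path $OutDir "$safeName.blob"
$pfx  = Join-Path $OutDir "$safeName.pfx"

# Step 1: export the archived key material from the CA database. certutil -getkey
# accepts a UPN as the search token and writes a recovery blob that is still
# encrypted to the KRA certificate(s); it needs CA Manager rights on the CA.
& certutil.exe -config $CaConfig -getkey $UserUpn $blob
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }

# Step 2: decrypt the blob with the KRA private key in the operator's store and
# emit a PFX. The password is generated, not chosen, so the operator who holds
# the PFX does not also hold a memorable password for it.
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)
& certutil.exe -p $password -recoverkey $blob $pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }

# The blob still carries the user's private key (KRA-encrypted); do not leave it
# on the recovery workstation once the PFX exists.
Remove-Item $blob -Force

# Deliver the password out of band to the end user / eDiscovery rep, as the
# post's tool does. SMTP parameters are placeholders.
Send-MailMessage -To $UserUpn -From 'pki@corp.example' -SmtpServer 'smtp.corp.example' `
    -Subject 'Password for your recovered key file' `
    -Body "The password protecting your recovered key file is: $password"
Write-Host "Recovered key written to $pfx; password mailed to $UserUpn"
```

Keep the PFX and the password on separate channels (file to the operator, password to the recipient) so that neither party alone can open the recovered key; the CA audit log records the -getkey call, which is what an auditor will check against the recovery ticket.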
If you want to share this tool, you might want to follow Dave's advice on your other post, about writing an article about it. That way, you don't just share the tool and code, but you get to share some programming knowledge as well. Also, try to avoid shortened URLs. Personally, for me, I would not want to open a URL which I have no idea about. If you have a programming question, you might want to post it in one of the Programming forums, or the Design and Architecture forum, if it's a design question.