Certificate Services key archival is not supported on this version of Windows Server.
Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.
Use a version of Windows Server 2016+ that supports AD CS key archival
Key archival is available only with certification authorities (CAs) that are installed on computers running the Windows Server 2016+ Enterprise operating system or the Windows Server 2016+ Datacenter operating system.
Confirm that the CA you are using is installed on a computer running Windows Server 2016+ Enterprise or Windows Server 2016+ Datacenter.
To identify the Windows edition:
Open an Explorer window, right-click Computer, and click Properties.
In the section titled Windows edition, confirm that one of the versions that support key archival is listed.
To confirm that key archival and recovery are working properly:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
In the console tree, right-click the name of the certification authority (CA), and then click Properties.
Click the Recovery Agents tab.
Confirm that all key recovery agent certificates are listed as Valid.
In the Certificate Templates container, confirm that the encryption certificate template has the option Archive subject's encryption private key selected on the Request Handling tab.
Open the Certificates snap-in for a user account that has permissions to enroll for a certificate based on this certificate template.
In the console tree, right-click Personal, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard.
Enroll for a certificate based on the encryption template, and confirm that the enrollment completes successfully and no errors are reported.
When the enrollment is complete, open the Certification Authority snap-in.
In the console tree, click Issued Certificates.
Locate the entry for the certificate that was just issued, and add the Archived Key column to the snap-in display list.
Confirm that the word Yes appears in the Archived Key column for the certificate that was just issued.
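The same checks can be scripted instead of walked through in the MMC. The following PowerShell is an added example, not part of the management pack or of this article: it reads the Windows edition, the CA's configured key recovery agents, the archival flag on a certificate template, and the Archived Key state of one issued certificate. The registry value names (Active, KRACertCount, KRACertHash), the CA database column KeyRecoveryHashes, the msPKI-Private-Key-Flag bit, and the template name are assumptions based on how AD CS stores this data, not values taken from this page.

```powershell
# Added example, not from the management pack or the article: scripts the
# checks the procedure above performs in the MMC. Run on the CA host with
# local administrator rights. Registry value names and the KeyRecoveryHashes
# column are assumptions, not values stated on this page.

function Get-WindowsEditionInfo {
    # Mirrors "Windows edition" in System properties; the article names the
    # Enterprise and Datacenter editions as the ones that support key archival.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption             = $os.Caption
        Version             = $os.Version
        SupportsKeyArchival = [bool]($os.Caption -match 'Enterprise|Datacenter')
    }
}

function Get-KeyRecoveryAgentConfig {
    # Mirrors the Recovery Agents tab: how many KRA certificates the CA uses
    # and which certificate hashes are configured (assumed registry layout).
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path -Path $base -ChildPath $caName)
    [pscustomobject]@{
        CAName       = $caName
        KRACertCount = [int]$cfg.KRACertCount
        KRACertHash  = @($cfg.KRACertHash)
    }
}

function Test-TemplateArchivesPrivateKey {
    # Mirrors the Request Handling tab: "Archive subject's encryption private key"
    # sets CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in msPKI-Private-Key-Flag.
    # $TemplateName is the template's CN in AD (hypothetical name used below).
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $flags = [int]$tpl.Properties['msPKI-Private-Key-Flag'].Value
    ($flags -band 0x1) -ne 0
}

function Test-IssuedCertificateKeyArchived {
    # Mirrors the "Archived Key" column in Issued Certificates for one request.
    # certutil prints EMPTY for a column with no value; a hash means the
    # private key was archived with the request (column name is an assumption).
    param([Parameter(Mandatory)][int]$RequestId)
    $out = certutil -view -restrict "RequestID=$RequestId" -out 'RequestID,KeyRecoveryHashes' 2>&1
    $row = $out | Where-Object { $_ -match 'Archived Key|Key Recovery|KeyRecoveryHashes' }
    [bool]($row -and ($row -notmatch 'EMPTY'))
}

# Usage: report each prerequisite in turn.
Get-WindowsEditionInfo | Format-List
Get-KeyRecoveryAgentConfig | Format-List
Test-TemplateArchivesPrivateKey -TemplateName 'ArchivedEncryption'   # hypothetical template CN
Test-IssuedCertificateKeyArchived -RequestId 1                       # constructed request ID
```

A CA with KRACertCount of 0 or an empty KRACertHash list has no usable recovery agent, which is the condition the Recovery Agents tab would show as no Valid certificates; a template whose flag test returns False will issue certificates with No in the Archived Key column regardless of the CA configuration.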
Property | Value |
---|---|
Target | Microsoft.Windows.CertificateServices.CARole.2016 |
Category | EventCollection |
Enabled | True |
Event_ID | 81 |
Event Source | Microsoft-Windows-CertificationAuthority |
Alert Generate | False |
Remotable | True |
Event Log | Application |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.81" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">81</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
  </WriteActions>
</Rule>
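The rule's And expression matches Application-log events whose EventDisplayNumber is 81 and whose PublisherName is Microsoft-Windows-CertificationAuthority, and because Alert Generate is False it only collects them to the Operations Manager database without raising an alert. The PowerShell below is an added example, not part of the management pack: it reproduces that filter with the Event Log XPath form that Get-WinEvent accepts, so the same events can be pulled directly from a CA host when checking what the rule would have collected. In the XPath, EventDisplayNumber corresponds to System/EventID and PublisherName to System/Provider/@Name; the function and parameter names are this example's own.

```powershell
# Added example, not part of the management pack: builds the Event Log XPath
# equivalent of the SCOM rule above (EventID = 81 AND Provider =
# Microsoft-Windows-CertificationAuthority in the Application log) and runs it.

function New-EventRuleFilterXml {
    # Defaults mirror the rule's two SimpleExpressions and its LogName.
    param(
        [string]$LogName       = 'Application',
        [string]$PublisherName = 'Microsoft-Windows-CertificationAuthority',
        [int]   $EventId       = 81
    )
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[Provider[@Name='$PublisherName'] and (EventID=$EventId)]]
    </Select>
  </Query>
</QueryList>
"@
}

function Get-CollectedCAEvents {
    # Returns the events the rule would collect from one host. Get-WinEvent
    # raises an error rather than returning nothing when no event matches,
    # so that case is turned into an empty result.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]   $MaxEvents    = 50
    )
    $filter = New-EventRuleFilterXml
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterXml $filter -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, ProviderName, MachineName, Message
    }
    catch {
        if ($_.Exception.Message -like '*No events were found*') { @() } else { throw }
    }
}

# Usage: show the filter, then list matching events on the local CA host.
New-EventRuleFilterXml
Get-CollectedCAEvents | Format-Table -AutoSize -Wrap
```

Passing a different EventId or PublisherName to New-EventRuleFilterXml gives the equivalent filter for the other event collection rules in this pack, which follow the same two-condition pattern.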