KRA Certificate Expired! Now what?

---

Hello Ronnie,

I am like this cannot be happening. Anyways, I took over certs from a previous admin and guess what, I see the KRA cert has expired. Now if I renew the cert then it is not possible to recover anything that has been encrypted with the previous cert, so what are my options? Any ideas?

Regards,
Satish.

@satish-shekhar,

I've been away for about a week now... right off the top of my head, I would say you're going to have to manually removed the expired certificate. Of course this means you'll have to decrypt all files encrypted with it first...then remove it...then you can issues a new certificate and re-encrypt it. But this may be depended on your Server version.

If there's a automatic way to do it, I would suggest that. That I believe would be the ideal way is through the automatic may to do it. I'll check with the Microsoft Kung-Fu Masters when they arrive this morning!

@satish-shekhar ,

Is it the KRA certificate that has expired or the DRA certificate?

The Key Recovery Agent certificate is used to encrypt the private keys of issued certificates for key archival. It is not used for recovery of encrypted files, that is the purpose of the Data Recovery Agent.

If the KRA certificate has expired, you will need to issue a new KRA certificate. This certificate will be used to archive all future archived private keys. You will want to keep the expired KRA certificate, as it will be required to recover any keys archived before the new KRA certificate is issued. Even though the certificate has expired, it can still be used to decrypt archived keys.

If the DRA certificate has expired, you will need to issue a new DRA certificate. Then you will update group policy to reference the new and remove the old DRA from the policy. As users access their encrypted files, the DRA will be updated. You will want to export and keep the old DRA certificate, in case it is needed in the future.

When a certificate expires, it can no longer be used to sign anything. This is why the renewal process fails for an expired certificate, because you cannot sign the renewal request with an expired certificate. Expired certificates can still be used to decrypt however, as you are not signing anything.

Hope this helps, let me know if you need more information or clarification on this process.

Thanks for watching!

Thanks Mike.

It is the KRA cert that has expired and users are getting error because the KRA has expired. I did not know that the expired KRA can still be used to recover any previously encrypted private keys.

Can you direct me to any resource that would help if in case any private key/keys are lost and will need to be recovered with the old key?

Just for the benefit of everyone, I am going to detail what I ended up doing.

1. Per Mike I ended up saving the expired certificate. But remember the cert was KRA agent that was a person who moved to another dept.
2. I had to take over his AD admin account and gave him a copy of the account-- a different account.
3. Logged in with his creds, and installed the cert, and this time it came with the private key.
4. Tried to recover an archived key and bingo! it worked this time. It did not work when I actually installed the cert and logged in with my account; even if it is in my personal vault, it would not work.

So, even if the KRA cert has expired, you can recover archived keys, but you better keep that pfx file in a safe deposit.

Thanks Mike and Ronie.