Microsoft KB Archive/829194

= A software update is available that allows you to access the archived user keys in an exit module in a Windows Server 2003 CA =

Article ID: 829194

Article Last Modified on 2/21/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition

-





Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
''You cannot retrieve the archived user keys in an exit module in a Microsoft Windows Server 2003 certification authority (CA). This behavior is by design. This article describes a software update that is available from Microsoft that you can use to change this behavior so that you can access the archived user keys in an exit module.''



Hotfix information
A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Microsoft Windows Server 2003 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
No prerequisites are required.

Restart requirement
You do not have to restart your computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version      Size     File name --  15-Oct-2003  23:13  5.2.3790.92  100,864  Certpdef.dll 15-Oct-2003 23:13  5.2.3790.92  294,912  Certsrv.exe 15-Oct-2003 23:13  5.2.3790.92  568,832  Certutil.exe

Feature description
The new Certutil.exe file is required if you want to use a symbolic command-line flag to enable and to disable the feature. If you manually edit the registry or if Certutil.exe is used with a numeric constant instead of with the symbolic constant, the new Certutil.exe file is not required.

To enable this feature, type the following at a command prompt, and then restart the Certsvc service:

certutil –setreg ca\InterfaceFlags +IF_ENABLEEXITKEYRETRIEVAL

To disable this feature, type the following at a command prompt, and then restart the Certsvc service:

certutil –setreg ca\InterfaceFlags -IF_ENABLEEXITKEYRETRIEVAL

To use an earlier version of Certutil.exe, replace &quot;IF_ENABLEEXITKEYRETRIEVAL&quot; in either command with &quot;0x800&quot;.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To directly modify the registry, modify the InterfaceFlags REG_DWORD registry entry at the following location:

To enable the feature, bit-wise OR the existing value with 0x800. To disable the feature, bit-wise AND the existing value with ~0x800 (0xfffff7ff).

Do not modify any other bits in this registry value unless you understand the effect. For the changes to take effect, you must restart the Certsvc service.

The intent of this modification is to allow a custom exit module to fetch the encrypted archived key binary large object from the CA when the exit module is notified of an issued certificate. This is for potential use in later key recovery.

The following describes the behavior in the version of Certsrv.exe that is included with the release version of Windows Server 2003:
 * The RawArchivedKey property returns a 1-byte binary large object that is initialized to 0 if the raw encrypted PKCS7 exists in the CA’s database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
 * The ArchivedKey property always returns CERTSRV_E_PROPERTY_EMPTY (unknown property).

When this feature is disabled in the new version of Certsrv.exe:
 * The RawArchivedKey property returns a 1-byte binary large object that is initialized to 0 if the raw encrypted PKCS7 exists in the CA’s database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
 * The new ArchivedKey property returns a 1-byte binary large object that is initialized to 0 if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.

When this feature is enabled in the new version of Certsrv.exe:
 * The existing RawArchivedKey property returns the raw encrypted PKCS7 data from the database column if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
 * The new ArchivedKey property returns the nested PKCS7, suitable for certutil –recoverkey, if the raw encrypted PKCS7 exists in the CA’s database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.

If role separation is enabled, this feature is effectively disabled.

The raw encrypted PKCS7 is stored in the CA database. It is constructed during request processing by the equivalent of:
 * 1) Exporting a PRIVATEKEYBLOB from CryptExportKey.
 * 2) Calling CryptEncryptMessage to encrypt the PRIVATEKEYBLOB to one or more KRA certificates’ public keys.

The nested PKCS7 is constructed on demand from the raw encrypted PKCS7. CryptMsgOpenToEncode, CryptMsgUpdate and CryptMsgGetParam(hMsg, CMSG_CONTENT_PARAM, …) are used to create a signed PKCS7, using the raw encrypted PKCS7 as the data content.

The CA cert chain, the recipient KRA certificates, and the subject user certificate and chain are all added to the certificates in the outer signed PKCS7.

The signed PKCS7 is signed by the current CA signing certificate.

An authenticated attribute with OID szOID_ARCHIVED_KEY_CERT_HASH is added to the signature that contains the SHA-1 hash of the subject user certificate. This easily identifies the certificate that is associated with the private key.

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe kbwinserv2003presp1fix KB829194

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.