Requirements for Key Archival

The following conditions must be met to enable key archival at a Windows Server 2003 or Windows Server 2008 enterprise CA:

  • One or more users must acquire a certificate that carries the Key Recovery Agent object identifier (OID 1.3.6.1.4.1.311.21.6) in its Enhanced Key Usage (EKU) extension, which Microsoft also exposes as the Key Recovery Agent application policy. The private key matching this certificate is what decrypts private key material archived in the CA database, so it must be protected accordingly. By default, the Key Recovery Agent certificate template requires certificate manager approval for issuance, so that only authorized personnel receive a Key Recovery Agent certificate. Holding the Key Recovery Agent private key is not by itself enough to recover a key: a certificate manager must first retrieve the encrypted blob from the CA database (certutil -getkey), and only then can the Key Recovery Agent holder decrypt it (certutil -recoverkey). Assigning those two roles to different people preserves separation of duties.

  • The CA must be configured and enabled for key archival. In the CA’s properties, you must designate one or more Key Recovery Agent certificates that the CA must use to ...
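The two conditions above can be verified on the CA host with the following script. It is an added example, not code from the book or from Microsoft, and it rests on a few assumptions that the text does not state: that the active CA's settings live under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>, that KRACertCount and KRACertHash there record the designated recovery agents (KRACertHash as SHA-1 thumbprints, possibly with spaces), and that the CA keeps the designated Key Recovery Agent certificates in the LocalMachine\KRA store. Run it elevated on the CA.

```powershell
# Added check script (not from the book): confirm that a CA is configured for key
# archival and that every designated Key Recovery Agent certificate is usable.
# Assumed locations: CA registry config under CertSvc\Configuration\<CAName>,
# designated KRA certificates in the LocalMachine\KRA store.

$kraEku = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent EKU / application policy OID

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# KRACertCount = number of recovery agents each archived key is encrypted to (0 = archival off).
$count  = [int]$ca.KRACertCount
# KRACertHash = thumbprints of the designated KRA certificates (assumed spaced hex; normalize).
$hashes = @(@($ca.KRACertHash) | Where-Object { $_ } |
            ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

Write-Host "CA: $caName  KRACertCount=$count  designated KRA hashes=$($hashes.Count)"
if ($count -lt 1) { Write-Warning 'Key archival is disabled on this CA: KRACertCount is 0.' }

$now   = Get-Date
$valid = 0
foreach ($h in $hashes) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\KRA | Where-Object { $_.Thumbprint -eq $h }
    if (-not $cert) {
        Write-Warning "Designated KRA $h is not present in the LocalMachine\KRA store."
        continue
    }

    # Collect every EKU OID on the certificate and confirm the KRA OID is among them.
    $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }

    $problems = @()
    if ($ekus -notcontains $kraEku) { $problems += 'missing Key Recovery Agent EKU' }
    if ($cert.NotAfter  -lt $now)   { $problems += "expired $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now)   { $problems += "not valid until $($cert.NotBefore)" }

    if ($problems.Count -gt 0) {
        Write-Warning "$h ($($cert.Subject)): $($problems -join '; ')"
    } else {
        $valid++
        Write-Host "OK  $h  $($cert.Subject)  expires $($cert.NotAfter)"
    }
}

if ($count -gt $valid) {
    Write-Warning "CA expects $count usable KRA certificate(s) but only $valid passed; key archival will not work as configured."
}
```

The script only inspects configuration; it never touches a Key Recovery Agent private key, which should stay with its holder rather than on the CA. If a designated certificate is missing, expired, or lacks the OID, re-issue the Key Recovery Agent certificate and re-select it on the CA's Recovery Agents tab, then restart the CA service so it reloads the list.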

