Hotfix information
A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it. This feature might receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next software update that contains this feature.
If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.
Prerequisites
No prerequisites are required.
Restart requirement
You do not have to restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
------------------------------------------------------
15-Oct-2003 23:13 5.2.3790.92 100,864 Certpdef.dll
15-Oct-2003 23:13 5.2.3790.92 294,912 Certsrv.exe
15-Oct-2003 23:13 5.2.3790.92 568,832 Certutil.exe
Feature description
The new Certutil.exe file is required if you want to use a symbolic command-line flag to enable and to disable the feature. If you manually edit the registry or if Certutil.exe is used with a numeric constant instead of with the symbolic constant, the new Certutil.exe file is not required.
To enable this feature, type the following at a command prompt, and then restart the Certsvc service:
certutil -setreg ca\InterfaceFlags +IF_ENABLEEXITKEYRETRIEVAL
To disable this feature, type the following at a command prompt, and then restart the Certsvc service:
certutil -setreg ca\InterfaceFlags -IF_ENABLEEXITKEYRETRIEVAL
To use an earlier version of Certutil.exe, replace "IF_ENABLEEXITKEYRETRIEVAL" in either command with "0x800".
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To directly modify the registry, modify the InterfaceFlags REG_DWORD registry entry at the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\YourSanitizedCAName
To enable the feature, bit-wise OR the existing value with 0x800. To disable the feature, bit-wise AND the existing value with ~0x800 (0xfffff7ff).
Do not modify any other bits in this registry value unless you understand the effect. For the changes to take effect, you must restart the Certsvc service.
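The following PowerShell functions are an added example, not part of this article or of certutil: they audit and, if requested, set or clear the IF_ENABLEEXITKEYRETRIEVAL bit (0x800) in the InterfaceFlags value at the registry location given above, leaving every other bit untouched, and restart CertSvc only when the value actually changed. They assume they run elevated on the CA and that $CAName is the sanitized CA name that forms the subkey name.

```powershell
# Added example (not from the KB article). Assumes an elevated session on the CA and that
# $CAName is the sanitized CA name used as the Configuration subkey name.
$IF_ENABLEEXITKEYRETRIEVAL = 0x800

function Get-CAConfigKey([string]$CAName) {
    # Registry location from the article; the CA name itself is the caller's input.
    "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
}

function Test-ExitKeyRetrieval([string]$CAName) {
    # Audit helper: report the current InterfaceFlags and whether bit 0x800 is set.
    $flags = (Get-ItemProperty -Path (Get-CAConfigKey $CAName) -Name InterfaceFlags).InterfaceFlags
    [pscustomobject]@{
        CAName                  = $CAName
        InterfaceFlags          = ('0x{0:x}' -f $flags)
        ExitKeyRetrievalEnabled = (($flags -band $IF_ENABLEEXITKEYRETRIEVAL) -ne 0)
    }
}

function Set-ExitKeyRetrieval([string]$CAName, [bool]$Enable) {
    $key   = Get-CAConfigKey $CAName
    $flags = (Get-ItemProperty -Path $key -Name InterfaceFlags).InterfaceFlags
    if ($Enable) {
        $new = $flags -bor $IF_ENABLEEXITKEYRETRIEVAL            # bit-wise OR with 0x800
    } else {
        $new = $flags -band (-bnot $IF_ENABLEEXITKEYRETRIEVAL)   # bit-wise AND with ~0x800
    }
    if ($new -ne $flags) {
        # Only the 0x800 bit differs between $flags and $new; other bits are preserved.
        Set-ItemProperty -Path $key -Name InterfaceFlags -Value ([int]$new) -Type DWord
        Restart-Service -Name CertSvc    # the change takes effect only after a CertSvc restart
    }
    Test-ExitKeyRetrieval $CAName
}

# Usage: Test-ExitKeyRetrieval -CAName 'YourSanitizedCAName'
#        Set-ExitKeyRetrieval  -CAName 'YourSanitizedCAName' -Enable $false
```

Test-ExitKeyRetrieval is a convenient periodic check that no CA has this bit set unexpectedly, since the flag lets an exit module pull the encrypted archived key out of the database; note that the article states the feature is effectively disabled while role separation is enabled, regardless of the bit.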
The intent of this modification is to allow a custom exit module to fetch the encrypted archived key binary large object from the CA when the exit module is notified of an issued certificate. This is for potential use in later key recovery.
The following describes the behavior in the version of Certsrv.exe that is included with the release version of Windows Server 2003:
- The RawArchivedKey property returns a 1-byte binary large object that is initialized to 0 if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
- The ArchivedKey property always returns CERTSRV_E_PROPERTY_EMPTY (unknown property).
When this feature is disabled in the new version of Certsrv.exe:
- The RawArchivedKey property returns a 1-byte binary large object that is initialized to 0 if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
- The new ArchivedKey property returns a 1-byte binary large object that is initialized to 0 if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
When this feature is enabled in the new version of Certsrv.exe:
- The existing RawArchivedKey property returns the raw encrypted PKCS7 data from the database column if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
- The new ArchivedKey property returns the nested PKCS7, suitable for certutil -recoverkey, if the raw encrypted PKCS7 exists in the CA's database. If it does not exist, the property returns CERTSRV_E_PROPERTY_EMPTY.
If role separation is enabled, this feature is effectively disabled.
The raw encrypted PKCS7 is stored in the CA database. It is constructed during request processing by the equivalent of:
- Exporting a PRIVATEKEYBLOB from CryptExportKey.
- Calling CryptEncryptMessage to encrypt the PRIVATEKEYBLOB to one or more KRA certificates' public keys.
The nested PKCS7 is constructed on demand from the raw encrypted PKCS7. CryptMsgOpenToEncode, CryptMsgUpdate and CryptMsgGetParam(hMsg, CMSG_CONTENT_PARAM, ...) are used to create a signed PKCS7, using the raw encrypted PKCS7 as the data content.
The CA cert chain, the recipient KRA certificates, and the subject user certificate and chain are all added to the certificates in the outer signed PKCS7.
The signed PKCS7 is signed by the current CA signing certificate.
An authenticated attribute with OID szOID_ARCHIVED_KEY_CERT_HASH is added to the signature that contains the SHA-1 hash of the subject user certificate. This easily identifies the certificate that is associated with the private key.
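The following PowerShell function is an added example, not part of this article or of Certificate Services: it decodes a nested PKCS7 blob of the structure described above (as returned through the ArchivedKey property) and checks, before the blob is handed to key recovery, that the outer signature verifies, that the szOID_ARCHIVED_KEY_CERT_HASH attribute matches the SHA-1 thumbprint of the expected subject certificate, and that the signed content decodes as an enveloped PKCS7 with at least one KRA recipient. It assumes $Path is a file the exit module wrote the DER blob to, that $SubjectCert is the issued certificate, that the OID value 1.3.6.1.4.1.311.21.16 is szOID_ARCHIVED_KEY_CERT_HASH as defined in wincrypt.h, and that the attribute value is a DER OCTET STRING whose last 20 bytes are the hash.

```powershell
# Added example (not from the KB article). Assumes $Path holds the DER nested PKCS7 saved by the
# exit module and $SubjectCert is the certificate whose private key it archives.
Add-Type -AssemblyName System.Security

# szOID_ARCHIVED_KEY_CERT_HASH as defined in wincrypt.h
$szOID_ARCHIVED_KEY_CERT_HASH = '1.3.6.1.4.1.311.21.16'

function Test-ArchivedKeyBlob(
    [string]$Path,
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$SubjectCert
) {
    $outer = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $outer.Decode([System.IO.File]::ReadAllBytes($Path))

    # Verify the outer signature only (no chain build); throws if the signature is bad.
    $outer.CheckSignature($true)
    $signer = $outer.SignerInfos[0]

    # The authenticated attribute carries the SHA-1 hash of the subject certificate.
    # Assumption: the value is a DER OCTET STRING, so the hash is its last 20 bytes.
    $attr = $signer.SignedAttributes | Where-Object { $_.Oid.Value -eq $szOID_ARCHIVED_KEY_CERT_HASH }
    if (-not $attr) { throw 'szOID_ARCHIVED_KEY_CERT_HASH attribute not present in the signature' }
    $raw  = $attr.Values[0].RawData
    $hash = ($raw[($raw.Length - 20)..($raw.Length - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''

    # The signed data content is the raw encrypted PKCS7 (CryptEncryptMessage output);
    # decoding it as an enveloped message exposes the KRA recipients without decrypting anything.
    $inner = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $inner.Decode($outer.ContentInfo.Content)

    [pscustomobject]@{
        SignerSubject      = $signer.Certificate.Subject       # expected: the CA signing certificate
        CertHashAttribute  = $hash
        MatchesSubjectCert = ($hash -eq $SubjectCert.Thumbprint) # Thumbprint is the SHA-1 hex digest
        KRARecipientCount  = $inner.RecipientInfos.Count
        EmbeddedCertCount  = $outer.Certificates.Count         # CA chain, KRA certs, subject cert and chain
    }
}

# Usage: Test-ArchivedKeyBlob -Path '.\archivedkey.p7b' -SubjectCert (Get-Item Cert:\LocalMachine\My\<thumbprint>)
```

A MatchesSubjectCert value of $false means the blob was not produced for the certificate you expect and should not be passed to certutil -recoverkey for that subject.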