Client failing to get new cert
My company uses certificates for encryption on client machines. An end user cannot access his files because his cert expired. I have a lot of failed cert requests for him with the message "Cannot archive private key, the certification authority is not configured for key archival." I had the user attempt to renew the key through the Certificates MMC. That failed because it was expired. I have no idea how this all works, I just inherited it. How do I get around this message? If I go to the template used to create the cert and select "Reenroll All Certificate Holders", what will that do? Is there anything else I can do to get this guy a new cert? Will deleting the expired cert force it to create a new cert, or will it just be worse?
August 6th, 2012 3:35pm

First, you should be careful about deleting expired certificates that have been used for encryption purposes on your clients unless you have properly configured recovery methods or restore possibilities. Second, renewal of expired certificates is not supported and you need to issue new certificates to be used instead of the old/expired certificates. If certificate autoenrollment is enabled on your clients and on the specific certificate template, the client will automatically request a new certificate when no valid or expiring certificates are available on the client. Selecting the option to "Reenroll All Certificate Holders" will force all clients to "Renew" their certificate immediately, regardless of expiration time!

You need to make sure that key archival is supported on your CA by checking the following:

1. At least one valid key recovery agent certificate is issued and available on the system; this can be checked using the command: certutil -viewstore kra
2. Key archival is enabled on your CA; check CA properties, Recovery Agents tab.

Please read more about key archival and the steps needed to configure/verify key archival here: http://technet.microsoft.com/en-us/library/ee449464(v=ws.10)

/Hasain
August 6th, 2012 7:04pm

My problem is that someone else created the system and didn't document it well. And I'm a desktop guy who got thrown into it. How do I push a new cert to the user? I'll look at the rest when I get back to the office.
August 6th, 2012 9:11pm

1. Shows 4 KRA, 2 of which are expired.
2. Shows the 2 unexpired KRA as not loaded.
August 7th, 2012 10:16am

If the KRA certificates are showing in the Recovery Agents tab as not loaded, you need to reload/restart the CA service to activate the agents. Once the agents are loaded, any request containing key recovery will be accepted by the CA.

Regarding your other question, certificates can be deployed using autoenrollment. Autoenrollment is enabled in two steps:

1. Enable autoenrollment for users and/or computers using group policies: http://technet.microsoft.com/en-us/library/cc731522.aspx
2. Enable autoenrollment on the specific certificate template: http://technet.microsoft.com/en-us/library/cc737874(v=ws.10).aspx

Once autoenrollment is enabled, all clients with Enroll and Autoenroll permission on a specific template will automatically request a certificate if no valid certificate exists on the client.

/Hasain
August 8th, 2012 6:15am
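The two checks above (is a valid KRA certificate available, and is the CA configured to use it) can be scripted. The following is an added example, not code from this thread or from Microsoft: it reads the KRA thumbprints the CA stores in its registry configuration (which is what the Recovery Agents tab writes) and reports whether each one is expired, which is the usual reason an agent shows as "not loaded". It assumes it runs elevated on the CA itself and that the KRA certificates are present in a local machine store; if they only live in the AD KRA container, inspect them with certutil -viewstore -enterprise KRA instead.

```powershell
# Added example: audit the KRA certificates a Windows CA is configured with.
# Assumption: run elevated on the CA; KRA certs are in a LocalMachine store.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Get-ItemProperty -Path (Join-Path $cfg $caName)

# KRACertHash holds the thumbprints selected in the Recovery Agents tab;
# KRACertCount is how many agents each archived key is encrypted to.
$hashes = @($caKey.KRACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpper() })
$needed = [int]$caKey.KRACertCount
Write-Host "CA '$caName': $($hashes.Count) KRA cert(s) configured, $needed used per archived key"

# Assumption: the CA's copies of the KRA certs sit in one of these stores.
$stores = 'Cert:\LocalMachine\KRA', 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA'
$now    = Get-Date
$valid  = 0

foreach ($h in $hashes) {
    $cert = $stores |
        ForEach-Object { Get-ChildItem -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Thumbprint -eq $h } |
        Select-Object -First 1

    if (-not $cert) {
        Write-Warning "$h : not found in local machine stores"
    } elseif ($cert.NotAfter -lt $now) {
        Write-Warning "$h : EXPIRED on $($cert.NotAfter) ($($cert.Subject))"
    } elseif ($cert.NotBefore -gt $now) {
        Write-Warning "$h : not yet valid until $($cert.NotBefore) ($($cert.Subject))"
    } else {
        $valid++
        Write-Host "$h : valid until $($cert.NotAfter) ($($cert.Subject))"
    }
}

if ($valid -lt $needed) {
    Write-Warning "Only $valid valid KRA cert(s) for a CA that needs $needed; archival requests may fail until expired agents are replaced."
}
# After replacing expired agents in the tab, restart the CA so it reloads them:
#   Restart-Service CertSvc
```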

New keys didn't solve the problem. Still not getting into the encrypted files. Access denied trying to decrypt with user and DRA. Old key associated with files is not in the certificate authority so I can't grab it and try to use it. Cipher /u did nothing, access denied on certain files. Pretty much at the end of my ability to figure this out...
August 24th, 2012 10:44am
