Key Management Service and W2K8 CA
I'm new to this topic and maybe you could help me. I've got a PKI based on a W2K8 root CA (standalone) and a W2K8 subCA (enterprise, issuing CA). Can I use Key Management Service with it? Can KMS be useful for me or rather not? What additional functions, which are not in W2K8 CA, are in KMS? Could you write a few sentences about KMS and W2K8, because I cannot find a general idea of it?
Best regards, nstn
April 22nd, 2010 5:53pm

The question above is wrong. KMS is for activation purposes only. I'm looking for something for automatic key histories. Is something like this available in W2K3/W2K8 CA? How can a user manage his old keys? Or maybe a CA admin can?
April 23rd, 2010 1:22am

I assume you mean Exchange Key Management Server (KMS). This product was deprecated years ago. This document shows you how to migrate archived keys from KMS to a Windows Server 2003 CA. The same steps apply for WS08. http://technet.microsoft.com/en-us/library/cc759249(WS.10).aspx Hope this helps.
Jonathan Stephens
April 23rd, 2010 7:10am

"I'm looking for something for automatic key histories. Is something like this available in W2K3/W2K8 CA? How can a user manage his old keys? Or maybe a CA admin can?"
Can you be a little bit more specific here? What exactly do you mean by having a user or a CA manager "manage his old keys"?
Paul Adare CTO IdentIT Inc. ILM MVP
April 23rd, 2010 9:34am

When a certificate is not valid, when the private and public key are not valid, the user has a new key and certificate. But there could be, for example, a need to decode an old document. So the old, even invalid, key will be needed. I'm talking about key histories and managing them. I don't know how to say it in a more specific way. Keys can be in the database, right? But is there a mechanism for managing old certificates and keys (key history management)?
April 23rd, 2010 12:01pm

Encryption certificates do not just disappear when they are no longer time valid. By default, they are archived, which means they are still available, either in the user's profile or on a smart card. In the case of expired certificates there is no management that needs to be done by the user. Private keys can be escrowed in the CA database if the template is configured for private key archival. However, access to that archived key is only required in the event that a user loses access to the private key, and not in the case where a certificate is no longer time valid. Restoring an archived private key requires that a CA Manager extract an encrypted blob from the database and then someone with access to a key recovery agent certificate extracts the private key and certificate from the blob and transmits that to the user. This is not an operation a user can perform for themselves, unless you use something like CLM or FIM2010 CM, in which case you could configure self-service for key recovery.
Paul Adare CTO IdentIT Inc. ILM MVP
April 23rd, 2010 12:49pm
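An added example, not from any post in this thread, showing both halves of what Paul describes: a user enumerating their own key history (including the archived encryption certificates that the Cert: drive hides), and the two-person recovery of an escrowed key using certutil. The CA name, file paths, serial number and password are placeholders; the .NET X509Store and certutil switches used here are standard, but the script assumes the issuing CA has key archival enabled on the template and a KRA certificate issued.

```powershell
# Added example (not from the thread). Placeholder values are marked; the
# machine is assumed to be a domain-joined Windows client with .NET available.

# --- Part 1 (user): list every encryption certificate in the personal store,
#     including archived ones. Archived certificates are skipped by the Cert:
#     drive, so open the store with the IncludeArchived flag via .NET.
function Get-UserKeyHistory {
    $flagType = [System.Security.Cryptography.X509Certificates.OpenFlags]
    $flags    = $flagType::ReadOnly -bor $flagType::IncludeArchived
    $store    = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open($flags)
    try {
        foreach ($cert in $store.Certificates) {
            # Only entries with HasPrivateKey = True can still decrypt old data;
            # an expired-but-archived certificate with its key is the normal case.
            [pscustomobject]@{
                Subject       = $cert.Subject
                Serial        = $cert.SerialNumber
                NotAfter      = $cert.NotAfter
                Expired       = ($cert.NotAfter -lt (Get-Date))
                Archived      = $cert.Archived
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    } finally {
        $store.Close()
    }
}

Get-UserKeyHistory | Sort-Object NotAfter | Format-Table -AutoSize

# --- Part 2: recovery of a key escrowed in the CA database. Two roles, two steps,
#     exactly as in the post: the CA Manager cannot decrypt the blob, and the
#     KRA holder never touches the CA database.

$caConfig = 'caserver.example.com\Example-Issuing-CA'   # placeholder CA config string
$serial   = '1a2b3c4d000000000005'                       # placeholder serial of the old cert
$blob     = 'C:\Recovery\user.blob'                      # placeholder output path
$pfx      = 'C:\Recovery\user.pfx'                       # placeholder output path

# Step A (CA Manager role): pull the encrypted recovery blob out of the CA
# database. The search token can be a serial number, thumbprint or UPN.
certutil -config $caConfig -getkey $serial $blob

# Step B (KRA certificate holder, on a machine holding the KRA private key):
# decrypt the blob into a password-protected PFX that is handed to the user.
certutil -recoverkey -p 'OneTimePassword!' $blob $pfx

# Step C (user): import the PFX; the old certificate and key are back in the
# personal store and Part 1 will now list it with HasPrivateKey = True.
certutil -user -p 'OneTimePassword!' -importpfx $pfx
```

Part 1 is the answer to "how can a user manage his old keys": nothing to manage, just look, because expired encryption certificates and their keys stay in the profile. Part 2 is only for the loss case, and the split between Step A and Step B is what keeps a lone CA Manager from reading escrowed private keys.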
