Windows 2008 Enterprise CA and key archival
Hi all,
We have a Windows 2008 Server Enterprise CA and we want to save certificates' private keys in the CA. Checking Microsoft articles, we found that it is possible to enable "key archival".
The question is: what kind of certificate template purpose should I use for private key auto-archival? Signature, Encryption or "Signature and Encryption"?
The Windows 2003 documentation says that the certificate purpose must be "Signature and Encryption"... but the Windows 2008 documentation says that it does not work for
"Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook"
Windows 2003 doc :
http://technet.microsoft.com/en-us/library/cc738977(WS.10).aspx
Windows 2008 doc:
http://technet.microsoft.com/en-us/library/ee449471(WS.10).aspx
Thanks for comments.
Johan M. R.
September 14th, 2010 7:06pm
On Tue, 14 Sep 2010 23:04:49 +0000, Johan M. R. _ wrote:
> We have a Windows 2008 Server Enterprise CA and we want to save certificates' private keys in the CA. Checking Microsoft articles, we found that it is possible to enable "key archival".
> The question is: what kind of certificate template purpose should I use for private key auto-archival? Signature, Encryption or "Signature and Encryption"?
> The Windows 2003 documentation says that the certificate purpose must be "*Signature and Encryption*"... but the Windows 2008 documentation says that it does not work for *"Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook*"
> Windows 2003 doc :
> http://technet.microsoft.com/en-us/library/cc738977(WS.10).aspx
> Windows 2008 doc:
> http://technet.microsoft.com/en-us/library/ee449471(WS.10).aspx
You're misreading both of those articles. The only purposes that when
selected prevent the private key from being archived are:
Signature
Signature and Smart Card Logon.
If the purpose is Encryption or Signature and Encryption the private key
can be archived.
To answer your question about which purpose to use, we'd need to know what
exactly you're going to use the certificate for. When dealing with email
certificates (S/MIME certs) for example, if you need to assert
non-repudiation then you'd need to issue 2 certs, one for signing, and one
for encryption as you can't assert non-repudiation if someone other than
the subscriber has access to the private key which would potentially be the
case if you issued a single S/MIME cert that allowed for both encryption
and signature and then archived the private key.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
September 14th, 2010 7:23pm
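A way to check the point made above against a live forest, as an added example that is not part of this thread or of any Microsoft tool: it enumerates the certificate templates in the Configuration partition, decodes the key usage behind the template "purpose", and reports any template that has "Archive subject's encryption private key" set but is signature-only (including the Smart Card Logon variant), which the CA cannot archive. It assumes the ActiveDirectory PowerShell module and read access to the Configuration naming context; the function name Get-ArchivalPurposeMismatch is my own.

```powershell
Import-Module ActiveDirectory

function Get-ArchivalPurposeMismatch {
    # CTPRIVATEKEY_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL from MS-CRTD (msPKI-Private-Key-Flag)
    $RequireArchival  = 0x1
    # Key usage bits are in the first byte of pKIKeyUsage, in RFC 5280 bit order
    $DigitalSignature = 0x80
    $KeyEncipherment  = 0x20
    $DataEncipherment = 0x10
    # Enhanced Key Usage OID for Smart Card Logon
    $SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $templates = Get-ADObject -SearchBase $container `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Private-Key-Flag', 'pKIKeyUsage', 'pKIExtendedKeyUsage'

    foreach ($t in $templates) {
        $flags = [int]$t.'msPKI-Private-Key-Flag'   # $null (V1 template) becomes 0
        $archivalRequired = [bool]($flags -band $RequireArchival)

        $ku = if ($t.pKIKeyUsage) { [int]$t.pKIKeyUsage[0] } else { 0 }
        $canSign    = [bool]($ku -band $DigitalSignature)
        $canEncrypt = [bool]($ku -band ($KeyEncipherment -bor $DataEncipherment))
        $smartCard  = $t.pKIExtendedKeyUsage -contains $SmartCardLogonOid

        # Map the key usage back to the purpose shown in the Certificate Templates MMC
        if ($canSign -and $canEncrypt)   { $purpose = 'Signature and encryption' }
        elseif ($canEncrypt)             { $purpose = 'Encryption' }
        elseif ($canSign -and $smartCard){ $purpose = 'Signature and smartcard logon' }
        elseif ($canSign)                { $purpose = 'Signature' }
        else                             { $purpose = 'Unknown' }

        [pscustomobject]@{
            Template         = $t.Name
            Purpose          = $purpose
            ArchivalRequired = $archivalRequired
            # Only templates whose purpose includes encryption can have the key archived
            Archivable       = $canEncrypt
            Mismatch         = ($archivalRequired -and -not $canEncrypt)
        }
    }
}

# Show only templates that demand archival but issue a signature-only key
Get-ArchivalPurposeMismatch | Where-Object Mismatch | Format-Table Template, Purpose, ArchivalRequired
```

Drop the Where-Object filter to list every template with its decoded purpose and whether the CA could archive its key.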
We want to use certificates to "encrypt and sign" e-mail messages, and our template has the "Encryption and Signature" purpose.
Then, can we still use features like "key archival" to save the private key in the SubCA?
Regards,
Johan Montano R.
September 15th, 2010 10:02am
On Wed, 15 Sep 2010 14:00:47 +0000, Johan M. R. _ wrote:
> We want to use certificates to "encrypt and sign" e-mail messages, and our template has the "Encryption and Signature" purpose.
> Then, can we still use features like "key archival" to save the private key in the SubCA?
Yes.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
September 15th, 2010 10:25am
Thanks a lot,
My last question is: does it apply to "Windows Server 2008 Ent" and "Windows Server 2008 Ent R2" CAs too?
Regards,
Johan M. R.
September 15th, 2010 11:20am
On Wed, 15 Sep 2010 15:19:09 +0000, Johan M. R. _ wrote:
> My last question is: does it apply to "Windows Server 2008 Ent" and "Windows Server 2008 Ent R2" CAs too?
Yes.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
September 15th, 2010 11:32am