Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.
Configure the correct number of key recovery agent certificates
Ensure that the correct number of valid key recovery agent certificates are available to the certification authority (CA). The number of key recovery agent certificates that are needed is set on the Recovery Agents tab in the Certification Authority snap-in.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To identify specific problems with key recovery agent certificates:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
Right-click the CA name, and click Properties.
Click the Recovery Agents tab.
Check the Status column for the key recovery agent certificates. If one or more certificates are identified as Expired or Invalid, remove the expired or invalid key recovery agent certificates, then enroll for and assign new certificates.
If you do not find any problems with any of these certificates, export each certificate to a .cer file, open a command prompt window, and for each file run certutil -verify <CertificateFile.cer> and press ENTER to check the certificate's validity, chain, and revocation status.
As an alternative, if you have fewer valid key recovery agent certificates than are specified, you can also go to the Recovery Agents tab and reduce the number of key recovery agents that are needed.
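The following PowerShell script is an added example and is not part of the original page or of Microsoft's documentation. It automates the check described above: given a folder of exported .cer files, it confirms that each certificate carries the Key Recovery Agent enhanced key usage (OID 1.3.6.1.4.1.311.21.6), checks for expiry, runs certutil -verify on each file, and compares the number of valid certificates against the number the CA requires. It assumes, as a labelled assumption, that the Recovery Agents tab stores that number in the KRACertCount registry value under the active CA's CertSvc configuration key and that the script runs on the CA host with rights to read that key.

```powershell
# Added example: audit exported KRA certificates and compare the count of
# valid ones against the number the CA is configured to require.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerFolder   # folder holding the .cer files exported from the Recovery Agents tab
)

$kraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage

$results = foreach ($file in Get-ChildItem -Path $CerFolder -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # Does the certificate carry the Key Recovery Agent EKU?
    $hasKraEku = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            if ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $kraEkuOid }) { $hasKraEku = $true }
        }
    }

    # certutil -verify builds and validates the chain and checks revocation;
    # a non-zero exit code means the certificate should not be trusted for key recovery.
    $verifyOutput = (& certutil.exe -verify $file.FullName 2>&1) | Out-String
    $verifyOk = ($LASTEXITCODE -eq 0)

    $expired = $cert.NotAfter -lt (Get-Date)

    [pscustomobject]@{
        File      = $file.Name
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
        HasKraEku = $hasKraEku
        Expired   = $expired
        Revoked   = ($verifyOutput -match 'revoked')
        VerifyOk  = $verifyOk
        Valid     = ($hasKraEku -and -not $expired -and $verifyOk)
    }
}

$results | Format-Table -AutoSize

$validCount = @($results | Where-Object { $_.Valid }).Count

# Assumption: the required number of recovery agents lives in KRACertCount
# under the active CA's configuration key.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$activeCa  = (Get-ItemProperty -Path $configKey -ErrorAction SilentlyContinue).Active
$required  = $null
if ($activeCa) {
    $required = (Get-ItemProperty -Path (Join-Path $configKey $activeCa) -ErrorAction SilentlyContinue).KRACertCount
}

if ($null -eq $required) {
    Write-Warning "Could not read the required recovery agent count from the CA registry; compare $validCount valid certificate(s) against the Recovery Agents tab manually."
}
elseif ($validCount -lt $required) {
    Write-Warning "Only $validCount valid KRA certificate(s) found but the CA requires $required. Enroll and assign new KRA certificates, or lower the number on the Recovery Agents tab."
}
else {
    Write-Host "OK: $validCount valid KRA certificate(s) available, $required required."
}
```

Run it from an elevated PowerShell prompt on the CA host, for example .\Check-KraCerts.ps1 -CerFolder C:\KraExport. Treating a certificate as valid only when the EKU, expiry and certutil -verify checks all pass mirrors what the CA itself needs before it will archive keys, so a shortfall reported here is the condition that leaves key archival requests failing.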
For more information, see http://go.microsoft.com/fwlink/?LinkID=95698.