Active Directory Certificate Services (AD CS) needs a key recovery agent (KRA) certificate, a CA exchange (XCHG) certificate, and the private keys that belong to them in order to support key archival. A working KRA certificate, a working XCHG certificate, and the cryptographic service provider (CSP) that creates them are therefore critical to a public key infrastructure that archives keys.
Identify and use a valid key recovery agent certificate
To resolve this issue, you need to identify why the key recovery agent certificate that the CA is trying to use is being rejected. A key recovery agent certificate usually becomes unusable because it has expired or has been revoked.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To examine the validity of the key recovery agent certificate:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
Right-click the certification authority (CA) name, and click Properties.
Click the Recovery Agents tab, and check whether the key recovery agent certificate whose index is listed in the event log is shown as Expired or Invalid. To check it yourself, confirm that the current date falls within its validity period and that it carries the Enhanced Key Usage (EKU) extension for Key Recovery Agent (object identifier 1.3.6.1.4.1.311.21.6). Note that the status shown on the tab does not tell you whether the certificate has been revoked; to check revocation, export the certificate and run certutil -verify -urlfetch against the exported file.
If the certificate has expired or is not valid, remove it from the Recovery Agents tab and assign a valid one. You may need to enroll for a new key recovery agent certificate before it can be registered with the CA. Changes to the recovery agents do not take effect until the Active Directory Certificate Services service is restarted.
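The following PowerShell script is an added example, not part of the original page or a Microsoft tool. It automates the check above for every key recovery agent certificate registered with the local CA, using the event log index ordering, and adds the revocation check that the Recovery Agents tab does not perform. It assumes it is run on the CA host by a user with Manage CA permission, that the active CA name is the Active value under the CertSvc Configuration registry key, that the registered KRA thumbprints are stored in that CA's KRACertHash multi-string value (one entry per index), and that the certificates themselves are in the LocalMachine KRA store; these are the locations certsvc uses, but verify them on your own CA before relying on the output.

```powershell
# Added example (not from the original page): report the status of every key recovery agent
# certificate registered with the local CA, in the same index order the CA uses in its events.
# Assumptions (verify on your CA): CA name in Configuration\Active, thumbprints in the CA key's
# KRACertHash multi-string, certificates in the LocalMachine\KRA store.

$KraEku = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage OID

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caCfg  = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
$hashes = @($caCfg.KRACertHash | Where-Object { $_ })   # one entry per index in the event log
$inUse  = [int]$caCfg.KRACertCount                      # "Number of recovery agents to use"

# Open the CA's KRA store by name (Cert:\LocalMachine\KRA exposes the same store).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('KRA', 'LocalMachine')
$store.Open('ReadOnly')

function Test-KraCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    if ($now -lt $Cert.NotBefore) { return 'Invalid: not yet valid' }
    if ($now -gt $Cert.NotAfter)  { return 'Expired' }

    # The certificate must carry the Key Recovery Agent EKU.
    $ekuExts = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasKraEku = $ekuExts | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $KraEku }
    if (-not $hasKraEku) { return 'Invalid: no Key Recovery Agent EKU' }

    # Build the chain with online revocation checking. The Recovery Agents tab does not show
    # revocation, so this is the check that catches a revoked KRA certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid($KraEku))) | Out-Null
    if (-not $chain.Build($Cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return "Invalid: $reasons"
    }
    return 'Valid'
}

$report = for ($i = 0; $i -lt $hashes.Count; $i++) {
    # KRACertHash entries are SHA-1 thumbprints with spaces between the bytes; normalize them.
    $thumb = ($hashes[$i] -replace '\s', '').ToUpperInvariant()
    $cert  = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if ($cert) {
        $subject = $cert.Subject
        $expires = $cert.NotAfter
        $status  = Test-KraCertificate -Cert $cert
    } else {
        $subject = '<not in KRA store>'
        $expires = $null
        $status  = 'Invalid: certificate missing from store'
    }
    [pscustomobject]@{
        Index      = $i
        Thumbprint = $thumb
        Subject    = $subject
        NotAfter   = $expires
        Status     = $status
    }
}
$store.Close()

"CA '$caName': $($hashes.Count) KRA certificate(s) registered, $inUse required per archived key"
$report | Format-Table -AutoSize
```

The Index column matches the index reported in the CA event log, so the row with a non-Valid status is the certificate to remove and replace on the Recovery Agents tab. After changing the recovery agents, restart the CA service (for example with Restart-Service certsvc) so the new configuration takes effect, then re-run the script to confirm every registered certificate reports Valid.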
For more information, see http://go.microsoft.com/fwlink/?LinkID=95698.