BitLocker supports several mechanisms to unlock an encrypted drive. These include recovery agents, whose certificate can be used to add a BitLocker protector. A custom template is required to issue such a certificate.

BitLocker data recovery agents are users who are capable of unlocking drives if the owner of the computer or removable drive has forgotten their password and does not have a key to access their data.

To set up a recovery agent, you need a certificate. Its public key is used to add a protector to the drives. To unlock a drive, the agent user must import the certificate, together with its private key, into the local certificate store of the computer in question.

By default, a Windows CA does not contain a template for BitLocker data recovery. It is therefore necessary to create one based on the Key Recovery Agent template.

Creating a certificate template

The first step is to open the MMC and load the Certificate Templates snap-in. From the context menu of Key Recovery Agent, select Duplicate Template.

Create a new template based on Key Recovery Agent

In the subsequent dialog box, enter a descriptive name for the template under the General tab and change the validity period if necessary.

Assign a name for the new template and change the validity period if necessary

If you wish, you can select the Publish certificate in Active Directory option, because later on, the wizard for creating the recovery agent GPO will offer to read the certificate from there.

Then open the Extensions tab, click the Edit button, and in the next window, click Add. From the list that appears, select BitLocker Data Recovery Agent and BitLocker Drive Encryption.

Add application policies to BitLocker

Another customization is necessary under the Issuance Requirements tab. There, you disable the CA certificate manager approval option, which is selected by default.

Clear the selection of the CA certificate manager approval option

Finally, under Security, adjust the permissions as needed, depending on which users should be able to request a certificate based on this template.

Issuing the template

After saving the new template, you have to activate it. To do this, open the Certification Authority snap-in in the MMC and select New > Certificate Template to Issue from the context menu of the Certificate Templates folder.

In the Certification Authority snap-in, execute the command to issue the template

In the list that appears, select the new template for BitLocker Recovery Agent and confirm it with OK.

Activate the certificate template for the BitLocker Recovery Agent

Issuing the certificate

Now you can request a certificate based on this template. To do so, open certmgr.msc and select All Tasks > Request New Certificate from the context menu of Certificates – Current User > Personal.

Running the command to request a certificate

You can simply confirm the first two dialog boxes. For the third, select the template that you created earlier. If you want, you can open Details > Properties and enter a meaningful display name. Click Enroll to complete the process.

Choose the template for the BitLocker Recovery Agent as the basis for the new certificate

Exporting the certificate

For the group policy that activates a recovery agent, you need to export the certificate without the private key. For this purpose, select the newly issued certificate in certmgr.msc and start the command All Tasks > Export from its context menu.

Command to export certificates from the local store

After the Welcome page, you will get to the dialog box where the option No, do not export the private key is already enabled.

The private key will not be exported

Leave it like this and also keep the preselected DER encoded binary X.509 (.CER) format on the next page.

Select the file format for exporting the certificate

Finally, specify the path and name of the file where you want to save the certificate and complete the process.

To unlock a drive, a recovery agent needs the certificate, including the private key. For this purpose, repeat the procedure just described, but select the option to export the private key. For file format, only PKCS #12 (.PFX) is available in this case.


Before creating the file, you have to set a password to protect the private key. It goes without saying that you should use a strong password here and store the certificate in a safe place afterwards.
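The three steps after the template has been created (publishing it on the CA, requesting a certificate from it, and exporting it with and without the private key) can also be scripted. The following PowerShell is an added example and not part of the 4sysops article; it assumes the template was saved under the hypothetical template name BitLockerDRA, that the ADCSAdministration and PKI modules are available, and that the export paths under C:\Temp are placeholders. It also checks that the issued certificate actually carries both application policies selected on the Extensions tab, which is the point where a misconfigured template usually goes unnoticed until the agent tries to unlock a drive.

```powershell
# Added example (not from the article): scripted counterpart of the
# "Issuing the template", "Issuing the certificate" and "Exporting the
# certificate" steps. Assumptions: template name 'BitLockerDRA'
# (hypothetical), modules ADCSAdministration and PKI present,
# C:\Temp paths are placeholders.

# --- 1. Issuing the template (run on the CA as a CA administrator) ---------
# Equivalent of "New > Certificate Template to Issue" in the CA snap-in.
Import-Module ADCSAdministration
Add-CATemplate -Name 'BitLockerDRA' -Force

# --- 2. Issuing the certificate (run as the future recovery agent) ---------
# Equivalent of "Request New Certificate" in certmgr.msc. Because the
# template no longer requires CA certificate manager approval, the request
# is issued immediately and the certificate lands in the user's store.
$result = Get-Certificate -Template 'BitLockerDRA' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# --- 3. Check the certificate before relying on it ------------------------
# Both application policies from the Extensions tab must be present; the
# friendly names are the ones certmgr.msc displays.
$required = @('BitLocker Data Recovery Agent', 'BitLocker Drive Encryption')
$present  = $cert.EnhancedKeyUsageList | ForEach-Object FriendlyName
foreach ($eku in $required) {
    if ($present -notcontains $eku) {
        throw "Certificate lacks the '$eku' application policy"
    }
}
# Without the private key the agent can never unlock anything.
if (-not $cert.HasPrivateKey) {
    throw 'Private key is not in the store for this certificate'
}

# --- 4. Exporting the certificate ------------------------------------------
# a) Public part only, DER encoded .cer: this is what the recovery agent
#    GPO needs; it contains no secret.
Export-Certificate -Cert $cert -Type CERT `
    -FilePath 'C:\Temp\BitLockerDRA.cer' | Out-Null

# b) Certificate including the private key, PKCS #12 .pfx: this is what the
#    agent imports on the computer whose drive is to be unlocked. The
#    password is read interactively so it does not end up in the script
#    or in the command history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -Password $pfxPassword `
    -FilePath 'C:\Temp\BitLockerDRA.pfx' | Out-Null

# List the two files; only the .pfx contains the private key.
Get-ChildItem 'C:\Temp\BitLockerDRA.*' | Select-Object Name, Length
```

Step 1 needs to run on the CA (or remotely with the CA administrator role), while steps 2 to 4 run in the context of the user who will act as recovery agent; the .cer file can be distributed freely, whereas the .pfx file, like the GUI export described above, must be stored in a safe place.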
