Users imported from another Key Management server need new
keys. When Advanced Security users are exported from their original
Key Management server, their certificates are revoked. Once they
have been migrated to a new Key Management server, they can
continue to use their old keys to read old encrypted e-mail, but
those old keys are now bound to a certificate published to your
organization's CRL. Therefore, new certificates and
corresponding keys are necessary for users to create new encrypted
messages. Key recovery is the final step of the export and import process, because
imported users must have their keys recovered.
Users can also lose their existing keys, for example by forgetting their
password or through a hardware failure on the client computer. Recovery
prevents the loss of the user's encrypted e-mail and the potentially
important information it contains.
In key recovery, as in the enrollment process, the user is
issued a token. The recovery token is issued the same way you
choose to issue enrollment tokens, either through an administrator or
by e-mail. After the user enters this recovery token in Outlook, a new
signature key pair is created for the user. In addition, KMS returns all
of the user's old keys. For imported users, a new encryption key pair is
also generated, because their old encryption key is bound to a revoked
certificate.
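The key-history rules in the two paragraphs above (old keys stay usable for reading old mail, a key on the CRL is never chosen for new mail, recovery adds a new signature key and, for a user whose encryption key is revoked, a new encryption key) are shown below as an added example. This is illustrative code written for this page, not Microsoft's KMS implementation; the record layout, the serial-number counter and the rule "issue a new encryption key whenever the user has no unrevoked one" are assumptions made for the example.

```python
"""Toy model of the KMS key-history behaviour described above.

Assumptions (not from the product): each user holds a list of KeyRecord
entries; a record stores the key pair's purpose, its certificate serial
number, and whether that serial is published to the organization's CRL.
"""
from dataclasses import dataclass, field
from itertools import count

_serial = count(1000)  # constructed serial numbers for the example


@dataclass
class KeyRecord:
    purpose: str           # "signature" or "encryption"
    serial: int            # serial of the certificate bound to the key
    revoked: bool = False  # True once the serial is on the CRL


@dataclass
class User:
    name: str
    keys: list = field(default_factory=list)


def issue(user, purpose):
    """Enroll a new key pair and its certificate for the user."""
    rec = KeyRecord(purpose, next(_serial))
    user.keys.append(rec)
    return rec


def export_user(user):
    """Export from the original KMS server revokes every certificate."""
    for rec in user.keys:
        rec.revoked = True


def encryption_key(user):
    """Key a sender may use for NEW mail: newest unrevoked encryption key."""
    for rec in reversed(user.keys):
        if rec.purpose == "encryption" and not rec.revoked:
            return rec
    return None  # nothing usable: the user needs recovery


def decryption_key(user, serial):
    """Key for reading OLD mail: looked up by serial, revoked or not."""
    for rec in user.keys:
        if rec.purpose == "encryption" and rec.serial == serial:
            return rec
    return None


def recover(user, token_ok):
    """Key recovery after the user enters a recovery token in Outlook.

    A new signature key pair is always created, all old keys are returned,
    and a new encryption key pair is generated when the user has no
    unrevoked one (the imported-user case).  Assumption: token validity is
    passed in as a boolean.
    """
    if not token_ok:
        raise PermissionError("invalid recovery token")
    issue(user, "signature")
    if encryption_key(user) is None:
        issue(user, "encryption")
    return list(user.keys)


def demo():
    """Walk an imported user through export and recovery; True if the
    rules hold: old mail stays readable, new mail needs a fresh key."""
    alice = User("alice")
    old = issue(alice, "encryption")
    issue(alice, "signature")
    old_mail_serial = old.serial        # mail encrypted before migration
    export_user(alice)                  # certificates now on the CRL
    if encryption_key(alice) is not None:
        return False                    # revoked key must not be reused
    if decryption_key(alice, old_mail_serial) is not old:
        return False                    # old mail must still decrypt
    recover(alice, token_ok=True)
    new = encryption_key(alice)
    return (new is not None and new.serial != old.serial
            and decryption_key(alice, old_mail_serial) is old)


if __name__ == "__main__":
    print("key-history rules hold:", demo())
```

The split between `encryption_key` and `decryption_key` is the point: a sender's client must exclude revoked certificates when choosing a key for new mail, while the recipient's own key history must keep revoked keys so that mail encrypted before the export is still readable after migration.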
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, click Advanced Security.
3. In the details pane, right-click Key Manager, point to All Tasks, and then click Recover Keys.
4. In the Key Management Service Login dialog box, type your password, and then click OK. The default password is password.
   Note: You will have to re-type your password each time you try to perform a task or click a tab in the Key Manager Properties dialog box.
5. To recover keys, in Recover Users Selection, perform one of the following tasks:
   - To recover one or more individuals' keys, choose Display an alphabetic list of user names from the global address book (the default), and then click OK. Your organization's address book will appear in Recover Users. Select one or more users, and then click Add to add them to the Selected users column. Click Recover, and KMS will generate temporary keys for those users, which they can then use to get new keys through Outlook.
   - To recover keys for a group of users, choose Display mailbox stores, Exchange servers, and administrative groups of eligible users, and then click OK. Your organization's administrative groups will be displayed in Recover Users. Click to expand the appropriate administrative group, and continue expanding as necessary until you can select the desired node for recovery. All users in the node you select, and all of its sub-nodes, will receive temporary keys when you click Recover.
When the process is finished, you will get a confirmation window
telling you that all selected users were successfully
recovered.