Recovering from a lost encryption certificate private key
If you loose access to the encryption certificate's private key, any current and historical passwords encrypted with that key are not recoverable. This is why backups are so important.
In order to restore local admin password access to your environment, you need to publish a new key, and force the agents to generate a new password and encrypt it with that key.
Recovery steps
Step 1: Generate a new certificate
From the Access Manager Service configuration tool, visit the [[local admin passwords page]], select the forest you need to recover from the drop-down list, and click Generate new...
.
Step 2: Backup the new certificate
Once the certificate has been generated, click View certificate...
and on the Details
tab, select Copy to file...
to backup this key. Make sure you select the option to export the private key. Choose a strong password, and keep this file safe, preferably in an offline location.
Step 3: Publish the new certificate
Once you've secured you backup key, click Publish
to generate a new script to publish this certificate to AD. Run the script as a domain admin of the root forest.
Step 4: Force expire all computer passwords
In order to force clients to immediately generate a new password, we must set the lithnetPasswordExpiry
attribute on each computer to 0
.
You can use the following script to do this. Set the $ou
variable to the DN of the container where the computers are located, or leave it as-is to expire the password of all computers in the domain.
When the agent next runs (by default this is every 60 minutes) it will detect that it's password has been expired, and generate a new password, and encrypt it using the newly published certificate in the directory.
If you are using the password history feature, those previously used passwords can no longer be decrypted. You should delete them from the directory using the following script to avoid users being presented with Password could not be decrypted
warnings in the web UI.
Last updated