Imagine we could finally create a request successfully. We sent it to the CA and then we tried to install its response (the .cer or the .p7b files that we got from the CA) with i.e. the code in How to create a certificate request with CertEnroll (ASP). But we got the following error:
CertEnroll::CX509Enrollment::p_InstallResponse: The key archival hash attribute was not found in the response. 0x80095002 (-2146873342)
We assume that the code we used to create the request works fine, because the CA accepts the request, it enrolls the certificate and give us the response, and we can see the key is archived in the CA. So the issue may have to do with the response of the CA that we try to install. What's going on then?
Well, the issue in my case was that I was getting the response with the Certificate Services web pages of my Microsoft CA, and those pages can only return as a response the issued raw certificate (.cer file) or a pkcs7 package including it (.p7b file). But neither of them contains the Full Response of the CA. This is required for key archival because the full response is a pkcs7 signed by the CA with CMC content. The CMC content contains an attribute that the client uses to verify the CA received the correct encrypted private key in the request (prevents man-in-the-middle key stealing attacks).
Summing up, .cer or .p7b files won't suffice for key archival enrollment.
So I used certreq.exe tool to send the request to my CA and get the full response from it:
certreq -submit -attrib "CertificateTemplate:ArchiveUser" keyarchival.req keyarchival.cer keyarchival.p7b keyarchival.rsp
Note: ArchiveUser is the certificate template where I enabled key archival on my CA.
Then I took keyarchival.rsp and passed it to my sample and it worked just fine. I could install the response successfully.
I hope this helps.
Alex (Alejandro Campos Magencio)