Key recovery agents collectively authorize and retrieve private encryption keys and associated certificates in a PKCS #12 package. To authorize key recovery, the required number of recovery agents access the KRA agent services page and use the Authorize Recovery area to enter each authorization separately.
One of the agents initiates the key recovery process. For a synchronous recovery, each approving agent uses the reference number (which was returned with the initial request) to open the request and then authorizes key recovery separately. For an asynchronous recovery, the approving agents all search for the key recovery request and then authorize the key recovery. Either way, when all of the authorizations are entered, the KRA checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
The key recovery agent scheme configures the KRA to recognize to which group the key recovery agents belong and specifies how many of these agents are required to authorize a key recovery request before the archived key is restored.
3.5.1. Configuring Agent-Approved Key Recovery in the Console
While the number of key recovery agents can be configured in the Console, the group to use can only be set directly in the
CS.cfg file. The Console uses the
Key Recovery Authority Agents Group by default.
Open the KRA's console. For example:
Click the Key Recovery Authority link in the left navigation tree.
Enter the number of agents to use to approve key recover in the Required Number of Agents field.
3.5.2. Configuring Agent-Approved Key Recovery in the Command Line
To set up agent-initiated key recovery, edit two parameters in the KRA configuration:
These parameters are set in the KRA's
CS.cfg configuration file.
Stop the server before editing the configuration file.
systemctl stop email@example.com
Open the KRA's
Edit the two recovery scheme parameters.
kra.recoveryAgentGroup=Key Recovery Authority Agents
Restart the server.
systemctl start firstname.lastname@example.org
3.5.3. Customizing the Key Recovery Form
The default key agent scheme requires a single agent from the Key Recovery Authority Agents group to be in charge of authorizing key recovery.
It is also possible to customize the appearance of the key recovery form. Key recovery agents need an appropriate page to initiate the key recovery process. By default, the KRA's agent services page includes the appropriate HTML form to allow key recovery agents to initiate key recovery, authorize key recovery requests, and retrieve the encryption keys. This form is located in the
/var/lib/pki/pki-tomcat/kra/webapps/kra/agent/kra/ directory, called
If the key recovery confirmation form is customized, do not to delete any of the information for generating the response. This is vital to the functioning of the form. Restrict any changes to the content in and appearance of the form.