3.5. Setting up Agent-Approved Key Recovery Schemes

Key recovery agents collectively authorize and retrieve private encryption keys and associated certificates in a PKCS #12 package. To authorize key recovery, the required number of recovery agents access the KRA agent services page and use the Authorize Recovery area to enter each authorization separately.
One of the agents initiates the key recovery process. For a synchronous recovery[1], each approving agent uses the reference number (which was returned with the initial request) to open the request and then authorizes key recovery separately. For an asynchronous recovery, the approving agents all search for the key recovery request and then authorize the key recovery. Either way, when all of the authorizations are entered, the KRA checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
The key recovery agent scheme configures the KRA to recognize to which group the key recovery agents belong and specifies how many of these agents are required to authorize a key recovery request before the archived key is restored.

3.5.1. Configuring Agent-Approved Key Recovery in the Console


While the number of key recovery agents can be configured in the Console, the group to use can only be set directly in the CS.cfg file. The Console uses the Key Recovery Authority Agents Group by default.
  1. Open the KRA's console. For example:
    pkiconsole https://server.example.com:8443/kra
  2. Click the Key Recovery Authority link in the left navigation tree.
  3. Enter the number of agents to use to approve key recover in the Required Number of Agents field.

3.5.2. Configuring Agent-Approved Key Recovery in the Command Line

To set up agent-initiated key recovery, edit two parameters in the KRA configuration:
  • Set the number of recovery managers to require to approve a recovery.
  • Set the group to which these users must belong.
These parameters are set in the KRA's CS.cfg configuration file.
  1. Stop the server before editing the configuration file.
    systemctl stop pki-tomcatd@pki-tomcat.service
  2. Open the KRA's CS.cfg file.
    vim /var/lib/pki-kra/conf/CS.cfg
  3. Edit the two recovery scheme parameters.
    kra.recoveryAgentGroup=Key Recovery Authority Agents
  4. Restart the server.
    systemctl start pki-tomcatd@pki-tomcat.service

3.5.3. Customizing the Key Recovery Form

The default key agent scheme requires a single agent from the Key Recovery Authority Agents group to be in charge of authorizing key recovery.
It is also possible to customize the appearance of the key recovery form. Key recovery agents need an appropriate page to initiate the key recovery process. By default, the KRA's agent services page includes the appropriate HTML form to allow key recovery agents to initiate key recovery, authorize key recovery requests, and retrieve the encryption keys. This form is located in the /var/lib/pki/pki-tomcat/kra/webapps/kra/agent/kra/ directory, called confirmRecover.html.


If the key recovery confirmation form is customized, do not to delete any of the information for generating the response. This is vital to the functioning of the form. Restrict any changes to the content in and appearance of the form.

[1] For synchronous key recovery, the initial browser page must stay open and it refreshes every few seconds until the key recovery is complete. If this page is closed, then the recovery request must be re-initiated.