4.2. Testing the Key Archival and Recovery Setup


Newer browsers do not support key archival from the browser; for Step 1, one should substitute CRMF generation clients for those browsers.
To test whether a key can be successfully archived:
  1. Enroll for dual certificates using the CA's Manual User Signing & Encryption Certificates Enrollment form.
  2. Submit the request. Log in to the agent services page, and approve the request.
  3. Log into the end-entities page, and check to see if the certificates have been issued. In the list of certificates, there should be two new certificates with consecutive serial numbers.
  4. Import the certificates into the web browser.
  5. Confirm that the key has been archived. In the KRA's agent services page, select Show completed requests. If the key has been archived successfully, there will be information about that key. If the key is not shown, check the logs, and correct the problem. If the key has been successfully archived, close the browser window.
  6. Verify the key. Send a signed and encrypted email. When the email is received, open it, and check the message to see if it is signed and encrypted. There should be a security icon at the top-right corner of the message window that indicates that the message is signed and encrypted.
  7. Delete the certificate. Check the encrypted email again; the mail client should not be able to decrypt the message.
  8. Test whether an archived key can be recovered successfully:
    1. Open the KRA's agent services page, and click the Recover Keys link. Search for the key by the key owner, serial number, or public key. If the key has been archived successfully, the key information will be shown.
    2. Click Recover.
    3. In the form that appears, enter the base-64 encoded certificate that corresponds to the private key to recover; use the CA to get this information. If the archived key was searched for by providing the base-64 encoded certificate, then the certificate does not have to be supplied here.
    4. Make sure that the Async Recovery checkbox is selected to allow the browser session to be closed while recovery is ongoing.


      An async recovery is the default and recommended way to perform a key recovery. If you want to perform a synchronous key recovery, the browser window cannot be shut and the KRA cannot be stopped during the recovery process.
    5. Depending on the agent scheme, a specified number of agents must authorize this key recovery. Have the agents search for the key to recover and then to approve the initiated recovery.
    6. Once all the agents have authorized the recovery, the next screen requests a password to encrypt the PKCS #12 file with the certificate.
    7. The next screen returns a link to download a PKCS #12 blob containing the recovered key pair. Follow the link, and save the blob to file.


      Opening the PKCS #12 file directly from the browser in the gcr-viewer utility can fail in certain situations. To work around the problem, download the file and manually open it in gcr-viewer.
  9. Restore the key to the browser's database. Import the .p12 file into the browser and mail client.
  10. Open the test email. The message should be shown again.