2.1 Key archival and recovery
MyID can archive keys on the Entrust server or locally within MyID.
The available Archive Keys settings are:
- None – the key is generated on the device.
- Internal – the key is archived in MyID.
- EntrustRest – the key is archived in the Entrust server.
If the key_client_generated certificate profile property is set to false, the Archive Keys option is set to EntrustRest; you cannot change this. Otherwise, the Archive Keys option is set to None by default; in this case, you can change the setting to Internal if required.
Note: If you recover a revoked archive certificate, and the certificate is configured in the credential profile for Historic Only, a new archive certificate is created on the CA; this is expected Entrust behavior, and MyID correctly ignores this certificate and recovers the old revoked archive certificate. This does not happen if the certificate is live, or if the certificate is configured in the credential profile to Use existing.