6.4 Recovering certificates

If you have archived your issued certificates, you can recover them to a card if you need to. For example, if the card is lost, you can recover the certificate onto a new card so that any encrypted data (for example, encrypted email) can continue to be accessed.

Note: You must be logged in with a card to recover certificates. You cannot recover certificates if you have logged in to MyID using security phrases.

Note: When you recover certificates to a PIV card, all retired certificate containers are overwritten. This affects any smart card with a PIV applet.

6.4.1 Recovering someone else's certificates

You can recover certificates to another user's card. You can also recover soft certificates to a PFX file.

To recover certificates to a card:

  1. From the Certificates category, click Recover Certificates.

    You can also launch this workflow from the Certificate Administration section of the More category in the MyID Operator Client. See the Using Certificate Administration workflows section in the MyID Operator Client guide for details.

  2. Use the Find Person screen to select the person whose certificate you want to recover.

  3. Select which certificates you want to recover:

    • Recover certificates by date – specify the issuance date after which any keys will be recovered.
    • Recover a specific number of certificates – specify the number of keys you want to recover. For example, if you specify 3, the three most recent keys will be recovered.
    • Select Certificates to recover manually – select the certificates from a list of all available certificates.
  4. Click Next.

    Carry out one of the following, depending on the option you selected on the previous screen:

    • Select a date. All certificates issued after this date will be recovered.

    • Type a number of certificates. That number of the most recent certificates will be recovered.

    • Use the Add button to select certificates from the Available Certificates list.

  5. Type a Reason for Recovery in the text box.
  6. Click Next.

    The options available depend on how the Recovery Storage option on the certificate policy is configured. See section 6.4.3, Options for recovering soft certificates.

  7. Select one of the following options:

    • Recover the certificate to a smart card

      Insert the card to which you want to recover the certificate, click Confirm to confirm the card, type the PIN, then click Next. MyID writes the recovered certificates to the card.

    • Recover the certificate to a password protected file or the local store

      Note: The options available depend on how the Storage method allowed for certificate recovery configuration option is configured. If only one of the two storage methods is available, this option is labeled Recover the certificate to a password protected file or Recover the certificate to the local store accordingly. See section 6.4.3, Options for recovering soft certificates.

      If both methods are available, choose one of the following subsequent options:

      • Add the certificate to the local store

        The certificate is added to the local store automatically.

      • Export the certificate and private key as a PFX file

        Click Enter protection password then choose destination, type the password for the certificate, and click Save.

        You can use the following characters in PFX passwords:

        a-z A-Z 0-9 ! \ " # $ % ' ( ) * + - . / : ; = ? @

        Note: You cannot use spaces.
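If you script or pre-check PFX protection passwords before entering them in this workflow, the following added example (not part of the MyID product or this guide) checks a candidate password against exactly the character set listed above and reports any characters MyID would not accept. The non-empty requirement is an assumption of the example, not something the guide states.

```python
import string

# Punctuation accepted in MyID PFX protection passwords, as listed in the guide:
# ! \ " # $ % ' ( ) * + - . / : ; = ? @
PFX_PUNCTUATION = set('!\\"#$%\'()*+-./:;=?@')

# Full allowed set: a-z, A-Z, 0-9 plus the punctuation above. Spaces are excluded.
PFX_ALLOWED = set(string.ascii_letters + string.digits) | PFX_PUNCTUATION


def disallowed_pfx_chars(password: str) -> list:
    """Return the characters in password that are outside the allowed set.

    Characters are reported in order of first appearance, without duplicates,
    so the caller can tell the user exactly what to remove.
    """
    offending = []
    for ch in password:
        if ch not in PFX_ALLOWED and ch not in offending:
            offending.append(ch)
    return offending


def is_valid_pfx_password(password: str) -> bool:
    """True if every character is allowed and the password is non-empty.

    The non-empty check is an assumption of this example; the guide only
    specifies the permitted characters.
    """
    return bool(password) and not disallowed_pfx_chars(password)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for candidate in ("Recover-2024!", "my pass word", "a&b<c&", '\\"#'):
        print(repr(candidate), is_valid_pfx_password(candidate),
              disallowed_pfx_chars(candidate))
```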

Note: Using the Recover Certificates workflow on a card with named certificate containers will overwrite any existing certificates in historic certificate containers with the certificates you selected, or which were automatically selected for recovery. This includes any historic certificates written to the card during issuance. If an operator recovers their own certificates to the card, their current live encryption certificate may be recovered to a historic container (in addition to its presence in the live archived container).

6.4.2 Recovering your own certificates

Note: The Recover My Certificates workflow is not automatically assigned to any roles. If you want people to be able to recover their own certificates, use the Edit Roles workflow to make it available.

To recover certificates to your own card:

  1. From the Certificates category, click Recover My Certificates.

    Note: You can also launch this workflow from the self-service menu in the MyID Operator Client. See the Launching self-service workflows section in the MyID Operator Client guide for details.

  2. Follow the same process as for the Recover Certificates workflow; see section 6.4.1, Recovering someone else's certificates above.

6.4.3 Options for recovering soft certificates

The certificate recovery method is determined at the point of recovery, rather than at the point of issuance; if you change the Recovery Storage option on the certificate policy, or change the global Storage method allowed for certificate recovery configuration option, it affects all issued soft certificates.

The following table describes how the Recovery Storage (certificate policy) and the Storage method allowed for certificate recovery (global configuration setting) options affect the recovery of soft certificates:

Recovery Storage (certificate policy) | Storage method allowed for certificate recovery (global configuration option)
                                      | Hardware                   | Software                                                           | Both
--------------------------------------+----------------------------+--------------------------------------------------------------------+------------------------------------------------------------------------------------
Save to PFX                           | Can recover to smart card. | Can recover to encrypted PFX.                                      | Can recover to smart card or to encrypted PFX.
Local Store                           | Can recover to smart card. | Can recover to user's local certificate store.                     | Can recover to smart card or to user's local certificate store.
Both                                  | Can recover to smart card. | Can recover to encrypted PFX or to user's local certificate store. | Can recover to smart card, to encrypted PFX, or to user's local certificate store.