10.1 Overview of the key recovery process
Using the API, you create a request. This can be one of the following:
- A request to update an existing smart card with the certificates required.
- A request to issue a new smart card to hold the certificates – this is controlled by credential profile configuration.
- A request to recover the certificates as PFX files – this is controlled by credential profile configuration.
For certificates to be issued as software certificates, or to a new card, the credential profile may require a MyID operator to carry out an approval step.
You can configure MyID to generate a notification to a REST API endpoint when these requests are created; see the REST Request Added notification section in the REST Web Service Notifications guide for more information.
For requests to update an existing smart card:
- Where the end user has the Self-Service App, the MyID Client for Windows, or the MyID Client for Mac installed, they can receive a notification for the request or they can check for available tasks manually.
- An operator can assist the end user in collecting these requests to the card specified using the Collect Updates feature in the MyID Operator Client; note that the cardholder must enter the user PIN for the device during the process.
For requests to recover the certificates as a new card issuance:
- The owner of the certificates can collect the request as a self-service operation, or an operator can collect the key recovery device.
- Where the end user has the Self-Service App, the MyID Client for Windows, or the MyID Client for Mac installed, they can receive a notification for the request or they can check for available tasks manually.
For requests to recover the certificates as PFX files:
- The owner of the certificates can collect the request as a self-service operation, or an operator can collect the request.
- A self-service user can collect the certificates by logging on to the MyID Operator Client and downloading the certificates.
You can configure MyID to send an email notification to the certificate owner when certificates are recovered to confirm that the event took place.
You can view certificate recovery information by looking at the certificate instances tab on a certificate record in the MyID Operator Client. See the Viewing a certificate section in the MyID Operator Client guide.
Details are also included in the audit (see the Running the audit report section in the Administration Guide) and you can view the recovery requests in the MyID Operator Client; see the Searching for a request section in the MyID Operator Client guide.
Note: The API features do not currently replace any key recovery processes for third-party investigation – you must continue to use the existing features as described in the Key recovery section in the Administration Guide.