15.4 Collecting recovered keys

Once you have created a request for recovered keys, you can collect the device or the device update. An operator can collect a key recovery device for any user within their scope, or the certificate owner can collect their own device through a self-service operation.

Similarly, an operator can collect a key recovery device update for any user within their scope, as long as they have the device present, or the device owner can update their own device through a self-service operation.

These key recovery requests are treated the same as other device requests and device update requests, subject to the same scope checking and role restrictions based on the associated credential profile.

15.4.1 Collecting recovered keys to a new smart card

When you request key recovery to a new smart card, MyID creates a device request. You can then use the collect operation to collect the key recovery device or PFX containing the recovered archived certificates.

Note: If the credential profile has the Validate Issuance option set, an operator must approve the request using the Approve Request option on the View Request screen before you can collect the smart card. You cannot use the Approve Key Recovery workflow in MyID Desktop for these requests; that workflow handles only key recovery requests initiated through MyID Desktop, not key recovery requests initiated through the MyID Operator Client or the MyID Core API.

The device owner can collect their key recovery smart card in the following ways:

An operator can collect a device request in the following ways:

15.4.2 Collecting recovered keys as soft certificates

When you request key recovery to a soft certificate package, MyID creates a device request that you can collect as a downloaded PFX file or add automatically to your system store (depending on the Software certificate recovery location option in the Key Recovery section of the credential profile; see the Setting up the credential profile for key recovery section in the Administration Guide).

Note: If the credential profile has the Validate Issuance option set, an operator must approve the request using the Approve Request option on the View Request screen before you can collect the soft certificates. You cannot use the Approve Key Recovery workflow in MyID Desktop for these requests; that workflow handles only key recovery requests initiated through MyID Desktop, not key recovery requests initiated through the MyID Operator Client or the MyID Core API.

An operator can collect the soft certificate request for any user within their scope, and the certificate owner can collect their own soft certificate.

In either case, to collect the soft certificate, in the MyID Operator Client, from the View Request screen for the key recovery request, click Collect from the options at the bottom of the screen.

For more information about collecting soft certificates, see section 14.1, Collecting a soft certificate.

15.4.3 Collecting recovered keys to an existing device

When you request key recovery to an existing device, MyID creates a device update request for the specified device. You can then use a device update operation to collect the certificates onto the device.

Important: When you create the request by selecting the certificates to recover to the device, any certificate that is already on the device but that you deselect is removed by the device update process. Make sure the list of certificates in the recovery request includes every certificate you want to keep on the device.

The device owner can update their device in the following ways:

An operator can assist with updating a device with recovered certificates in the following ways:

Note: The device owner must be present to insert their PIN for the update to proceed.

15.4.4 Known issues