Collecting recovered keys

15.4 Collecting recovered keys

Once you have created a request for recovered keys, you can collect the device or the device update. An operator can collect a key recovery device for any user within their scope, or the certificate owner can collect their own device through a self-service operation.

Similarly, an operator can collect a key recovery device update for any user within their scope, as long as they have the device present, or the device owner can update their own device through a self-service operation.

These key recovery requests are treated the same as other device requests and device update requests, subject to the same scope checking and role restrictions based on the associated credential profile.

15.4.1 Collecting recovered keys to a new smart card

When you request key recovery to a new smart card, MyID creates a device request. You can then use the collect operation to collect the key recovery device or PFX containing the recovered archived certificates.

Note: If the credential profile has the Validate Issuance option set, an operator must approve the request using the Approve Request option on the View Request screen before you can collect the smart card. You cannot use the Approve Key Recovery workflow in MyID Desktop; this workflow is for key recovery requests initiated through MyID Desktop only, not for key recovery requests initiated through the MyID Operator Client or the MyID Core API.

The device owner can collect their key recovery smart card in the following ways:

Through the self-service menu in the MyID Operator Client.

Open the self-service menu in the MyID Operator Client, then select the collect job from the list.

Note: You may have to click Check for Updates first.
Through one of the self-service applications (the Self-Service App, the MyID Client for Windows, or the MyID Client for Mac).

Open the self-service application, then select the Collect Security Device task from the list.

An operator can collect a device request in the following ways:

In the MyID Operator Client, on the View Request screen for the key recovery request, click Collect from the options at the bottom of the screen.
In MyID Desktop, from the Cards category, select Collect Card.

15.4.2 Collecting recovered keys as soft certificates

When you request key recovery to a soft certificate package, MyID creates a device request that you can collect as a downloaded PFX file or add automatically to your system store (depending on the Software certificate recovery location option in the Key Recovery section of the credential profile; see the Setting up the credential profile for key recovery section in the Administration Guide).

Note: If the credential profile has the Validate Issuance option set, an operator must approve the request using the Approve Request option on the View Request screen before you can collect the soft certificates. You cannot use the Approve Key Recovery workflow in MyID Desktop; this workflow is for key recovery requests initiated through MyID Desktop only, not for key recovery requests initiated through the MyID Operator Client or the MyID Core API.

An operator can collect the soft certificate request for any user within their scope, and the certificate owner can collect their own soft certificate.

In either case, to collect the soft certificate, in the MyID Operator Client, from the View Request screen for the key recovery request, click Collect from the options at the bottom of the screen.

For more information about collecting soft certificates, see section 14.1, Collecting a soft certificate.

15.4.3 Collecting recovered keys to an existing device

When you request key recovery to an existing device, MyID creates a device update request for the specified device. You can then use a device update operation to collect the certificates onto the device.

Important: When you select the certificates to be recovered to the device to create the request, if you deselect a certificate that is already on the device, the device update process removes the certificate. Make sure the list of certificates you include in the recovery request includes all of the certificates you want to include on the device.

The device owner can update their device in the following ways:

Through the self-service menu in the MyID Operator Client.

Open the self-service menu in the MyID Operator Client, then select the update job from the list.

Note: You may have to click Check for Updates first.
Through one of the self-service applications (the Self-Service App, the MyID Client for Windows, or the MyID Client for Mac).

Open the self-service application, then select the Update Security Device task from the list.

An operator can assist with updating a device with recovered certificates in the following ways:

In the MyID Operator Client, from the View Device screen for the device you want to update, click Collect Updates from the options at the bottom of the screen.
In MyID Desktop, from the Cards category, select Collect Updates, then insert the device you want to update.

Note: The device owner must be present to insert their PIN for the update to proceed.

15.4.4 Known issues

IKB-435 – Device updates after key recovery has been collected may remove the selected certificates

When a key recovery request has been processed that recovers a selection of certificates to a device, a subsequent update to that device may remove the certificates depending on the credential profile configuration. As update and reprovision requests for a device synchronize the device’s assigned credential profile, the selected key history may be removed.

To address this, you are recommended to repeat the key recovery request for the device.