18.1 Setting up the credential profile for key recovery

If you want to collect recovered keys onto smart cards or into soft certificate packages, you must set up at least one credential profile with the Key Recovery Only option. Credential profiles with this option cannot be used for any other smart card requests.

To set up the credential profile:

  1. From the Configuration category, select Credential Profiles.
  2. Click New.
  3. Type a Name and Description for the credential profile.
  4. In the Card Encoding section, select one of the following:

    • Contact Chip

    • Microsoft Virtual Smart Card

    • Windows Hello

    • Software Certificates (Only)

  5. For key recovery devices other than software certificates, click Services.

    If you select the MyID Encryption option, the MyID keys on the card are used to secure the transport of the recovered keys; otherwise, the software-based signing mechanism is used. Both methods are secure, but the MyID Encryption option provides additional security.

    Note: Do not select the MyID Logon option. Key recovery cards must not be used to access MyID.

    This option does not affect soft certificates.

  6. Click Key Recovery.

  7. Set the Key Recovery Only option.

    The Validate Issuance option (in the Issuance Settings section) is automatically selected. This allows you to use the Approve Key Recovery workflow (for requests made through MyID Desktop) or the Approve Request option (for requests made through the MyID Operator Client or the MyID Core API) to validate the key recovery request.

  8. If you are issuing recovered keys to soft certificate packages, select the Software certificate recovery location from the drop-down list:

    • File Store – the certificate is exported to a password-protected PFX file.

    • System Store – the certificate is stored automatically in the Personal certificate store of the logged-on Windows user.

    • Autosave – when collecting the request through the MyID Operator Client, the certificate package is automatically saved to the first empty USB device found attached to the PC.

    See section 11.5, Setting up a credential profile for soft certificates for further details of these options.

  9. If you want to issue the card with a randomly-generated PIN:

    1. Click PIN Settings.
    2. From the Issue With drop-down list, select Server Generated PIN.

    3. Either:

      • Select the Email PIN option to send an email message containing the randomly-generated PIN for the card to the recipient.

      or:

      • Click Mail Documents, then select the Card Issuance Mailing Document.

        This is a mail-merge document that contains information about the key recovery card, including the PIN. You can use this as an alternative to sending the PIN in an email message.

      Note: If you do not want the generated PIN to be shown during collection, you must ensure that the Show Generated PINs option is set to No on the PINs page of the Security Settings workflow.

      For more information, see section 31.4, PINs page (Security Settings).

  10. For Contact Chip or Windows Virtual Smart Card key recovery devices, click Device Profiles, then select a Card Format.

    Note: Do not select a PIV data model if the cardholder does not have biometrics enrolled.

  11. Click Next.
  12. Complete the workflow. You must specify which roles can receive and issue these devices; for physical cards, you can specify a card layout to be used on printed key recovery cards.