15 Recovering keys

You can use the MyID Operator Client to request a smart card, VSC, Windows Hello credential, or soft certificate package containing recovered certificates and keys.

You can recover these keys to a new, dedicated device that is used only to store recovered keys, or you can add the recovered keys to an existing issued device. In either case, you must issue the recovered keys to the original owner of the certificate.

See the Key recovery section in the Administration Guide for more information about key recovery; in particular, see the Setting up the credential profile for key recovery section for details of setting up a credential profile for a key recovery device. Note, however, that the collection procedure for key recovery requests made through the MyID Core API or the MyID Operator Client is different from the collection procedure for requests made through MyID Desktop.

If the certificate policy is configured to use MyID SecureVault to archive its keys, you can recover the keys from the MyID SecureVault key store; see the Integrating with MyID SecureVault section in the Administration Guide for details.

See the Requesting key recovery section in the MyID Core API guide for details of using the MyID Core API to request key recovery operations.

This chapter contains information on the following:

• An overview of the key recovery process.

  See section 15.1, What is key recovery?

• Setting up permissions for key recovery, including permissions to the embedded reports used within the key recovery screens.

  See section 15.2, Setting up permissions for key recovery.

• Requesting key recovery, either to a dedicated key recovery device or to an existing issued device.

  See section 15.3, Requesting a key recovery.

• Collecting a key recovery, either to a dedicated key recovery device or as an update to an existing device.

  See section 15.4, Collecting recovered keys.