15.3 Requesting a key recovery

Before you can recover keys from archived certificates, you must request a key recovery. You can request a key recovery in any of the following ways:

15.3.1 Recovering certificates to an existing device through the View Person screen

To recover certificates to an existing device through the View Person screen:

  1. Search for a person, and view their details.

    See section 4.1, Searching for a person, for details.

    If you want to recover certificates for yourself, you can open the View Person screen for your own account using the View My Account option on the MyID Operator Client self-service menu.

    You can also view a person's details from any form that contains a link to their account.

    For example:

    • Click the link icon on the Full Name field of the View Request form.
    • Click the link icon on the Owner field of the View Device form.

  2. Click the Recover Certificates To Issued Device option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    Note: The Recover Certificates To Issued Device option appears on the View Person screen for your own account only if the Allow self requests configuration option on the Self-Service page of the Security Settings workflow is set. See section 15.2, Setting up permissions for key recovery.

    The device search screen appears.

  3. Enter any search criteria you want to apply, then click Search.

    The list of matching devices belonging to the person appears.

    Note: You must have permissions to the Devices To Recover report that is embedded in this screen; see section 15.2, Setting up permissions for key recovery.

  4. Select a device from the list, then click Select.

    The list of available certificates to recover appears.

    Note: You must have permissions to the Certificates To Recover To Device report that is embedded in this screen; see section 15.2, Setting up permissions for key recovery.

    This screen displays the certificates belonging to the device owner that you can recover to the device.

  5. Select the certificates you want to recover to the device.

    Important: The Currently On Device column displays whether the certificate is already on the selected device. If you do not select a certificate that is already on the device, the device update process removes the certificate. Make sure the list of certificates includes all of the certificates you want to include on the device.

  6. Click Save.

    MyID creates an update request for the device.

    You can now collect this update; for example, click on the link in the Device Serial Number box to display the View Device screen, then select the Collect Updates option in the button bar at the bottom of the screen. Alternatively, the device owner can collect the updates as a self-service operation. See section 15.4.3, Collecting recovered keys to an existing device.

15.3.2 Recovering certificates to an existing device through the View Device screen

To recover certificates to an existing device through the View Device screen:

  1. Search for a device, and view its details.

    See section 5.1, Searching for a device.

    Alternatively, insert the device into a reader.

    See section 5.2, Reading a device.

    If you want to recover your own certificates to your own existing device, you can find your devices using the My Devices option on the MyID Operator Client self-service menu.

    You can also view a device from any form that contains a link to the device.

    For example:

    • Click the item in the list on the Devices tab of the View Person form.
    • Click the link icon on the Device Serial Number field of the View Request form.

  2. Click the Recover Certificates To This Device option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    The Recover Certificates To This Device screen appears.

    Note: You must have permissions to the Certificates To Recover To Device report that is embedded in this screen; see section 15.2, Setting up permissions for key recovery.

    This screen displays the certificates belonging to the device owner that you can recover to the device.

  3. Select the certificates you want to recover to the device.

    Important: The Currently On Device column displays whether the certificate is already on the selected device. If you do not select a certificate that is already on the device, the device update process removes the certificate. Make sure the list of certificates includes all of the certificates you want to include on the device.

  4. Click Save.

    MyID creates an update request for the device.

    You can now collect this update; for example, click on the link in the Device Serial Number box to display the View Device screen, then select the Collect Updates option in the button bar at the bottom of the screen. Alternatively, the device owner can collect the updates as a self-service operation. See section 15.4.3, Collecting recovered keys to an existing device.

15.3.3 Recovering certificates to a new device or soft certificate package

Instead of recovering certificates to the certificate owner's existing device, you can issue the recovered certificates to a dedicated key recovery device. These devices are limited in their use, and are intended only to store the recovered certificates.

You can use either a smart card or a soft certificate package to contain the recovered certificates; this is determined by the credential profile. See the Setting up the credential profile for key recovery section in the Administration Guide.

To request a key recovery device:

  1. Search for a person, and view their details.

    See section 4.1, Searching for a person, for details.

    If you want to recover certificates for yourself, you can open the View Person screen for your own account using the View My Account option on the MyID Operator Client self-service menu.

    You can also view a person's details from any form that contains a link to their account.

    For example:

    • Click the link icon on the Full Name field of the View Request form.
    • Click the link icon on the Owner field of the View Device form.

  2. Click the Recover Certificates To New Device option in the button bar at the bottom of the screen.

    You may have to click the ... option to see any additional available actions.

    Note: The Recover Certificates To New Device option appears on the View Person screen for your own account only if the Allow self requests configuration option on the Self-Service page of the Security Settings workflow is set. See section 15.2, Setting up permissions for key recovery.

    The Recover Certificates To New Device screen appears.

  3. Select a Credential Profile from the drop-down list.

    If only one key recovery credential profile is available, it is selected automatically. You may have multiple credential profiles available; for example, one credential profile for recovering certificates to a physical smart card, and another for recovering certificates to a PFX.

  4. Optionally, type a Label for the request.

    You can use this label to search for the request.

  5. Select the certificates you want to recover.

    Note: Check the Storage Policy column to ensure that the certificates can be recovered to your chosen device; for example, you cannot recover a certificate with a storage policy of Hardware to a soft certificate.

  6. Click Save.

    MyID creates a request for the device or soft certificates.

    You can now collect this device or these soft certificates; for example, click the Collect option in the button bar at the bottom of the screen. Alternatively, the device owner can collect the device as a self-service operation. See section 15.4.1, Collecting recovered keys to a new smart card, and section 15.4.2, Collecting recovered keys as soft certificates, for details.