2.2.3.1 Key Recovery Certificate

A CA MAY use one or more locally configured and specified key recovery keys (the public keys of key recovery certificates) to encrypt the private key of a client when that private key is submitted to the CA encapsulated in a certificate enrollment request, so that the key can later be recovered.

A key recovery certificate MUST contain the following fields and extensions identified in [RFC3280]:

  • Version

  • Serial Number

  • Signature

  • notBefore

  • notAfter

  • Subject

  • Issuer

  • Subject Public Key Info

  • Authority Key Identifier

  • Subject Key Identifier

  • Authority Information Access

  • Key Usage (keyEncipherment, bit 2 of the KeyUsage BIT STRING; in the DER encoding this is the 0x20 bit of the first content byte)

  • CRL Distribution Points (CDP)

  • Extended Key Usage (Key Recovery Agent OID szOID_KP_KEY_RECOVERY_AGENT, 1.3.6.1.4.1.311.21.6).<18>
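The two list entries a verifier most often gets wrong are the Key Usage value (keyEncipherment is named bit 2, which is the 0x20 bit of the first content byte of the DER BIT STRING, not the value 0x04) and the Extended Key Usage OID. The following is an added example, not text or code from [MS-WCCE]: pure-Python DER helpers that encode and decode a KeyUsage BIT STRING and an ExtKeyUsage SEQUENCE OF OBJECT IDENTIFIER, plus a check that both carry what a key recovery certificate requires. The extension values it checks are constructed here for illustration and are not taken from a real certificate; the function and constant names are this example's own.

```python
"""Check the KeyUsage and ExtKeyUsage values a key recovery certificate
must carry (keyEncipherment and szOID_KP_KEY_RECOVERY_AGENT).
Pure-Python DER handling; sample values are constructed, not from a real cert."""

KEY_RECOVERY_AGENT_OID = "1.3.6.1.4.1.311.21.6"  # szOID_KP_KEY_RECOVERY_AGENT

# RFC 3280 KeyUsage named bits. Bit 0 is the most significant bit of the
# first content byte of the DER BIT STRING, so keyEncipherment (bit 2) is 0x20.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def der_length(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_key_usage(*names: str) -> bytes:
    """DER BIT STRING for the named bits, with DER's minimal unused-bit count."""
    bits = [KEY_USAGE_BITS[n] for n in names]
    highest = max(bits)
    nbytes = highest // 8 + 1
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - 1 - highest
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return b"\x03" + der_length(len(content)) + content


def decode_key_usage(der: bytes) -> set:
    """Names of the bits set in a DER KeyUsage BIT STRING."""
    tag, content, _ = der_read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = content[0], int.from_bytes(content[1:], "big")
    total = (len(content) - 1) * 8
    return {name for name, idx in KEY_USAGE_BITS.items()
            if idx < total - unused and (bits >> (total - 1 - idx)) & 1}


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)


def decode_oid(content: bytes) -> str:
    """Dotted string from OID content bytes (first arc 0 or 1, as for these OIDs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_eku(*oids: str) -> bytes:
    """DER ExtKeyUsage: SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + der_length(len(body)) + body


def decode_eku(der: bytes) -> list:
    tag, content, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids


def check_key_recovery_extensions(key_usage_der: bytes, eku_der: bytes) -> list:
    """Problems found against 2.2.3.1's Key Usage / EKU requirements; [] is a pass."""
    problems = []
    if "keyEncipherment" not in decode_key_usage(key_usage_der):
        problems.append("KeyUsage lacks keyEncipherment (0x20)")
    if KEY_RECOVERY_AGENT_OID not in decode_eku(eku_der):
        problems.append("EKU lacks szOID_KP_KEY_RECOVERY_AGENT 1.3.6.1.4.1.311.21.6")
    return problems


if __name__ == "__main__":
    # Constructed sample: a conforming pair, then a pair with neither requirement met.
    print(encode_key_usage("keyEncipherment").hex(), encode_eku(KEY_RECOVERY_AGENT_OID).hex())
    print(check_key_recovery_extensions(encode_key_usage("keyEncipherment"),
                                        encode_eku(KEY_RECOVERY_AGENT_OID)))
    print(check_key_recovery_extensions(encode_key_usage("digitalSignature"),
                                        encode_eku("1.3.6.1.5.5.7.3.2")))
```

A conforming KeyUsage encodes as `03 02 05 20` (BIT STRING, 2 bytes, 5 unused bits, value 0x20), and the EKU OID as `06 09 2B 06 01 04 01 82 37 15 06`; the check reads those values back from the encoded extension rather than trusting the names, which is what an enrollment-side validator has to do with the bytes of a real certificate.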