2.2.2.2 Key Recovery Certificate

A key recovery certificate is a prerequisite for any certificate enrollment that encapsulates a private key for the purpose of key escrow (also referred to as key archival) to a CA.<3> A CA MAY use one or more locally configured and specified key recovery certificates to encrypt a client's private key that is submitted to the CA encapsulated in a certificate enrollment request.

A key recovery certificate contains the following X.509v1 fields:

  • Version

  • Serial Number

  • Signature Algorithm

  • Valid From

  • Valid To

  • Subject

  • Issuer

  • Public Key

A key recovery certificate contains the following X.509v3 extensions identified in section 4.2.1 of [RFC3280]:

  • Authority Key Identifier

  • Subject Key Identifier

  • Authority Information Access

  • Key Usage (Key Encipherment = 0x20)

  • Subject Alternative Name

  • CDP (CRL Distribution Point)

  • Extended Key Usage (Key Recovery OID = 1.3.6.1.4.1.311.21.6)
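The two extensions that distinguish a key recovery certificate from an ordinary end-entity certificate are the Key Usage value above (0x20 is the first content byte of the DER BIT STRING with the keyEncipherment bit, bit 2, set) and the Extended Key Usage list carrying the Key Recovery OID. The following added example (not part of this specification or of any Microsoft code) decodes both extension values with small hand-written DER helpers so an operator can check whether a candidate certificate satisfies these two requirements; the sample extension bytes are constructed, and the OID 1.3.6.1.5.5.7.3.3 (id-kp-codeSigning) is used only as a negative case.

```python
"""Decode the Key Usage and Extended Key Usage extension values of a
candidate key recovery certificate (added example, not spec code).
Only the DER constructs needed for these two extensions are handled."""

KEY_RECOVERY_OID = "1.3.6.1.4.1.311.21.6"   # Key Recovery EKU OID from the spec

# RFC 3280 KeyUsage bit names in bit order; bit 0 is the MSB of the first byte,
# so keyEncipherment (bit 2) corresponds to the value 0x20 quoted in the spec.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # continuation bytes carry the high bit
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OID back to dotted form."""
    first = min(content[0] // 40, 2)        # arcs 0 and 1 cap the second arc at 39
    arcs, value = [first, content[0] - 40 * first], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return bytes([0x30, len(body)]) + body  # short-form length is enough for samples


def parse_key_usage(ext_value: bytes) -> set:
    """Return the set of named bits in a Key Usage extnValue (a DER BIT STRING)."""
    tag, content, _ = read_tlv(ext_value)
    if tag != 0x03:
        raise ValueError("Key Usage must be a BIT STRING")
    unused, bits = content[0], content[1:]
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte >= len(bits) or (byte == len(bits) - 1 and bit >= 8 - unused):
            break                           # past the last significant bit
        if bits[byte] & (0x80 >> bit):
            names.add(name)
    return names


def parse_eku(ext_value: bytes) -> list:
    """Return the OIDs in an Extended Key Usage extnValue (SEQUENCE OF OID)."""
    tag, content, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("Extended Key Usage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        t, v, pos = read_tlv(content, pos)
        if t != 0x06:
            raise ValueError("EKU entries must be OIDs")
        oids.append(decode_oid(v))
    return oids


def is_key_recovery_candidate(ku_ext: bytes, eku_ext: bytes) -> bool:
    """True when both spec requirements hold: keyEncipherment set and KRA OID present."""
    return ("keyEncipherment" in parse_key_usage(ku_ext)
            and KEY_RECOVERY_OID in parse_eku(eku_ext))


# Constructed sample extension values (what would sit inside each extnValue OCTET STRING)
SAMPLE_KEY_USAGE = bytes.fromhex("03020520")    # BIT STRING, 5 unused bits, 0x20 = keyEncipherment
SAMPLE_KEY_USAGE_SIG = bytes.fromhex("03020780")  # digitalSignature only (negative case)
SAMPLE_EKU = der_sequence(encode_oid(KEY_RECOVERY_OID))
SAMPLE_EKU_CODESIGN = der_sequence(encode_oid("1.3.6.1.5.5.7.3.3"))  # id-kp-codeSigning only

if __name__ == "__main__":
    print("Key Usage bits:", sorted(parse_key_usage(SAMPLE_KEY_USAGE)))
    print("EKU OIDs:", parse_eku(SAMPLE_EKU))
    print("KRA candidate:", is_key_recovery_candidate(SAMPLE_KEY_USAGE, SAMPLE_EKU))
```

The check is deliberately strict about both conditions: a certificate with keyEncipherment but without the Key Recovery OID (or the reverse) is rejected, which mirrors the two distinct requirements listed in this section. On a real certificate the `extnValue` OCTET STRING of each extension must first be located by its extension OID (2.5.29.15 for Key Usage, 2.5.29.37 for Extended Key Usage) before its contents are passed to these functions.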