2.2.2.2 Key Recovery Certificate
A key recovery certificate is a prerequisite for certificate enrollment that encapsulates a private key for the purposes of key escrow (also referred to as key archival) to a CA.<3> A CA MAY use one or more locally configured and specified key recovery certificates to encrypt a client's private key that is submitted to the CA, encapsulated in a certificate enrollment request.
A key recovery certificate contains the following X.509v1 fields:
Version
Serial Number
Signature Algorithm
Valid From
Valid To
Subject
Issuer
Public Key
A key recovery certificate contains the following X.509v3 extensions identified in section 4.2.1 of [RFC3280]:
Authority Key Identifier
Subject Key Identifier
Authority Information Access
Key Usage (Key Encipherment = 0x20)
Subject Alternative Name
CDP (CRL Distribution Point)
Extended Key Usage (Key Recovery OID = 1.3.6.1.4.1.311.21.6)
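The two lists above together define what a certificate must carry before a CA should accept it as a key recovery certificate. The following Go program is an added example (not part of MS-WCCE and not Microsoft's implementation): it checks a parsed certificate against every listed X.509v1 field and X.509v3 extension and reports the ones that are missing, which is the audit a CA administrator or reviewer would want before trusting a certificate with escrowed private keys. It uses only Go's standard crypto/x509 package; because that package does not know the Microsoft Key Recovery OID, the EKU is looked up in Certificate.UnknownExtKeyUsage. The function names (CheckKeyRecoveryCert, ExampleTemplate, NewSelfSignedCert), the example.invalid URLs, the key identifier bytes and the self-signed fixture are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Key Recovery EKU OID from the section above. Go's crypto/x509 does not
// recognise this Microsoft OID, so it surfaces in Certificate.UnknownExtKeyUsage.
var oidKeyRecovery = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 21, 6}

// CheckKeyRecoveryCert returns one entry for every listed field or extension
// that cert does not carry; an empty result means all requirements are met.
// The checks run in the order the section lists them (v1 fields, then v3 extensions).
func CheckKeyRecoveryCert(cert *x509.Certificate) []string {
	var missing []string
	need := func(ok bool, what string) {
		if !ok {
			missing = append(missing, what)
		}
	}
	need(cert.Version == 3, "Version: must be X.509 v3 to carry extensions")
	need(cert.SerialNumber != nil && cert.SerialNumber.Sign() > 0, "Serial Number: absent or non-positive")
	need(cert.NotAfter.After(cert.NotBefore), "Valid From / Valid To: empty validity window")
	need(len(cert.AuthorityKeyId) > 0, "Authority Key Identifier")
	need(len(cert.SubjectKeyId) > 0, "Subject Key Identifier")
	need(len(cert.OCSPServer)+len(cert.IssuingCertificateURL) > 0, "Authority Information Access")
	need(cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0, "Key Usage: Key Encipherment bit not set")
	need(len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.IPAddresses)+len(cert.URIs) > 0, "Subject Alternative Name")
	need(len(cert.CRLDistributionPoints) > 0, "CRL Distribution Point")
	hasKeyRecoveryEKU := false
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidKeyRecovery) {
			hasKeyRecoveryEKU = true
		}
	}
	need(hasKeyRecoveryEKU, "Extended Key Usage: Key Recovery (1.3.6.1.4.1.311.21.6)")
	return missing
}

// ExampleTemplate builds a constructed template (not a real KRA certificate)
// carrying every field and extension the section lists. The URLs, subject
// and key identifier bytes are placeholders.
func ExampleTemplate() *x509.Certificate {
	keyID := []byte{0x4b, 0x52, 0x41, 0x01} // placeholder SKI/AKI value
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1001),
		Subject:               pkix.Name{CommonName: "Constructed Key Recovery Agent"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageKeyEncipherment, // the 0x20 bit in the list above
		UnknownExtKeyUsage:    []asn1.ObjectIdentifier{oidKeyRecovery},
		SubjectKeyId:          keyID,
		AuthorityKeyId:        keyID, // self-signed fixture, so AKI equals SKI
		EmailAddresses:        []string{"kra@example.invalid"},
		OCSPServer:            []string{"http://ocsp.example.invalid"},
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl"},
	}
}

// NewSelfSignedCert signs tmpl with a fresh RSA key and parses the DER back,
// so the checker inspects exactly what a relying party would see on the wire.
func NewSelfSignedCert(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, err := NewSelfSignedCert(ExampleTemplate())
	if err != nil {
		panic(err)
	}
	fmt.Println("complete template, missing:", CheckKeyRecoveryCert(good))

	// Drop the EKU and the Key Encipherment bit to show how gaps are reported.
	weak := ExampleTemplate()
	weak.UnknownExtKeyUsage = nil
	weak.KeyUsage = 0
	bad, err := NewSelfSignedCert(weak)
	if err != nil {
		panic(err)
	}
	fmt.Println("stripped template, missing:", CheckKeyRecoveryCert(bad))
}
```

Run with `go run .`; the complete template reports no gaps, while the stripped one reports the missing Key Encipherment bit and the missing Key Recovery EKU. In practice the function would be fed a certificate parsed from the CA's configured key recovery certificate store rather than the self-signed fixture, and the EKU check is the one that most often distinguishes an ordinary encryption certificate from one actually issued for key archival.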