2.2.2.2 Key Recovery Certificate

A key recovery certificate is a prerequisite for certificate enrollment that encapsulates a private key for the purposes of key escrow (also referred to as key archival) to a CA.<3> A CA MAY use one or more locally configured and specified key recovery certificates to encrypt the private key of a client submitted to the CA encapsulated in a certificate enrollment request.

A key recovery certificate contains the following X.509v1 fields:

• Version

• Serial Number

• Signature Algorithm

• Valid From

• Valid To

• Subject

• Issuer

• Public Key

A key recovery certificate contains the following X.509v3 extensions identified in section 4.2.1 of [RFC3280]:

• Authority Key Identifier

• Subject Key Identifier

• Authority Information Access

• Key Usage (Key Encipherment = 0x20)

• Subject Alternative Name

• CDP (CRL Distribution Point)

• Extended Key Usage (Key Recovery OID = 1.3.6.1.4.1.311.21.6)