Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 4. Setting up key archival and recovery
This chapter explains how to setup the Key Recovery Authority (KRA), previously known as Data Recovery Manager (DRM), to archive private keys and to recover archived keys for restoring encrypted data.
For more information on key archival and recovery, see the Archiving, recovering, and rotating keys section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
This chapter only discusses archiving keys through client-side key generation. Server-side key generation and archivals, whether it’s initiated through TPS, or through CA’s End Entity portal, are not discussed here.
For information on smart card key recovery, see Section 6.10.1, “Setting up Server-side Key Generation”.
For information on server-side key generation provided at the CA’s EE portal, see Section 5.2.2, “Generating CSRs using Server-Side Key Generation”.
Gemalto SafeNet LunaSA only supports PKI private key extraction in its CKE - Key Export model, and only in non-FIPS mode. The LunaSA Cloning model and the CKE model in FIPS mode do not support PKI private key extraction.
When the KRA is installed, it joins a security domain, and is paired up with the CA. At such time, it is configured to archive and recover private encryption keys. However, if the KRA certificates are issued by an external CA rather than one of the CAs within the security domain, then the key archival and recovery process must be set up manually.
For more information, see the Manually setting up key archival section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
In a cloned environment, it is necessary to set up key archival and recovery manually. For more information, see the Updating CA-KRA connector information after cloning section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
4.1. Configuring agent-approved key recovery in the Console
While the number of key recovery agents can be configured in the Console, the group to use can only be set directly in the CS.cfg file. The Console uses the Key Recovery Authority Agents Group by default.
Open the KRA’s console. For example:
pkiconsole https://server.example.com:8443/kra
Notepkiconsoleis being deprecated.- Click the Key Recovery Authority link in the left navigation tree.
Enter the number of agents to use to approve key recover in the Required Number of Agents field.
For more information on how to configure agent-approved key recovery in the CS.cfg file, see the Configuring agent-approved key recovery in the command line section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
4.2. Testing the key archival and recovery setup
Newer browsers do not support key archival from the browser; for Step 1, one should substitute CRMF generation clients for those browsers.
To test whether a key can be successfully archived:
- Enroll for dual certificates using the CA’s Manual User Signing & Encryption Certificates Enrollment form.
- Submit the request. Log in to the agent services page, and approve the request.
- Log into the end-entities page, and check to see if the certificates have been issued. In the list of certificates, there should be two new certificates with consecutive serial numbers.
- Import the certificates into the web browser.
- Confirm that the key has been archived. In the KRA’s agent services page, select Show completed requests. If the key has been archived successfully, there will be information about that key. If the key is not shown, check the logs, and correct the problem. If the key has been successfully archived, close the browser window.
- Verify the key. Send a signed and encrypted email. When the email is received, open it, and check the message to see if it is signed and encrypted. There should be a security icon at the top-right corner of the message window that indicates that the message is signed and encrypted.
- Delete the certificate. Check the encrypted email again; the mail client should not be able to decrypt the message.
Test whether an archived key can be recovered successfully:
- Open the KRA’s agent services page, and click the Recover Keys link. Search for the key by the key owner, serial number, or public key. If the key has been archived successfully, the key information will be shown.
- Click .
- In the form that appears, enter the base-64 encoded certificate that corresponds to the private key to recover; use the CA to get this information. If the archived key was searched for by providing the base-64 encoded certificate, then the certificate does not have to be supplied here.
Make sure that the Async Recovery checkbox is selected to allow the browser session to be closed while recovery is ongoing.
TIPAn async recovery is the default and recommended way to perform a key recovery. If you want to perform a synchronous key recovery, the browser window cannot be shut and the KRA cannot be stopped during the recovery process.
- Depending on the agent scheme, a specified number of agents must authorize this key recovery. Have the agents search for the key to recover and then to approve the initiated recovery.
- Once all the agents have authorized the recovery, the next screen requests a password to encrypt the PKCS #12 file with the certificate.
The next screen returns a link to download a PKCS #12 blob containing the recovered key pair. Follow the link, and save the blob to file.
ImportantOpening the PKCS #12 file directly from the browser in the
gcr-viewerutility can fail in certain situations. To work around the problem, download the file and manually open it ingcr-viewer.
-
Restore the key to the browser’s database. Import the
.p12file into the browser and mail client. - Open the test email. The message should be shown again.
