6.6.1. Setting up Key Archival
To set up key archival, do the following:
1. Connect the Certificate Manager and the DRM.
For the CA to be able to request key archival from the DRM, the two subsystems must be configured
to recognize, trust, and communicate with each other over SSL.
Verify that the Certificate Manager has been set up as a privileged user, with an appropriate SSL
client authentication certificate, in the internal database of the DRM. By default, the Certificate
Manager uses its subsystem certificate for SSL client authentication to the DRM.
Follow the instructions in Section 16.3, "Setting up a Trusted Manager" and set up the CA as a
trusted manager to the DRM.
2. Copy the base-64 encoded transport certificate.
The transport certificate is stored in the DRM's certificate database, from which it can be retrieved
with the certutil utility. If the transport certificate was issued by a Certificate Manager, a copy of
the certificate is also available through that Certificate Manager's end-entities page, in the Retrieval tab.
3. Add the transport certificate to the CA's CS.cfg file, in the ca.connector.KRA.* parameters shown below.
The ca.connector.KRA.transportCert value is the base-64 body of the certificate on a single line, with no
BEGIN/END CERTIFICATE markers and no line breaks (the value is shown wrapped here). Stop the CA before
editing CS.cfg and restart it afterward so that the connector settings are loaded.
ca.connector.KRA.enable=true
ca.connector.KRA.host=server.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-rhpki-ca
ca.connector.KRA.port=10443
ca.connector.KRA.timeout=30
ca.connector.KRA.transportCert=MIIDbDCCAlSgAwIBAgIBDDANBgkqhkiG9w0BAQUFADA6MRgwFgYDVQQKEw9E
b21haW4gc28gbmFtZWQxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wNjExMTQxODI2NDdaFw0wODEwMTQxNzQwN
BTsU5A2sRUwNfoZSMs/d5KLuXOHPyGtmC6yVvaY719hr9EGYuv0Sw6jb3WnEKHpjbUO/
vhFwTufJHWKXFN3V4pMbHTkqW/x5fu/3QyyUre/5IhG0fcEmfvYxIyvZUJx+aQBW437ATD99Kuh+I+FuYdW
+SqYHznHY8BqOdJwJ1JiJMNceXYAuAdk+9t70RztfAhBmkK0OOP0vH5BZ7RCwE3Y/6ycUdSyPZGGc76a0HrKOz
+lwVFulFStiuZIaG1pv0NNivzcj0hEYq6AfJ3hgxcC1h87LmCxgRWUCAwEAAaN5MHcwHwYDVR0jBBgwFoAURShCYtSg
+Oh4rrgmLFB/
Fg7X3qcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vY2x5ZGUucmR1LnJlZGhhdC5jb206OTE4MC9jYS9vY3NwMA
wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEAFYz5ibujdIXgnJCbHSPWdKG0T
+FmR67YqiOtoNlGyIgJ42fi5lsDPfCbIAe3YFqmF3wU472h8LDLGyBjy9RJxBj+aCizwHkuoH26KmPGntIayqWDH/
UGsIL0mvTSOeLqI3KM0IuH7bxGXjlION83xWbxumW/kVLbT9RCbL4216tqq5jsjfOHNNvUdFhWyYdfEOjpp/
UQZOhOM1d8GFiw8N8ClWBGc3mdlADQp6tviodXueluZ7UxJLNx3HXKFYLleewwIFhC82zqeQ1PbxQDL8QLjzca
+IUzq6Cd/t7OAgvv3YmpXgNR0/xoWQGdM1/YwHxtcAcVlskXJw5ZR0Y2zA==
ca.connector.KRA.uri=/kra/agent/kra/connector
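The following POSIX shell script is an added example and is not from the Certificate System manual. It takes a PEM-encoded transport certificate, such as the output of certutil -L -d <DRM alias directory> -n <transport nickname> -a or the file downloaded from the Retrieval tab, strips the markers and line breaks to produce the single-line value that ca.connector.KRA.transportCert expects, checks that the value decodes to DER, and renders the connector stanza for the CA's CS.cfg. The sample certificate body is a constructed five-byte DER blob, not a real certificate; the host name, port and nickname are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the Certificate System product or manual.
# Converts a PEM transport certificate into the one-line base-64 value used by
# ca.connector.KRA.transportCert and emits the connector stanza for CS.cfg.

# Constructed sample input: a PEM wrapper around the DER bytes 30 03 02 01 05.
# This is NOT a real certificate; it only exercises the parsing below.
sample_pem() {
    cat <<'EOF'
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
EOF
}

# Drop the BEGIN/END marker lines, then remove every whitespace character
# (including CR/LF) so the DER body becomes one unbroken base-64 string,
# which is what CS.cfg expects for transportCert.
pem_to_one_line() {
    sed -e '/^-----/d' -e 's/[[:space:]]//g' | tr -d '\n'
}

# Sanity check before pasting into CS.cfg: the value must decode as base-64 and
# the first decoded byte must be 0x30, the DER SEQUENCE tag that starts every
# X.509 certificate. A mangled copy (missing lines, stray headers) fails here.
looks_like_der_cert() {
    first=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' ')
    [ "$first" = "30" ]
}

# Render the CA-side connector parameters. Arguments: DRM host, DRM agent port,
# the CA's client-auth certificate nickname, and the one-line transport cert.
# The nickname defaults to the CA's subsystem certificate, as in the manual.
render_connector() {
    host=$1; port=$2; nick=$3; b64=$4
    printf 'ca.connector.KRA.enable=true\n'
    printf 'ca.connector.KRA.host=%s\n' "$host"
    printf 'ca.connector.KRA.local=false\n'
    printf 'ca.connector.KRA.nickName=%s\n' "$nick"
    printf 'ca.connector.KRA.port=%s\n' "$port"
    printf 'ca.connector.KRA.timeout=30\n'
    printf 'ca.connector.KRA.transportCert=%s\n' "$b64"
    printf 'ca.connector.KRA.uri=/kra/agent/kra/connector\n'
}

# Stand-alone demonstration with the constructed sample and assumed values.
b64=$(sample_pem | pem_to_one_line)
looks_like_der_cert "$b64" || { echo "transport cert does not look like DER" >&2; exit 1; }
render_connector server.example.com 10443 "subsystemCert cert-rhpki-ca" "$b64"
```

In practice, replace sample_pem with the real certutil output or the downloaded file, and compare the rendered transportCert value against the DRM's own transport certificate before restarting the CA; a CA configured with the wrong transport certificate will encrypt archived keys to a key the DRM cannot unwrap.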
6.6.2. Setting up Key Recovery
The DRM supports agent-initiated key recovery, in which private encryption keys are recovered by
designated key recovery agents. To set up agent-initiated key recovery, do the following:
1. Set the number of recovery agents required to approve a recovery, and set the group to which
these agents must belong. These parameters are set in the DRM's CS.cfg configuration file. With the
default value of 1, a single agent can recover any archived key on their own; raising the value
enforces m-of-n agent approval for every recovery:
kra.noOfRequiredRecoveryAgents=1
kra.recoveryAgentGroup=Data Recovery Manager Agents