Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual page 180

Chapter 7. Token Processing System
When a user loses a token, the user must first get a replacement token. If a new enrollment is
attempted with this new token, the TPS blocks the enrollment since the user already has an active
token.
The token status in the database must be changed to lost. This action is performed through the TPS
agent services page. The TPS agent, after affirmatively identifying the user, can search for the user's
ID in the Search tokens link. The TPS agent selects the active token and updates the status with the
appropriate reason so that the key can be recovered:
• This token has been physically damaged. Used if the token is known to be destroyed.
• This token has been permanently lost. Used if the token is lost or stolen, so the key is compromised.
The certificates on the token are revoked.
• This token has been temporarily lost. Used if the token is mislaid. The certificates on the token are
revoked.
There are two different schemes for recovery: GenerateNewKey, to create a new key and certificate,
and RecoverLast, to recover the last encryption key and associated certificate.
The user can enroll for a replacement token. It is preferred that signing keys be generated on the
smart card and not archived; consequently, if the smart card is lost, new signing keys and certificates
must be regenerated on the replacement token, and temporary certificates created. Which keys are
regenerated and which keys are recovered is defined by the following TPS CS.cfg parameters:
• For damaged tokens:
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
• For tokens which are permanently lost:
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
• For tokens which are temporarily lost:
op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
Set revokeCert=true to revoke certificates if a token's certificates are replaced after being lost.
op.enroll.userKey.keyGen.signing.revokeCert=true
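As an added example (not code from the manual or from Certificate System), the following Python reads the CS.cfg parameters quoted above and resolves, for one enrollment profile and one token status reason, which key type gets which recovery scheme; the check_plan policy checks are this example's own assumptions, chosen to catch a truncated keyType list and a RecoverLast scheme under a status that marks the key compromised.

```python
# Constructed sample: the CS.cfg lines quoted in this chapter for two status reasons.
SAMPLE_CFG = """
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
"""


def parse_cfg(text):
    """Read key=value lines in CS.cfg style; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def recovery_plan(cfg, profile, reason):
    """Map each listed key type to its scheme for one profile (e.g. userKey) and
    status reason (destroyed/keyCompromise/onHold); KeyError if the list is short."""
    base = f"op.enroll.{profile}.keyGen"
    num = int(cfg.get(f"{base}.recovery.{reason}.keyType.num", 0))
    plan = {}
    for i in range(num):
        key_type = cfg[f"{base}.recovery.{reason}.keyType.value.{i}"]
        plan[key_type] = cfg[f"{base}.{key_type}.recovery.{reason}.scheme"]
    return plan


def check_plan(cfg, profile, reason):
    """Policy checks assumed by this example: every key type has a known scheme,
    and a reason that marks the key compromised never recovers the old key."""
    try:
        plan = recovery_plan(cfg, profile, reason)
    except KeyError as missing:
        return [f"missing parameter {missing}"]
    problems = [] if plan else [f"no recovery key types for {profile}/{reason}"]
    for key_type, scheme in plan.items():
        if scheme not in ("GenerateNewKey", "RecoverLast"):
            problems.append(f"{key_type}: unknown scheme {scheme}")
        elif reason == "keyCompromise" and scheme == "RecoverLast":
            problems.append(f"{key_type}: RecoverLast would reuse a compromised key")
    return problems
```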