Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 41

a. The end entity, using a client which can generate dual key pairs, submits a request through
the Certificate Manager enrollment form.
b. The client detects the JavaScript in the enrollment form and exports only the private
encryption key, not the private signing key.
c. The Certificate Manager detects the key archival option in the request and asks the client for
the private encryption key.
d. The client encrypts the private encryption key with the public key from the DRM's transport
certificate embedded in the enrollment form.
2. After approving the certificate request and issuing the certificate, the Certificate Manager sends
the encrypted private encryption key to the DRM for storage, along with the public encryption key.
The Certificate Manager waits for verification from the DRM that the private key has been received
and stored and that it corresponds to the public encryption key.
3. The DRM decrypts the private encryption key with the private key of its transport key pair. After
confirming that the private encryption key corresponds to the public encryption key, the DRM encrypts
it again with the public key of its storage key pair before storing it in its internal database.
4. Once the private encryption key has been successfully stored, the DRM uses the private key of its
transport key pair to sign a token confirming that the key has been successfully stored; the DRM
then sends the token to the Certificate Manager.
5. The Certificate Manager issues two certificates for the signing and encryption key pairs and
returns them to the end entity.
Both subsystems subject the request to configured certificate profile constraints at appropriate stages.
If the request fails to meet any of the profile constraints, the subsystem rejects the request.
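The archival exchange in steps 1d through 5, as an added example sketched with Python's `cryptography` library; it is not Certificate System code. It assumes an EC P-256 end-entity encryption key and RSA transport and storage keys, wraps the key directly with RSA-OAEP instead of with a session key, and uses a constructed token layout for the DRM's signed confirmation.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)
PSS = padding.PSS(padding.MGF1(hashes.SHA256()), padding.PSS.MAX_LENGTH)
CURVE = ec.SECP256R1()  # assumption: the end entity's encryption key is EC P-256
DER, SPKI = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo

def make_keys():
    # Constructed keys: end-entity encryption key, DRM transport key, DRM storage key.
    return (ec.generate_private_key(CURVE), rsa.generate_private_key(65537, 2048),
            rsa.generate_private_key(65537, 2048))

def client_wrap(enc_priv, transport_pub):
    # Step 1d: only the private *encryption* key leaves the client, encrypted to
    # the DRM transport certificate's public key; the signing key never leaves.
    scalar = enc_priv.private_numbers().private_value.to_bytes(32, "big")
    return transport_pub.encrypt(scalar, OAEP)

def drm_archive(wrapped, claimed_pub, transport_priv, storage_pub):
    # Steps 3-4: unwrap with the transport private key, check that the private key
    # matches the request's public key, re-wrap to the storage key, sign a token.
    scalar = transport_priv.decrypt(wrapped, OAEP)
    recovered = ec.derive_private_key(int.from_bytes(scalar, "big"), CURVE)
    claimed_der = claimed_pub.public_bytes(DER, SPKI)
    if recovered.public_key().public_bytes(DER, SPKI) != claimed_der:
        raise ValueError("private key does not match the public encryption key")
    stored = storage_pub.encrypt(scalar, OAEP)  # what the DRM database keeps
    token = b"archived:" + claimed_der          # constructed token layout
    return stored, token, transport_priv.sign(token, PSS, hashes.SHA256())

def ca_accepts_token(token, sig, transport_pub):
    # Step 5: the Certificate Manager issues only after the DRM's signed
    # confirmation verifies against the transport certificate's public key.
    try:
        transport_pub.verify(sig, token, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def run_archival(enc_priv, transport_priv, storage_priv, claimed_pub=None):
    # Whole exchange: True if the CA may issue, False if the DRM rejects the key.
    claimed = claimed_pub or enc_priv.public_key()
    wrapped = client_wrap(enc_priv, transport_priv.public_key())
    try:
        _, token, sig = drm_archive(wrapped, claimed, transport_priv,
                                    storage_priv.public_key())
    except ValueError:
        return False
    return ca_accepts_token(token, sig, transport_priv.public_key())
```

Passing a different public key as `claimed_pub` models a request whose archived private key would not match its certificate; the DRM check in step 3 is what rejects it.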
2.1.4.2. Key Recovery
The DRM supports agent-initiated key recovery. Agent-initiated recovery is when designated recovery
agents use the key recovery form on the DRM agent services page to process and approve key
recovery requests. With the approval of a specified number of agents, an organization can recover
keys when the key's owner is unavailable or when keys have been lost.
Through the DRM agent services page, key recovery agents can collectively authorize and retrieve
private encryption keys and associated certificates in a PKCS #12 package, which can then be
imported into the client. (This is explained in more detail in the Certificate System Agent's Guide.) To
authorize key recovery, the required number of recovery agents access the DRM agent services page
and use the Authorize Recovery button to enter each authorization separately.
In key recovery authorization, one of the key recovery agents informs all required recovery agents
about an impending key recovery. All recovery agents access the DRM key recovery page. One of
the agents initiates the key recovery process. The DRM returns a notification to the agent that includes
a recovery authorization reference number identifying the particular key recovery request that the
agent is required to authorize. Each agent uses the reference number and authorizes key recovery
separately.
The DRM informs the agent who initiated the key recovery process of the status of the authorizations.
About the Data Recovery Manager (DRM)
31