Configuring Key History Recovery

This section explains how to recover the key history directly from the Entrust CA.

In addition to the existing key history recovery feature where ActivID CMS tracks the certificate issued to a smart card, ActivID CMS is also capable of querying the Entrust CA for the user key history and retrieving the user key history from the Entrust CA.

This provides the ability to recover escrowed certificates that were issued outside of the knowledge of ActivID CMS, as well as the ability to recover certificates outside the regular smart card replacement/renewal workflow.

Different CAs handle the key history in a different way. The key history recovery feature enables the credential provider to retrieve the key history, as it has the knowledge of the key history for the CA it is designed for.

Customers can retrieve keys stored in a certificate authority that were issued outside of ActivID CMS and inject them into a smart card. This enables the end user to have their key history available for decryption.

Retrieving a certificate from a key history requires a minimum set of parameters. Key history recovery relies on credential profiles specially designed for this operation.

Since key history recovery relies on credential profiles, it can be performed in any issuance workflow:

  • Initial issuance

  • Replacement

  • Applications update

  • Re-issuance

Configuring Application Recovery Mode

In addition to the usual application recovery mode, you can select the “CA Managed” recovery mode in the application configuration screen.

For the "CA Managed" mode, the credential provider generates a credential profile template with ExternalKeyRecovery usage information for each Entrust certificate definition having the "Key backup" property (for example, ct_piv_user:PivEnc). The "CA Managed” mode is available if there is at least one such profile template.

Note: When the usage information is absent or set to a value other than ExternalKeyRecovery, then the application configuration screen is unchanged. Select the required template from the list.

Depending on the provisioning method selected, see the following respective sections.

The list of templates does NOT contain the templates with the “usage” set to ExternalKeyRecovery.

For information on how to set the application information, refer to Configuring a PKI Application Using an Entrust Authority CA.

  1. If you select Recover Credential for the Provisioning Method option, the Recovery Mode options become available.

    Note: Selecting the Recover Credential option is the equivalent of setting the former Recover Application option (available in previous ActivID CMS versions) to Yes.

  2. Select and configure one of the following modes according to the location of the credential In the context of ActivID, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself. to recover:

    Note:

    • To avoid any inconsistent behavior, do not mix “ActivID CMS Managed” and “CA Managed” applications from the same CA in the same device policy.

    • If you select Recover Credential, but the usage information is absent or set to a value other than ExternalKeyRecover in the templates, then the “CA Managed” recovery option is not displayed.

    • ActivID CMS Managed

      This is the usual ActivID CMS recovery mode (for standard replacement, applications update and re-issuance operations) where the credential to recover is present in the ActivID CMS system.

      • Application to Recover drop-down list—Select the application you want to recover from the original device (this means that credentials on this PKI slot contain a certificate template that escrows credentials).

      • Revoke for Replacement option—Select this option if you want to revoke credentials when a device replacement request is executed.

      Note: The ActivID CMS Managed option is not available for mobile app certificate device policies.

    • Shared Encryption Credential

      This is the mode where the key of the credential to recover, already issued to the same user, has been archived by ActivID CMS on the Certificate Authority.

      • Index in History drop-down list—Select number indicating position of credential to recover in the list of shared encryption credentials available (newest item is at position 1).

      Note:

      • The Shared Encryption Credential option is the only recovery mode supported for mobile app certificate device policies.

      • Currently, when using mobile app certificates, you can only recover the latest shared encryption credential on mobile devices.

    • CA Managed

      This is the mode where the credential to recover is NOT present in the ActivID CMS system but is on an external CA. The selected certificate authority must provide at least one credential profile template with the “usage” information set to “ExternalKeyRecovery”.

      The list of templates contains the templates with the “usage” set to ExternalKeyRecovery.

  3. Set the Revocation Settings — By default, the credentials are revoked for all the listed states of the device (terminated, damaged, expired, updated, re-issued). You can clear the check box(es) to indicate any state(s) for which you do not want to revoke the credentials. For example, if you clear the Damaged check box, the credentials in a device in the Damaged state will not be revoked.

  4. Click Submit.

New Credential Profile Templates

You must configure a new credential profile template per encryption template for the Entrust credential provider.

The new templates have the “usage” set to ExternalKeyRecovery. Thus, the new templates are available only when you select the option CA Managed.

Each new template has the same name as the related encryption template, but each has specific parameters for external key recovery, as illustrated below:

  • Certificate Type: the type of certificate to recover, given by the template.

  • History Index: an integer representing the position (starting at 1) of the certificate to recover in the list of all certificates present in the user key history having the same type as specified above. The list is ordered by certificate serial number. Sort order is defined with the parameter below.

  • History Sort Order: the sort order for the list of certificates. You can select either Newer First (the most recent certificate appears at the beginning of the list) or Older First (the oldest certificate appears at the beginning of the list).

As an example, a new ct_piv_user:PivEnc credential profile template with “usage” information set to “ExternalKeyRecovery“ is available that is intended to recover a PivEnc certificate managed on the CA.

Any certificate recovered with such a credential profile is automatically revoked when necessary. This ensures that only one PIV Personal Identity Verification (technical standard of "HSPD-12") credential of this type is active at any time, as required by PIV specifications.

One Device Policy For All Use Cases

For key history recovery, the purpose is to extract all certificates of a given type from the list for the user being issued the device. The certificates are sorted according to their serial number (ascending or descending, depending on a configuration parameter), and the one at a given index (numbering starts at 1) is selected.

To retrieve the entire history of encryption keys in the same card, you can define one single device policy with a maximum number of PKI encryption applications configured for key history recovery.

  • Thus, the key history can be retrieved for a user disregarding the number of encryption certificates the user actually has, as well as their current status (Active, Revoked, or Expired).

Note: You can retrieve the entire history of encryption keys in the same card if one single device policy with a maximum number of PKI encryption applications is configured for key history recovery. The state that the smart card is in (for example, initial issuance, replacement, applications updates, or re-issuance) does not impact the process.

You can define the PKI encryption applications of this device policy as follows:

  • PIV_ENCRYPTION: new certificate using ct_piv_user:PivEnc credential profile template (as usual).

  • PIV_Key_Management_Key_History_1: “Recover / CA managed” using ct_piv_user:PivEnc CA Managed credential profile:

    • Certificate Type: ct_piv_user

    • Index in History: 1

    • History Sort Order: Newer First

  • PIV_Key_Management_Key_History_2: “Recover / CA managed” using ct_piv_user:PivEnc CA Managed credential profile:

    • Certificate Type: ct_piv_user

    • Index in History: 2

    • History Sort Order: Newer First

You must define each of the PIV key history PKI applications with the same values and in the same way, but with different index positions.

If the index in history is out of bounds, the credential provider ignores the credential creation request. The related application is not personalized.

You must configure these PKI applications with the CA Managed option only. Once a card is issued with this device policy, all the user encryption certificates are stored in the ActivID CMS database, and you can recover them in the “standard” way, if necessary.