Configure Key Archiving and Recovery in Certificate Manager

The Key Archiving and Recovery Factory (KARF) is the component of the Certificate Factory (CF) within Smart ID Certificate Manager (CM) responsible for the initial processing of certificate requests where the associated token procedure specifies that key archiving or key recovery actions should be taken.

The configuration of the KAR component is described in kar.conf. KAR related configuration also exists in cm.conf and modules.conf. See the Technical Description for more details.

Keys are referred to by their label in kar.conf. If you use an RSA key pair for key archiving, use the label of the public key. To look up the label of a key, use the hwsetup -list tool. For more information, see List slot contents.

Issue KEK certificates

Each asymmetric key-encryption key (KEK) must have a valid certificate, to ensure that the public key part is intact when using it during key archiving. When using an HSM to store the key encryption key, do the following to issue a certificate for either a new or an existing KEK:

Run hwsetup to either generate a key pair (see Generate DSA/EC/RSA key pair), or to find an existing key in the HSM (see List slot contents).
Run hwsetup to create a PKCS #10 request based on the selected key pair (see Generate PKCS #10 certificate request).
Use RA to issue a certificate to a file, kek.crt, based on the PKCS #10 request.
Run hwsetup to store the certificate in HSM (see Install certificate).