2.2.3.1 Key Recovery Certificate

A CA MAY use one or more locally configured and specified key recovery keys to encrypt the private key of a client, which is submitted to the CA encapsulated in a certificate enrollment request.

A key recovery certificate MUST contain the following fields and extensions identified in [RFC3280]:

• Version

• Serial Number

• Signature

• notBefore

• notAfter

• Subject

• Issuer

• Subject Public Key Info

• Authority Key Identifier

• Subject Key Identifier

• Authority Information Access

• Key Usage (Key Encipherment = 0x20)

• CDP (CRL Distribution Point)

• Extended Key Usage (Key Recovery OID = szOID_KP_KEY_RECOVERY_AGENT (1.3.6.1.4.1.311.21.6)).<19>