Configuring Key Archival and Recovery Process

752 Netscape Certificate Management System Installation and Setup Guide • October 2001

Step A. Deploy Clients That Can Generate Dual Key Pairs

You can use the Data Recovery Manager to archive and recover keys only from clients that support dual key-pair generation, the key archival option, and the CMC protocol. Clients that do not meet these criteria cannot be used with the Data Recovery Manager. To understand why you need to use clients that can generate dual key pairs, see “Clients That Can Generate Dual Key Pairs” on page 736. The same section also points you to an introduction to Netscape Personal Security Manager, which, when plugged into Netscape Communicator version 4.7x, enables it to support the CMC protocol and generate dual key pairs.

You may have already installed Personal Security Manager—for example, you might have installed it as an OCSP-compliant client when setting up a Certificate Manager to publish CRLs to an OCSP responder; see “Step 2. Install an OCSP-Compliant Client” on page 710.

Step B. Connect the Enrollment Authority and the Data Recovery Manager

Key archival occurs when dual key pairs are generated by the client. The client generates the key pairs when a user requests a certificate by filling out the appropriate certificate enrollment form served by an enrollment authority, which can be either a Certificate Manager or a Registration Manager. When the enrollment authority detects the key archival option in the request, it initiates the key archival process and requests the service of the Data Recovery Manager for archiving the key.

For the enrollment authority to be able to request the service of the Data Recovery Manager, the two subsystems must be configured to recognize, trust, and communicate with each other. When you installed the Data Recovery Manager, you were asked to connect it to a Certificate Manager or Registration Manager. You might have specified some of the configuration information required for the two subsystems to communicate with each other. Also, if the enrollment authority and the Data Recovery Manager are installed in the same CMS instance, certain configurations are done automatically.

However, to ensure that key archival takes place successfully, you must make sure that the Data Recovery Manager is connected to the appropriate enrollment authority. Also verify whether the enrollment authority has been set up as a privileged user, with an appropriate SSL client authentication certificate, in the internal database of the Data Recovery Manager. By default, the Certificate Manager uses its SSL server certificate for SSL client authentication, whereas the Registration Manager uses its signing certificate for this purpose; for more information, see “Keys and Certificates for the Main Subsystems” on page 436.