Configuring Key Archival and Recovery Process
Chapter 22 Setting Up Key Archival and Recovery 753

Otherwise, follow the instructions in “Setting Up Trusted Managers” on page 413 and set up the enrollment authority as a trusted front end to the Data Recovery Manager.

Step C. Customize the Certificate Enrollment Form

For the enrollment authority to automatically initiate the key archival process at the time key pairs are generated, a certificate request must include the following information:

• The key archival option—this must be included in the certificate enrollment form that your users use to request certificates.

• The Data Recovery Manager’s transport certificate—this must also be included in the certificate enrollment form. The Data Recovery Manager uses it to encrypt the user’s encryption private key with the public key in the transport certificate before sending the user’s key to its key repository. For information about the key repository, see “Where the Keys are Stored” on page 738.

Make sure that the transport certificate, in its base-64 encoded format, is embedded in the form. Otherwise, the Data Recovery Manager will fail to archive users’ keys.

All the end-user enrollment forms provided by Certificate Management System—for example, the directory-based enrollment form (DirUserEnroll.html), the directory- and PIN-based enrollment form (DirPinUserEnroll.html), and the manual enrollment form (ManUserEnroll.html)—contain the necessary JavaScript code for initiating the key archival process. If you are using any of these forms for end-user enrollment, make sure to update the generateCRMFRequest() JavaScript method. If you plan to use custom enrollment forms for users, be sure to include the required JavaScript code in those forms.

Figure 22-3 shows the default directory-based enrollment form with the information related to the generateCRMFRequest() JavaScript method highlighted. Note that the JavaScript method includes parameters for specifying various things.

You are required to update the following information only:

• The Data Recovery Manager’s transport certificate.

• The algorithm, length, type, and usage for end users’ key pairs. When you update this information, the key archival option is automatically set. For information on specifying the key type, length, and algorithm, see generateCRMFRequest() in Javascript API for Client Certificate Management. This document is located where you extracted the Personal Security Manager files after downloading it from the web site.