How Certificate Management System Works
Chapter 1 Overview

An agent can also revoke a certificate. They might do this if someone leaves the company.

When the certificate is revoked, it is marked revoked in the internal database and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager. See Chapter 14, “Revocation and CRLs” for complete details.

Data Recovery Manager

The Data Recovery Manager is an optional subsystem of CMS that can act as a Key Recovery Authority. When configured in conjunction with a Certificate Manager or Registration Manager, the Data Recovery Manager stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. The enrollment request, in CRMF format, carries a request to archive the user's private encryption key. The key is then stored in the Data Recovery Manager. The Data Recovery Manager is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing for protection of the public encryption keys for the users in your deployment.

Note that the Data Recovery Manager archives encryption keys. It does not archive signing keys, since such archival would undermine the nonrepudiation properties of signing keys.

Key Archival

If you have set up a Data Recovery Manager as part of your PKI, the private encryption key for an end-entity is requested and stored when the enrollment request is made.

Key Retrieval

If you have set up a Data Recovery Manager as part of your PKI, you can retrieve the private encryption keys of your users to decrypt messages or other documents that have been encrypted with the private encryption key. CMS provides a key retrieval system that can only be activated by several agents approving the key retrieval at the same time, to offer maximum security of the stored keys. See Chapter 6, “Data Recovery Manager” for complete details.
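The two properties the Data Recovery Manager section describes, archiving only encryption keys and releasing an archived key only when several agents approve at once, can be modelled in a few dozen lines. The following is an added example written for this page, not code from CMS or its documentation. The manual does not say how the product splits control among agents, so the example assumes a k-of-n Shamir secret-sharing scheme over a prime field, with each recovery agent holding one share of the DRM's storage key; the storage cipher is a toy SHA-256 counter stream standing in for whatever the product uses, and the class, method and field names are this example's own.

```python
"""Toy model of Data Recovery Manager key archival and quorum-gated retrieval.
Added example; not code from CMS or its manual. Every name here is invented."""
import hashlib
import hmac
import secrets

# Prime field for Shamir secret sharing: the Mersenne prime 2^521 - 1.
# Constructed choice for the example; the manual does not state the scheme CMS uses.
PRIME = (1 << 521) - 1
KEY_BYTES = 32  # storage key size; 256 bits fits comfortably below PRIME


def split_secret(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares such that any k of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; needs at least k distinct shares to be right."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def _xor_stream(storage_key: bytes, data: bytes) -> bytes:
    """Stand-in storage cipher: XOR with a SHA-256 counter keystream (symmetric,
    so the same call wraps and unwraps). Illustrative only, not the product's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(storage_key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class DataRecoveryManager:
    """Archives private *encryption* keys; releases them only to a k-of-n agent quorum."""

    def __init__(self, k: int, n: int):
        self.k = k
        self._storage_key = secrets.token_bytes(KEY_BYTES)
        # One share per recovery agent, handed out at setup (assumed mechanism).
        self.agent_shares = split_secret(int.from_bytes(self._storage_key, "big"), k, n)
        self._archive: dict[str, bytes] = {}

    def archive_key(self, subject: str, key_usage: str, private_key: bytes) -> None:
        # Mirrors the manual: signing keys are never archived, to preserve nonrepudiation.
        if key_usage != "encryption":
            raise ValueError("only private encryption keys are archived, never signing keys")
        self._archive[subject] = _xor_stream(self._storage_key, private_key)

    def retrieve_key(self, subject: str, approving_shares: list[tuple[int, int]]) -> bytes:
        """Unwrap an archived key only after k agents present valid shares together."""
        if len(approving_shares) < self.k:
            raise PermissionError(f"{self.k} agents must approve; got {len(approving_shares)}")
        reconstructed = recover_secret(approving_shares[: self.k]).to_bytes(KEY_BYTES, "big")
        # The quorum's reconstructed key must match the DRM's own before any unwrap happens.
        if not hmac.compare_digest(reconstructed, self._storage_key):
            raise PermissionError("agent shares did not reconstruct the storage key")
        return _xor_stream(self._storage_key, self._archive[subject])


def demo() -> dict:
    """Archive a constructed key and exercise the three policy outcomes."""
    drm = DataRecoveryManager(k=2, n=3)
    user_key = b"constructed-sample-private-encryption-key"  # constructed, not a real key
    drm.archive_key("uid=alice", "encryption", user_key)
    results = {}
    # Any two of the three agents (here agents 1 and 3) can recover the key.
    results["two_agents"] = drm.retrieve_key("uid=alice", [drm.agent_shares[0], drm.agent_shares[2]]) == user_key
    try:
        drm.retrieve_key("uid=alice", drm.agent_shares[:1])
        results["one_agent"] = "released"
    except PermissionError:
        results["one_agent"] = "refused"
    try:
        drm.archive_key("uid=alice", "signing", user_key)
        results["signing_key"] = "archived"
    except ValueError:
        results["signing_key"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that a single agent never holds enough to unwrap anything: one share reveals nothing about the storage key, so the threshold is enforced by mathematics rather than by an access-control check that a lone administrator could bypass.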