If I have two issuing certificate authorities, should I generate two certificates for Key Recovery Agent one from CA1 and then go to CA2 and generate a second one there, and load the first cert on server 1 and the second on server 2 or should I just use one Key Recovery Agent certificate on both CAs

Hi, technically you can use one KRA for both CAs. If the CAs have different policies, e.g. one is a medium assurance CA and the other one a low assurance then you should have different KRAs. I create all the time two KRAs per CA, and i keep the PFX files and the password for backup reasons in different places. That way I have better chances if one KRA get lost or the password is lost. Regards, Lutz

Hi, technically you can use one KRA for both CAs. If the CAs have different policies, e.g. one is a medium assurance CA and the other one a low assurance then you should have different KRAs. I create all the time two KRAs per CA, and i keep the PFX files and the password for backup reasons in different places. That way I have better chances if one KRA get lost or the password is lost. Regards, Lutz