One Key Recovery Agent certificate or two?
If I have two issuing certificate authorities, should I generate two certificates for Key Recovery Agent, one from CA1 and then go to CA2 and generate a second one there, and load the first cert on server 1 and the second on server 2, or should I just use one Key Recovery Agent certificate on both CAs?
August 22nd, 2012 5:37pm
Hi,
Technically you can use one KRA for both CAs. If the CAs have different policies, e.g. one is a medium assurance CA and the other one a low assurance, then you should have different KRAs. I always create two KRAs per CA, and I keep the PFX files and the password for backup reasons in different places. That way I have better chances if one KRA gets lost or the password is lost.
Regards,
Lutz
August 22nd, 2012 6:12pm