Recover User keypair

Enabling KRS (Key Recovery Service) while creating a certificate profile allows users to recover the keypair for the certificates. This is a useful feature for organizations that need to be able to recover the keypair for their certificates in the event of a disaster or other incident.


When "Is KRS Enabled" is selected in the certificate profile, officers can recover keys for user certificates in one of two modes:

  • PFX with New Password

  • PFX with Old Password

Select a search criterion from the dropdown box on the left. The following search criteria are available:

  • Serial Number – the serial number of the user certificate

  • Common Name – the common name (CN) of the user certificate

  • Issuer Name – the CN of the issuer (= CA) of the user certificate

  • Status – the state of the certificate

  • Subscriber Id – the subscriber ID used to create the user certificate

For all search criteria, except Issuer Name and Status, enter the search value in the right field. For Issuer Name, a dropdown box with existing CA names is provided.

For Status, the right field changes to the following dropdown box:

After inserting the search value or selecting the status filter, click Search to filter for all matching user certificates.

Here's an example of a filter that specifically applies to the "Active" status:



  • DER-encoded X.509 certificate (.cer)

  • Base64-encoded X.509 certificate (.cer)

  • Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)

Select the export format of your choice and click Download to start the download of the user certificate. The user certificate will be downloaded to the standard download location of your OS.


By default, "Keystore with new password" is selected and you are prompted to enter a new password.

"Keystore with old password" does not prompt for a new password; it generates the new user certificate with the old password again.

Press "Authenticate" after confirming and using your Officer token.

To generate a new user certificate key, simply click on the "Recover key" button.
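Before a recovered keystore is handed over, an officer can confirm that it opens with the expected password and holds the key pair for the certificate that was searched for. The script below is an added example, not part of the product or its documentation; it uses the OpenSSL command line, and the file names, the `PFX_PASS` variable and the sample password are assumptions, with throwaway sample files constructed in place of real portal downloads.

```shell
#!/bin/sh
# Added example (not vendor code): confirm a recovered PFX holds the key pair
# for the certificate exported from the portal. Requires the openssl CLI.

# Print the certificate's public key; accepts Base64 or DER encoded .cer files.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# pfx_matches_cert PFX CERT
# The PFX password is read from the PFX_PASS environment variable so it does
# not appear in the process list. Returns 0 only when the PFX opens with that
# password and both its certificate and its private key match CERT.
pfx_matches_cert() {
    want=$(cert_pubkey "$2") || return 2
    in_cert=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    # -nodes: the decrypted key exists only inside this pipe, never on disk.
    in_key=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$want" ] && [ "$in_cert" = "$want" ] && [ "$in_key" = "$want" ]
}

# Constructed sample: a throwaway self-signed certificate and PFX standing in
# for the files obtained from the portal (hypothetical names and password).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/user.pem" -subj "/CN=constructed-user" -days 1 2>/dev/null &&
    openssl x509 -in "$1/user.pem" -outform DER -out "$1/user.cer" &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/user.pem" \
        -out "$1/recovered.pfx" -passout pass:constructed-new-password
}

dir=$(mktemp -d) && make_sample "$dir"
trap 'rm -rf "$dir"' EXIT
PFX_PASS=constructed-new-password; export PFX_PASS
pfx_matches_cert "$dir/recovered.pfx" "$dir/user.cer" && echo "PFX matches certificate"
```

A non-zero return means the password was rejected or the keystore belongs to a different certificate than the one exported.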
