1.3.2.1 Key Archival
The Windows Client Certificate Enrollment Protocol allows clients to archive (escrow) a private key with a CA. Enterprise key archival policy is communicated by setting the CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL flag in certificate templates.
The key archival policy serves two functions:
Backup-Protects the private key from loss for the benefit of the keyholder.
Escrow-Prevents the keyholder from keeping the encrypted data secret from the enterprise.
With respect to the first function, key archival policy is allowed. With respect to the second function, key archival policy is required.
The CA's exchange certificate is used to transport the client's private key for archiving.
It is the responsibility of the CA to protect archived private keys from disclosure to unauthorized parties. How that protection is accomplished is up to the implementer of the CA. For more information on security considerations around key archival, see section 5.1.10. For processing rules concerning key archival, see section 3.2.2.6.2.1.2.2.