Scenario 4: Allow users to recover a PKI generated key certificate when the passphrase is lost

To recover a certificate for which PKI Services generated the keys, the user must provide the passphrase that was provided when the certificate was requested. This scenario illustrates how PKI Services can recover lost passphrases for PKI generated key certificates. To be able to recover a lost passphrase, the user must provide answers to security questions in addition to the passphrase when the user initially requests the PKI generated key certificate. PKI Services saves the passphrase and the answers to the security questions in a passphrase mapping database. To recover the lost passphrase, the user provides the answers to the security questions through the PKI Services web page. PKI Services searches the passphrase mapping database, and if the security answers match those provided by the user when the certificate was requested, the passphrase is returned to the CGI. The recovered passphrase is then used to retrieve the PKI generated key certificate.

Two exit routine calls are required:
  • When the user requests the PKI generated key certificate, the preprocessing exit routine for the GENCERT and REQCERT functions (subroutine preProcessGenReqCertExit) collects the requestor name, the passphrase, and the answers to the security questions from the exit routine's parameter list. The exit routine records the information as an entry in a passphrase mapping database.
  • When the user attempts to recover the PKI generated key certificate, the preprocessing exit routine for the QRECOVER function (subroutine preProcessQRecoverExit) collects the requestor name and the answers to the security questions from the exit routine's parameter list. The exit routine then searches the passphrase mapping database for entries that match the requestor name and the security answers provided by the user. If a match is found, the passphrase recorded in that entry is returned to the CGI through STDOUT.
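The two exit routine calls above, as an added Python simulation that is not PKI Services' own exit routine or its sample code: the passphrase mapping database is an in-memory dictionary, the security answers are kept only as a salted hash after whitespace/case normalisation, and the recovered passphrase is returned from the function rather than written to STDOUT; all three are assumptions made for illustration.

```python
"""Simulated passphrase mapping database for the GENCERT/REQCERT and QRECOVER
preprocessing exits described above (added illustration, not PKI Services code).
The storage format, the hashing of answers and the normalisation are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Stand-in for the passphrase mapping database: one list of entries per requestor
# name, because a requestor may hold several PKI generated key certificates.
_PASSPHRASE_DB: Dict[str, List[dict]] = {}


def _normalize(answer: str) -> str:
    # Assumed normalisation so that "Fido " and "fido" are treated as the same answer.
    return " ".join(answer.split()).lower()


def _digest(salt: bytes, answers: List[str]) -> bytes:
    # Salted, slow hash of the normalised answers; only this digest is stored, so the
    # mapping database never holds the security answers in clear.
    material = "\x00".join(_normalize(a) for a in answers).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def pre_process_gen_req_cert_exit(requestor: str, passphrase: str, answers: List[str]) -> None:
    """GENCERT/REQCERT preprocessing: record requestor name, passphrase and answers."""
    salt = os.urandom(16)
    _PASSPHRASE_DB.setdefault(requestor, []).append(
        {"salt": salt, "answers": _digest(salt, answers), "passphrase": passphrase}
    )


def pre_process_qrecover_exit(requestor: str, answers: List[str]) -> Optional[str]:
    """QRECOVER preprocessing: return the passphrase of the entry whose requestor name
    and security answers match, or None when no entry matches (in the real exit this
    would mean writing nothing to STDOUT, so the CGI receives no passphrase)."""
    for entry in _PASSPHRASE_DB.get(requestor, []):
        # Constant-time comparison of the stored digest against the supplied answers.
        if hmac.compare_digest(entry["answers"], _digest(entry["salt"], answers)):
            return entry["passphrase"]
    return None


if __name__ == "__main__":
    # Constructed sample data for a local run.
    pre_process_gen_req_cert_exit("JSMITH", "s3cret-pass", ["Fido", "Boston"])
    print(pre_process_qrecover_exit("JSMITH", ["fido ", "boston"]))  # s3cret-pass
    print(pre_process_qrecover_exit("JSMITH", ["Rex", "Boston"]))    # None
```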