In the section about Key Recovery in the EJBCA documentation, we should add a subsection about delegated key recovery, how to set it up and the meaning of the settings in System Configuration.

It should also say something about the security. With local key generation, the keys are stored in the RA's database and are encrypted with a crypto token (e.g. an HSM) in the RA, so the key material inaccessible to the operators of the CA (as long as they are restricted from logging in to the RA). The certificates and end-entities, however, are stored in the CA and can be managed (e.g. revoked) from there.

The settings are basically:

• Local Key Recovery: Should be enabled on the RA, for delegated key recovery to work. (this is why the option is called "local")
• Crypto Token for local key recovery: Must be selected.
• Key alias: Must be selected

The section should perhaps also say something about which access rules are needed. For instance:

• key recovery has it's own access rule as well as one that needs to be set on the end entity profile
• approving a key recovery request requires the "approve_caaction" access rule
• both the admin and the peer connector role need to have these permissions