Understanding legacy key encryption

SCM legacy key encryption is used to store the encrypted private keys of client certificates managed in SCM. Once stored, these private keys can be recovered by appropriately privileged administrators.

If legacy key encryption has been configured for an organization or department, client certificates cannot be issued until the encryption keys have been created at applicable levels. The levels of encryption for certificate private keys are as follows:

  • Master — When Allow Key Recovery by Master Administrators is configured for an organization or department, a master key pair must be created on the Legacy Key Encryption page. There can only be one master key pair for the account.

  • Organization — When Allow Key Recovery by Organization Administrators is configured for an organization, an organization key pair must be created on the Legacy Key Encryption page. One organization key pair must be created for each organization configured for legacy key encryption.

  • Department — When Allow Key Recovery by Department Administrators is configured for a department, a department key pair must be created on the Legacy Key Encryption page. One department key pair must be created for each department configured for legacy key encryption.

Once an encryption key pair is created, the public key is stored in SCM. The private key should be stored in a secure location and shared with any administrator of the appropriate organization or department who is responsible for key recovery. Private keys can be downloaded from the Persons or Client Certificates page.

Retrieving a client certificate private key from secure storage results in the revocation of that certificate, regardless of the administrator’s level.

Administrators can only see the initialization status of the encryption key pair for their own administrative level (Master, Organization, or Department) and for organizations or departments to which they are assigned.

Legacy Key Encryption is only available if enabled for your account. It is suggested that you use Sectigo Key Vault for key storage. For more information on legacy key encryption, contact your Sectigo account manager.

Legacy key encryption master keys can be managed on the Settings > Legacy Key Encryption page.

Legacy Key Encryption page

The following table describes the settings and controls of the Legacy Key Encryption page.

Column Description

Scope

The hierarchical level of the encryption key pair.

The possible values are:

  • Master

  • Organization

  • Department

Name

The name of the associated organization or department.

Status

The status of the encryption key pair.

The possible values are:

  • Not Initialized — The encryption key pair has not been created and the organization or department cannot issue client certificates.

  • Public key is loaded — The encryption key pair has been created and the private keys of stored client certificates are encrypted with the public key.

Table controls

Refresh

Refreshes the information presented in the table.

Admin controls

Initialize Encryption

Opens the Legacy Key Encryption dialog where you can create the encryption key pair.

Re-Encrypt

Opens the Please enter Master private key dialog where you can re-encrypt all stored private keys with a new encryption key pair.
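The following Go program is an added example, not SCM's own code and not a description of its real storage format. It models the life cycle described on this page: issuance is refused while a scope's key pair is Not Initialized, the store keeps only the public key, recovering a client private key revokes the certificate (so a key can be recovered only once), and the Re-Encrypt control rotates every stored key to a new key pair without revoking anything. The EscrowStore type, the RSA-OAEP wrap, the domain-separation label and the sample client key are all assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EscrowedKey is one stored client private key, encrypted under the escrow
// public key of its scope ("Master", "Organization" or "Department").
type EscrowedKey struct {
	Scope      string
	Ciphertext []byte
	Revoked    bool // set once an administrator has recovered the key
}

// EscrowStore keeps only the public half of each scope's key pair, as the
// page says SCM does; the private half stays with the administrators.
type EscrowStore struct{ public map[string]*rsa.PublicKey }

func NewEscrowStore() *EscrowStore {
	return &EscrowStore{public: map[string]*rsa.PublicKey{}}
}

// label binds a record to its scope through the OAEP label (constructed value).
func label(scope string) []byte { return []byte("legacy-key-escrow-example:" + scope) }

// Status returns what the Status column shows for a scope.
func (s *EscrowStore) Status(scope string) string {
	if _, ok := s.public[scope]; ok {
		return "Public key is loaded"
	}
	return "Not Initialized"
}

// Initialize is the "Initialize Encryption" control: it creates the scope's
// single key pair, stores the public key and returns the private key, which
// the administrator must keep offline. A second call for the same scope fails.
func (s *EscrowStore) Initialize(scope string) (*rsa.PrivateKey, error) {
	if _, ok := s.public[scope]; ok {
		return nil, fmt.Errorf("%s key pair already exists; rotate with ReEncrypt", scope)
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.public[scope] = &priv.PublicKey
	return priv, nil
}

// Escrow encrypts a client private key at issuance; until the scope's public
// key is loaded, issuance is refused. RSA-OAEP/SHA-256 over a 2048-bit key
// carries at most 190 bytes (a raw EC scalar fits; a PEM key would need a
// data-key layer on top, omitted here).
func (s *EscrowStore) Escrow(scope string, clientKey []byte) (*EscrowedKey, error) {
	pub, ok := s.public[scope]
	if !ok {
		return nil, fmt.Errorf("%s encryption key not initialized; cannot issue client certificate", scope)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, clientKey, label(scope))
	if err != nil {
		return nil, err
	}
	return &EscrowedKey{Scope: scope, Ciphertext: ct}, nil
}

// unwrap decrypts a record with the escrow private key and has no side effects.
func unwrap(ek *EscrowedKey, escrowPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, escrowPriv, ek.Ciphertext, label(ek.Scope))
}

// Recover hands the client key to an administrator and revokes the certificate,
// regardless of the administrator's level, so a key is recoverable only once.
func (s *EscrowStore) Recover(ek *EscrowedKey, escrowPriv *rsa.PrivateKey) ([]byte, error) {
	if ek.Revoked {
		return nil, errors.New("certificate already revoked by an earlier recovery")
	}
	key, err := unwrap(ek, escrowPriv)
	if err != nil {
		return nil, err
	}
	ek.Revoked = true
	return key, nil
}

// ReEncrypt models the Re-Encrypt control: every record is decrypted under the
// old private key before the public key is replaced, so one bad record aborts
// the rotation instead of leaving the store half-rotated; nothing is revoked.
func (s *EscrowStore) ReEncrypt(scope string, oldPriv *rsa.PrivateKey, stored []*EscrowedKey) (*rsa.PrivateKey, error) {
	plain := make([][]byte, len(stored))
	for i, ek := range stored {
		k, err := unwrap(ek, oldPriv)
		if err != nil {
			return nil, fmt.Errorf("record %d does not open with the old %s key: %w", i, scope, err)
		}
		plain[i] = k
	}
	delete(s.public, scope)
	newPriv, err := s.Initialize(scope)
	if err != nil {
		return nil, err
	}
	for i, ek := range stored {
		fresh, err := s.Escrow(scope, plain[i])
		if err != nil {
			return nil, err
		}
		ek.Ciphertext = fresh.Ciphertext
	}
	return newPriv, nil
}
```

The decrypt-everything-first ordering in ReEncrypt is the point worth copying: if the administrator supplies the wrong old private key, the rotation fails before the stored public key changes and the Status column stays at Public key is loaded. In a real implementation the plaintext copies held during rotation should be wiped as soon as each record is re-wrapped, and the returned private key handed to the administrator over the same out-of-band channel used at initialization.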