Understanding Sectigo Key Vault

Sectigo Key Vault is used to store private keys of client certificates managed by SCM and allows for later retrieval by authorized users and administrators.

When configured, client certificate private keys can be stored in the key vault through the following methods:

  • Client Certificate Web Form enrollment — When a client certificate is enrolled through a client certificate web form using server-side CSR generation, the private key is automatically stored in the key vault.

  • MS agent enrollment — When a client certificate is enrolled through the MS agent, and the MS template has been configured for key archiving, the private key is automatically stored in the key vault.

  • SCM REST API — Existing client certificate private keys can be uploaded in .p12 format to the key vault through the SCM REST API. If the certificate does not exist in SCM already, it will be added. Otherwise, the existing certificate will be updated with the private key stored in the key vault.
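Before uploading an existing private key through the SCM REST API, it is worth confirming that the .p12 file really contains one private key and that the key matches the certificate it is bundled with. The following shell script is an added example, not Sectigo's code and not part of the SCM API documentation: it builds a password-protected PKCS#12 bundle from a key and certificate and then runs those checks on it. It assumes the openssl command-line tool is available; the self-signed certificate and the password "s3cret" are constructed here so that the script runs offline, and you would substitute the real client certificate, key and password.

```shell
#!/bin/sh
# Added example (not Sectigo's code): build a PKCS#12 (.p12) bundle from an
# existing client certificate and key, then verify it before uploading it to
# the key vault. A throwaway self-signed certificate is generated so the
# script runs offline; replace it with the real certificate and key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed client certificate and its key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=alice@example.com" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Package key + certificate into a password-protected PKCS#12 file.
# Usage: make_p12 <key.pem> <cert.pem> <out.p12> <password>
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
    -passout "pass:$4" -name "client-cert" >/dev/null 2>&1
}

# Verify the bundle: it must open with the password, contain exactly one
# private key, and that key must match the certificate's public key.
# Usage: verify_p12 <bundle.p12> <password>; returns 0 only if all checks pass.
verify_p12() {
  p12=$1; pw=$2
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nodes \
        -out "$WORK/dump.pem" >/dev/null 2>&1; then
    echo "cannot open $p12 with the given password"; return 1
  fi
  keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$WORK/dump.pem" || true)
  [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; return 1; }
  # Extract key and certificate separately and compare their public keys.
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
    -out "$WORK/k.pem" >/dev/null 2>&1
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
    -out "$WORK/c.pem" >/dev/null 2>&1
  kpub=$(openssl pkey -in "$WORK/k.pem" -pubout 2>/dev/null | openssl sha256)
  cpub=$(openssl x509 -in "$WORK/c.pem" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$kpub" = "$cpub" ] || { echo "private key does not match the certificate"; return 1; }
  echo "ok: $p12 holds one key matching $(openssl x509 -in "$WORK/c.pem" -noout -subject)"
}

make_p12 "$WORK/key.pem" "$WORK/cert.pem" "$WORK/client.p12" "s3cret"
verify_p12 "$WORK/client.p12" "s3cret"
```

The key/certificate match check matters because the vault updates an existing SCM certificate record with whatever key is in the bundle; a mismatched key would be archived against the wrong certificate and fail at recovery time.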

Keys can be recovered in the following ways:

  • SCM — An SCM administrator with the Allow download keys from Key Vault privilege can recover keys through the Persons or Client Certificates page.

  • Private Key Recovery Form — External users can recover their private keys through the Private Key Recovery Form. This form is accessed through a Key Vault UI URL specific to your company. You can find this URL on the About page in SCM, and it must be communicated to the user.

Sectigo Key Vault is only available if enabled for your account. For more information, contact your Sectigo account manager.

Sectigo Key Vault can be managed on the Key Vault page.

Sectigo Key Vault page

The following controls are available on the Key Vault page.

  • Recovery Method: The method used to recover keys from the Sectigo Key Vault.

  • Digitally Sign iOS Mobile Config: Indicates whether or not the mobile configuration file is to be digitally signed.

  • Subject: The subject of the signing certificate.

  • Issuer: The issuer of the signing certificate.

  • Serial Number: The serial number of the signing certificate.

  • Expires: The expiration date of the signing certificate.

  • Include Exchange in iOS Mobile Config: Indicates whether or not Microsoft Exchange settings are to be included in the mobile configuration file. When included, the mobile configuration file is applied when the private key is downloaded from the Sectigo Key Vault.

  • Exchange Server Host Name: The host name or IP address of the Microsoft Exchange server.

  • Use SSL for Communication: Indicates whether or not SSL is used for communication with the Microsoft Exchange server.

  • Number of Past Days to Sync: The number of days of mail to sync. Mail older than this number of days is not synchronized.

  • Prevent Moving Messages to Another Account: Indicates whether or not messages are blocked from being moved out of the associated email account into another account.

Admin controls

  • Edit: Opens the Key Vault Recovery Options dialog where you can manage the method used to recover keys from the Sectigo Key Vault.
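The Subject, Issuer, Serial Number and Expires controls describe the certificate that signs the iOS mobile configuration file. The shell script below is an added example, not Sectigo's code: it shows how an administrator can confirm that a downloaded, signed profile carries a valid signature from the expected signing certificate and read those same four fields from the embedded signer. It assumes the openssl command-line tool is available and that the signed profile is a DER-encoded CMS SignedData with the plist embedded, which is the format Apple uses for signed .mobileconfig files. The signing certificate and the minimal profile plist are constructed here so the script runs offline; in practice you would pass the real signed profile and the real signing certificate.

```shell
#!/bin/sh
# Added example (not Sectigo's code): verify the CMS signature on a signed
# .mobileconfig, pin the embedded signer to the expected signing certificate,
# and print the signer's subject, issuer, serial number and expiry.
# Throwaway material is generated so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signing certificate (stands in for the real one).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Profile Signing/O=Example Corp" \
  -keyout "$WORK/sign.key" -out "$WORK/sign.crt" >/dev/null 2>&1

# Constructed minimal profile plist (the real one is generated by SCM).
cat > "$WORK/profile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
</dict></plist>
EOF

# Signed profiles are DER CMS SignedData with the plist embedded (not detached).
openssl smime -sign -nodetach -outform der \
  -signer "$WORK/sign.crt" -inkey "$WORK/sign.key" \
  -in "$WORK/profile.mobileconfig" -out "$WORK/profile.signed.mobileconfig" 2>/dev/null

# Usage: verify_profile <signed.mobileconfig> <expected-signer.crt>
# 1. Verify the CMS signature itself (-noverify skips chain building, so step 2
#    pins the signer instead of trusting the embedded certificate).
# 2. Compare the embedded signer's SHA-256 fingerprint to the expected certificate.
# 3. Print the fields shown on the Key Vault page. Returns 0 only if 1 and 2 pass.
verify_profile() {
  signed=$1; expected=$2
  if ! openssl smime -verify -inform der -noverify -in "$signed" \
        -signer "$WORK/signer.crt" -out "$WORK/payload.xml" >/dev/null 2>&1; then
    echo "signature check failed for $signed"; return 1
  fi
  got=$(openssl x509 -in "$WORK/signer.crt" -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$expected" -noout -fingerprint -sha256)
  [ "$got" = "$want" ] || { echo "signer is not the expected certificate"; return 1; }
  openssl x509 -in "$WORK/signer.crt" -noout -subject -issuer -serial -enddate
}

verify_profile "$WORK/profile.signed.mobileconfig" "$WORK/sign.crt"
```

Pinning by fingerprint rather than relying on the certificate embedded in the profile is the important part: the embedded certificate is supplied by whoever produced the file, so comparing it against the certificate you expect (the one whose Subject, Issuer, Serial Number and Expires are shown on the Key Vault page) is what ties the profile to your configuration.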