- The decision whether to enable or disable key escrow for an organization (resp., department) is made when the organization (resp., department) is created. The decision regarding key escrow is final and cannot be subsequently modified.
- If key escrow is enabled for an organization, client certificates can not be issued until a RAO initializes the key escrow database for the organization. The importance of this one-time operation can not be overemphasized.
- As RAOs create new departments, an independent decision is made whether or not to enable key escrow for the department. If key escrow is enabled for the department, client certificates can not be issued until a DRAO initializes the key escrow database for that department. The initialization process for the department is exactly the same—and same--and just as important—as important--as it is for the organization.
- As an RAO/DRAO using the web-based Certificate Services Manager
Via CSV upload \[Note: the invitation sent by email contains a link to download the certificate. As of 10/13/2011, the links don't work. A bug report has been filed.\]
- Via web-based Enrollment form
- Via the API (for non-escrowed organizations)
These methods are described in the Administrator Guide.