Set-up Emergency Use Admin Accounts
ADSS Server supports standard TLS client authentication of operators (with the certificate/private key being held on a smartcard, USB token or software file). It is recommended to use the ADSS internal CA module to create admin PFX files for TLS client login for emergency use. There should be an emergency admin account registered with this emergency PFX. The PFX file can be held in software on a standard memory stick, alternatively inserted into a crypto USB Token or a smartcard can also be used. ADSS Server Key Manager can generate keys directly within these tokens too.
The emergency token should be stored in a secure location and have appropriate usage procedures defined. Multiple emergency PFXs can be created and stored in the same way. It is recommended that the emergency use administrator certificate is created with a relatively longer validity period and its expiry is noted and monitored for renewal. If somehow all the normal operator certificates (based on the production system) become invalid, this emergency token will still work and can be used to set-up new normal operator certificates on the production system. Adding new operator account and certificates is described here and generating new keys and certificates on software and smart cards is explained here.
See also