All organizations created in the CM prior to 8 March 2011 have key escrow enabled by default. The only way to change this is to create a new organization instance in the CM.
If your institution subscribed to the InCommon Certificate Service after 8 March 2011, then key escrow was not enabled by default. If your institution subscribed to the InCommon Certificate Service prior to 8 March 2011, it is highly likely that your organization was created in the CM prior to that date. In particular, if your organization began issuing SSL certificates prior to 8 March 2011, then your organization has key escrow enabled.
InCommon made the decision about key escrow many months in advance of deploying client certificates, when SSL was the only service in operation and the key escrow functionality in the CM was still in its infancy. Since we didn't want to disable potentially useful functionality for an entire organization's life cycle, we chose to enable escrow for all organizations. This policy was changed on 8 March 2011.
Enabling or disabling key escrow for organizations or departments has the following consequences:
- As an RAO/DRAO using the web-based Certificate Services Manager
- Via CSV upload [Note: the invitation sent by email contains a link to download the certificate. As of 10/13/2011, the links don't work. A bug report has been filed.]
- Via the web-based Enrollment form
- Via the API
- Via Active Directory linkage
- (for non-escrowed organizations or departments)
These methods are described in the Administrator Guide.