The KeyServer installer is also used when creating KeyShadows - but these installations must use copies of a "shadow.lic" license certificate, which has been created within KeyConfigure while connected to the main KeyServer, instead of the "server.lic" which is used only on the KeyServer host.
In order to prevent duplicated copies of the KeyShadow software from running on unauthorized computers, the shadow installation can be protected by a "shadow password" which must be entered when the KeyShadow process is launched for the first time on a new host computer (as explained in the KeyShadow installation instructions). You have the option of specifying this password or creating a certificate that does not require a password. Once a shadow has successfully connected to the KeyServer, it will appear in the Shadows window where its status is shown.
To create a shadow.lic, select Create Shadow Certificate from the Config Menu. For most purposes, it is best to enter the same DNS value that you have specified in the KeyAccess client configuration. Whenever a client connects to a KeyShadow for any reason, the client will adopt the KeyServer address from the shadow.lic and use it to replace the "KeyServer Address:" value specified in the KeyAccess logon configuration. Keeping these address specification exactly the same will avoid surprises in the future (as explained below).
Depending on how your DNS server is configured, the "address" might be the DNS name for the KeyServer host computer itself or perhaps a DNS alias for the KeyServer service (thus giving greatest flexibility – if the KeyServer ever needs to be moved to a new host, simply change the alias).
Years ago, when DNS servers were less reliable, it was common to configure the shadow.lic with the actual ip address of the KeyServer host or a combination of the host name and ip address. These options are still available as radio buttons, but now they are rarely needed. And, whenever a client has gotten service from a KeyShadow, using these radio button options will cause any DNS value, formerly specified as the KeyAccess logon address, to be overwritten with an ip address. Then if you ever need to direct clients to a new KeyServer host address in the future, it will no longer be a simple matter of re-configuring your DNS server with a new ip resolution for the KeyServer name.