Key pairs are used in a range of functions. With most PKI implementations, only single key pairs are used. Sometimes a CA needs to generate multiple key pairs in situations where backup private keys are required but the possibility of a forged digital signature is acknowledged.
For example, if someone is the backup operator, that person is responsible for the backup of all data, including the user's private keys. If that individual has any grievances they could use a private key to forge a signature for personal gain. The recipient of that signature, say the CFO, would have no reason to distrust the message and its content.
To avoid scenarios such as this, many public key infrastructures support the use of dual keys. In the example above, the CFO has two separate key pairs. The first key pair is used for authentication or encryption, while the second key pair is used for digital signatures.
The private key used for authentication and encryption can still be backed up for safekeeping. The second private key would never be backed up and would not provide the security loophole that using single keys creates. The CFO could continue using his second private key for signing emails without fear of the key being misused.
