A disclosed method includes operations of a control computer and interceptor computer. The control computer creates a certificate request and sends it to a certificate issuer, the certificate request created with an encrypted blob including a service private key S-PrK encrypted with an escrow server public key E-PuK. The control computer receives the certificate from the certificate issuer and provisions it to the service server along with S-PRK for use in secured communications with clients. The interceptor computer monitors session-establishment communications, e.g. a TLS handshake, between the service server and client to obtain the digital certificate, and retrieves the encrypted blob from the certificate and sends it to the escrow server. The escrow computer retrieves S-PrK by decrypting the encrypted blob using the escrow private key E-PrK, and returns S-PrK to the interceptor, where it is used to decrypt secure-session communications between the client and service server.