Performing a key recovery

This section describes how to recover archived keys by performing a key recovery.

To perform a key recovery

Log on to the system as Domain Administrator and ensure that the private key is still recoverable by viewing the Archived Key column in the Certification Authority console.
1. Log on as Domain Administrator.
2. From Administrative Tools, open Certification Authority.
3. In the console tree, double-click CA, and then select Issued Certificates.
4. From the View menu, select Add/Remove Columns.
5. In Add/Remove Columns, in Available Column, select Archived Key and Add. ArchivedKey should now appear in Displayed Columns.
6. Select OK and then, in the details pane, scroll to the right and confirm that the last issued certificate to UserKeyArchival has a Yes value in the Archived Key column.
  
  Note
  
  A certificate template must have been modified so that the Archive bit and Mark Private Key as Exportable attributes were enabled. The private key is only recoverable if there is data in the Archived Key column.
7. Double-click the Archive User certificate.
8. Select the Details tab.
  
  Write down the serial number of the certificate. (Do not include spacing between digit pairs.) This is required for recovery.
  
  The serial number is a hexadecimal string which is 20 characters long. The serial number of the private key is the same as the serial number of the certificate. For the purpose of this walkthrough, the serial number will be referred to as serialnumber.
9. Select OK.
10. Close Certification Authority.
Recover the private key into a BLOB output file by using certutil.exe.
1. On the taskbar, select the Start > Run. Enter cmd and select OK to open command prompt window.
2. Enter cd \ and then press ENTER.
3. Ensure that you are in the c:\ directory.
4. At the command prompt, type:
```
Certutil -getkey serialnumber outputblob
```
5. At the command prompt, type
```
dir outputblob
```
  Note
  
  If the file outputblob does not exist, you probably typed the serial number incorrectly for the certificate.
  
  The outputblob file is a PKCS #7 file containing the KRA certificates and the user certificate and chain. The inner content is an encrypted PKCS#7 containing the private key (encrypted by the KRA certificates).
Recover the original private/public key pair using Certutil.exe
1. On the taskbar, select Start > Run. Enter cmd and select OK to open a command prompt window.
2. At the command prompt, type:
```
Certutil -recoverkey outputblob user.pfx
```
3. When prompted, enter the following information:
  
  Enter new password: password
  
  Confirm new password: password
4. Enter exit, and then press ENTER.
5. Close all windows and log off as the current user.
Import the recovered private key/certificate.
1. At the command prompt, enter certmgr.msc
2. Right-click Certificates (Current User), and then select Find Certificates.
3. In Find Certificates, under Contains, enter CA Name and then select Find Now.
4. In Find Certificates, on the Edit menu, select Select All.
5. In Find Certificates, on the File menu, select Delete.
6. In Certificates, select Yes.
7. Close Find Certificates.
Import the certificate at c:\user.pfx and let the certificates be placed by the system.
1. In the console tree, right-click Personal and then select All Tasks and Import.
2. In the Certificate Import Wizard, select Next.
3. On Files to Import, in the File name box, enter c:\user.pfx, and then select Next.
4. In Password, enter password and then select Next.
5. On Certificate Store, select Automatically select the certificate store based on the type of certificate and Next.
6. On Completing the Certificate Import Wizard, select Finish.
Verify the serial number of the imported certificate.
1. In the console tree, double-click Personal and then select Certificates.
2. Double-click certificate.
3. In Certificate, go to the Details tab and verify that the serial number matches the original.

Suggest A Change

Performing a key recovery

To perform a key recovery

On this page