Breadcrumbs

Perform Key Recovery

You can recover archived keys. To perform a key recovery:

  1. Open the command prompt and run the certsrv.msc command.

  2. In the console tree, double-click Certificate Authority, and then click Issued Certificates.

  3. Select View and select Add/Remove Columns.

  4. In Add/Remove Columns within the Available Column, select Archived Key, and then click Add. Archived Key should now appear in Displayed Columns.

image-20250805-083832.png



"Archived Key" Window

  1. Click OK, and then in the details pane, scroll to the right and confirm that the last issued certificate to UserKeyArchival has a Yes value in the Archived Key column.

A certificate template must have been modified so that the Archive bit and Mark Private Key as Exportable attributes were enabled. The private key is only recoverable if there is data in the Archived Key column.

  1. Double-click the Archive User certificate.

  2. Select the Details tab and write down the serial number of the certificate.

  3. Click OK.

  4. Close the Certification Authority.

  5. Recover the private key into output file, open the command prompt and run the command below.

›_ Console

 
> certutil -getkey <serialnumber> output

  1. Recover the certificate, open the command prompt, and run the command below.

›_ Console

 
> certutil -recoverkey output user.pfx

If you are using smartcard authentication, the prompt will appear on the PIN Pad device to insert the smartcard and enter the PIN. Then, press the OK button on the PIN Pad.

  1. When prompted, enter the following information:

Enter new password: password

Confirm new password: password

  1. Type exit, and then press ENTER.

  2. Close all windows and log off as the current user.

  3. Import the recovered private key/certificate.

    1. Open the command prompt and run the certmgr.msc command.

    2. Right-click Certificates (Current User), and then select Find Certificates.

    3. In Find Certificates, under Contain, type the CA Name and then click Find Now.

    4. In Find Certificates, on the Edit menu, click Select All.

    5. In Find Certificates, on the File menu, click Delete.

    6. In Certificates, click YES.

    7. Close Find Certificates.

  4. Import the certificate at c:\user.pfx and let the certificates be placed by the system.

    1. In the console tree, right-click Personal and then select All Tasks, and then click Import.

    2. In the Certificate Import Wizard, click Next.

    3. In the Files to Import, in the File name box, type c:\user.pfx and then click Next.

    4. In Password, type the password and then click Next.

    5. In Certificate Store, select Automatically select the certificate store based on the type of certificate, and then click Next.

    6. In the Completing the Certificate Import Wizard, click Finish.

  5. Verify the serial number of the imported certificate.

    1. In the console tree, double-click Personal and then click Certificates.

    2. Double-click the certificate.

    3. In Certificate, go to the Details tab. Verify that the serial number matches the original.