Restore Private Key Archived with ADCS

Recover a private key from Active Directory Certificate Services.

John Savill

September 10, 2014

1 Min Read
lock

Q: How do I restore an archived private key in Active Directory Certificate Services?

A: If a private key for a certificate has been archived, the key can be recovered by the user who has the Key Recovery Agent certificate. However, you must know the serial number of the certificate, which you can find by viewing the properties of the certificate for which you need to restore the private key. The serial number can be found in the Details tab.

The serial number is used for the actual private key recovery, as you can see in the following code, which first creates a BLOB of the certificate and then extracts the private key from it to a pfx file. This file will prompt you for a password to protect the pfx:

>certutil -getkey  outputcertRecovery blobs retrieved: 1Recovery Candidates: 1Retrieved key files:outputcertCertUtil: -GetKey command completed successfully.>certutil -recoverkey outputcert2 serv101.pfxEnter new password:Confirm new password:Recovered key files:serv101.pfxCertUtil: -RecoverKey command completed successfully.>dir *.pfxVolume in drive C has no label.Volume Serial Number is DC4F-0090Directory of C:Windowssystem3208/30/2014 02:20 PM 4,126 serv101.pfx1 File(s) 4,126 bytes0 Dir(s) 25,762,107,392 bytes free

About the Author

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like