First off: you need to be in possession of a KRA (Key Recovery Agent) certificate together with its private key. The archived key is encrypted to the KRA certificate, so that private key is what allows you to decrypt another user's archived private key.
Secondly: you need the thumbprint of the certificate whose private key you are trying to retrieve; it can be looked up in the CA database, which also records which KRA certificate(s) each archived key was encrypted to.

On the CA that archived the end user's private key (usually the issuing/intermediate CA), from an elevated command prompt run by an account that holds the Certificate Manager role on that CA, type the following:

C:\Windows\system32>certutil -getkey 413d8bc1a32fc9de8eeff83562ce207885267b26 c:\temp\johnblob
Recovery blobs retrieved: 1
Recovery Candidates: 1
Retrieved key files:
 c:\temp\johnblob
CertUtil: -GetKey command completed successfully.

From the recovery blob you just created you can now decrypt the private key and store it as a password-protected PFX for import on the end user's machine. This step is the one that needs the KRA certificate's private key, so run it as the KRA agent (on a machine where that key is available). Treat the blob and the PFX as secrets: choose a strong PFX password, hand the file and the password to the user over separate trusted channels, and delete the blob and any spare PFX copies once the user has imported the key.

C:\Windows\system32>certutil -recoverkey c:\temp\johnblob c:\temp\john.pfx
Enter new password:
Confirm new password:
Recovered key files:
 c:\temp\john.pfx
CertUtil: -RecoverKey command completed successfully.
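The two certutil steps above, wrapped in a PowerShell script as an added example (this is not code from the original post). It adds the things you want around a manual recovery: a look-up of the user's archived certificates in the CA database so the thumbprint is not guessed, a generated PFX password instead of a typed one (certutil's -p option suppresses the "Enter new password" prompt), a check that the recovered PFX really contains the requested certificate and a private key, and removal of the recovery blob afterwards. The CA config string, the requester name, the file paths and the thumbprint are placeholders; the script assumes the account running it has Certificate Manager rights on the CA for -getkey and holds the KRA certificate's private key for -recoverkey (in many shops these are two different people, in which case split the script at the -recoverkey step and move the blob between them).

```powershell
# Added example, not part of the original post: certutil key recovery with
# a generated PFX password, a post-recovery check and blob cleanup.
# Assumptions: elevated PowerShell on a machine that can reach the CA; the
# account has Certificate Manager rights on the CA (for -getkey) and owns the
# KRA certificate's private key (for -recoverkey). All names/paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                     # SHA-1 thumbprint of the user's certificate
    [Parameter(Mandatory)] [string] $RequesterName,                  # e.g. 'CORP\john' (assumed domain\user)
    [string] $CaConfig = 'ca01.corp.example.com\Example Issuing CA', # assumed "Machine\CAName" string
    [string] $BlobPath = 'C:\temp\johnblob',
    [string] $PfxPath  = 'C:\temp\john.pfx'
)

$ErrorActionPreference = 'Stop'
$thumb = ($Thumbprint -replace '\s', '').ToUpper()

# 1. Show what the CA database holds for this user. KeyRecoveryHashes lists the
#    KRA certificate(s) each archived key was encrypted to, so the operator can
#    confirm the KRA cert they hold is one of them before going further.
certutil -config $CaConfig -view -restrict "RequesterName=$RequesterName" `
         -out 'RequestID,RequesterName,CertificateHash,KeyRecoveryHashes'
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed ($LASTEXITCODE)" }

# 2. Pull the recovery blob for the chosen certificate out of the CA database.
certutil -config $CaConfig -getkey $thumb $BlobPath
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed ($LASTEXITCODE)" }

# 3. Generate a 24-byte random PFX password rather than typing one at the prompt.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)

# 4. Decrypt the blob with the KRA private key and write the PFX.
certutil -p $pfxPassword -recoverkey $BlobPath $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed ($LASTEXITCODE)" }

# 5. Verify the PFX before handing it over: right certificate, private key present.
#    EphemeralKeySet (needs .NET 4.7.2+) keeps the key out of this profile's key store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $pfxPassword, $flags
if ($cert.Thumbprint -ne $thumb) {
    throw "Recovered PFX holds $($cert.Thumbprint), expected $thumb"
}
if (-not $cert.HasPrivateKey) {
    throw 'Recovered PFX contains no private key; check that the KRA private key is available'
}
$cert.Dispose()

# 6. The blob is no longer needed; the PFX and its password are what the user gets,
#    via separate channels. Remove the PFX copy here once the user has imported it.
Remove-Item -Path $BlobPath -Force

[pscustomobject]@{
    Subject     = $cert.Subject
    Thumbprint  = $thumb
    PfxPath     = $PfxPath
    PfxPassword = $pfxPassword
}
```

Run it as `.\Recover-ArchivedKey.ps1 -Thumbprint 413d8bc1a32fc9de8eeff83562ce207885267b26 -RequesterName 'CORP\john'` (script name assumed). If step 1 shows a KeyRecoveryHashes value that does not match the KRA certificate you hold, stop there: -recoverkey will not be able to open the blob, which is exactly the situation the note below describes.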

NOTE:
You cannot recover a private key from the CA database with a KRA certificate that was not part of the CA's KRA configuration at the time that key was archived. Each archived key is encrypted only to the KRA certificates in effect when it was archived, so adding a new KRA certificate later does not give it access to older keys; keep the old KRA certificates and private keys (securely) for as long as those archived keys may need to be recovered.

For more insight please go to:
http://blogs.technet.com/b/pki/archive/2009/08/07/understanding-key-archival.aspx
