First off, you need to hold a KRA certificate together with its private key; that is what lets you decrypt an archived copy of another user's private key. Pulling the encrypted blob out of the CA database is a separate right: the account that runs -getkey needs Certificate Manager ("Issue and Manage Certificates") permission on the CA.
Secondly, you need to know the thumbprint (SHA-1 certificate hash) of the end user's certificate whose private key you are trying to retrieve. certutil -getkey takes this as its search token (it also accepts the serial number, the requester name as domain\user, or the UPN).
On the server which archived the end user's private key (the issuing CA, usually the intermediate CA in a two-tier hierarchy), type the following from an elevated command prompt. The first argument is the thumbprint, the second is the file the encrypted recovery blob is written to:
C:\Windows\system32>certutil -getkey 413d8bc1a32fc9de8eeff83562ce207885267b26 c:\temp\johnblob
Recovery blobs retrieved: 1
Recovery Candidates: 1
Retrieved key files:
CertUtil: -GetKey command completed successfully.
Then, from the blob you just created, recover the private key and store it in PFX format so it can be imported on the end user's machine. This is the step that uses the KRA private key, so run it where that key is available. The password you enter is all that protects the PFX, so pick a strong one and hand it to the user out of band; delete both the blob and the PFX once the import is done.
C:\Windows\system32>certutil -recoverkey c:\temp\johnblob c:\temp\john.pfx
Enter new password:
Confirm new password:
Recovered key files:
CertUtil: -RecoverKey command completed successfully.
You cannot recover private keys from the database with a KRA certificate that was not part of the CA configuration at the time the private key was archived: the blob is encrypted to the KRA public keys configured at that moment, not to whatever KRAs are configured now. The "Recovery Candidates" line in the -getkey output counts the KRA certificates the blob can be decrypted with; if more than one was configured, -recoverkey accepts an optional recipient index after the PFX file name to pick which KRA key to use.
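The two certutil steps above, wrapped in a script that checks the preconditions first, recovers the key, and then verifies the PFX actually contains the requested certificate and its private key. This is an added example and not from the original post; it assumes the KRA certificate is in the current user's personal store (Cert:\CurrentUser\My), that certutil.exe is on PATH, and that .NET 4.7.2 or later is present for the EphemeralKeySet flag. The parameter names and the -CAConfig option are this script's own.

```powershell
# Added example (not from the original post): wraps certutil -getkey / -recoverkey
# with precondition checks, a random PFX password, blob cleanup and result verification.
# Assumptions: KRA cert + private key in Cert:\CurrentUser\My; certutil.exe on PATH;
# .NET 4.7.2+ so X509KeyStorageFlags.EphemeralKeySet is available.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{40}$')]
    [string]$Thumbprint,                     # thumbprint of the end user's certificate
    [Parameter(Mandatory)][string]$PfxPath,  # where the recovered PFX is written
    [string]$CAConfig                        # optional "Host\CAName"; omit to let certutil locate the CA
)

$ErrorActionPreference = 'Stop'
$KraEku = '1.3.6.1.4.1.311.21.6'             # Key Recovery Agent EKU OID

# 1. Precondition: a KRA certificate with a usable private key must be present here,
#    otherwise -getkey succeeds but -recoverkey has nothing to decrypt the blob with.
$kra = Get-ChildItem Cert:\CurrentUser\My |
       Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $KraEku) }
if (-not $kra) { throw 'No KRA certificate with a private key found in Cert:\CurrentUser\My' }
Write-Verbose ("Using KRA cert(s): " + ($kra.Thumbprint -join ', '))

# 2. Pull the encrypted recovery blob from the CA database (needs Certificate Manager rights).
$blob = Join-Path $env:TEMP ("recovery-{0}.blob" -f $Thumbprint.ToLower())
$certutilArgs = @('-getkey')
if ($CAConfig) { $certutilArgs = @('-config', $CAConfig) + $certutilArgs }
$certutilArgs += @($Thumbprint, $blob)
& certutil.exe @certutilArgs | Write-Verbose
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $blob)) { throw "certutil -getkey failed (exit $LASTEXITCODE)" }

# 3. Decrypt the blob with the KRA private key into a password-protected PFX.
#    The password is generated randomly here; hand it to the user out of band.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)
try {
    & certutil.exe -p $pfxPassword -recoverkey $blob $PfxPath | Write-Verbose
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit $LASTEXITCODE)" }
} finally {
    # The blob is encrypted to the KRA key, but there is no reason to leave it lying around.
    Remove-Item $blob -Force -ErrorAction SilentlyContinue
}

# 4. Verify the PFX holds the requested certificate and a private key, without importing
#    it into any store: EphemeralKeySet keeps the key in memory for this process only.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword, $flags)
if ($cert.Thumbprint -ne $Thumbprint.ToUpper()) { throw "PFX thumbprint $($cert.Thumbprint) does not match $Thumbprint" }
if (-not $cert.HasPrivateKey) { throw 'Recovered PFX contains no private key' }

[pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Pfx = $PfxPath; Password = $pfxPassword }
```

Run it as `.\Recover-ArchivedKey.ps1 -Thumbprint 413d8bc1a32fc9de8eeff83562ce207885267b26 -PfxPath c:\temp\john.pfx -Verbose` from an elevated prompt on the CA. The KRA check in step 1 is what catches the situation described above where the KRA you hold was not configured when the key was archived: -getkey will still return a blob, but -recoverkey fails, and the script stops there rather than leaving a half-finished recovery behind.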
For more insight please go to: