Overview
If you have Key Archival enabled on your CA, you can recover archived private keys. If you don't have Key Archival enabled, a separate post covers that case.
In this post, I'll demonstrate how to recover a lost private key.
How to recover a lost private key
You need to be logged in with one of your Key Recovery Agents that you specified when you configured Key Archival.
Firstly, locate your certificate in the Issued Certificates section using the CA snap-in:
You then need the certificate's serial number: double-click the certificate, go to the Details tab and select Serial Number:
Remove the spaces from the serial number so certutil gets one bare hex string:
1a00000042af62922b38431f48000100000042
Use certutil to pull the archived key blob (still encrypted to the Key Recovery Agent) from the CA database:
certutil -getkey 1a00000042af62922b38431f48000100000042 C:\Temp\key.key
You then use certutil again to decrypt the blob with your Key Recovery Agent's private key; it prompts for a password to protect the resulting PFX:
certutil -recoverkey C:\Temp\key.key C:\Temp\cert.pfx
You now have a .pfx file that you can import back onto your client using certmgr.msc. Treat it as you would any private key: restrict who can read it and delete the intermediate key.key blob once the import is done.
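The two certutil steps above wrapped in one PowerShell function, as an added example that is not from the original post. It assumes you are logged in as a Key Recovery Agent on the CA itself (or pass the CA in the assumed -CAConfig parameter); the function name Recover-ArchivedKey and the C:\Temp output path are my own choices.

```powershell
# Added example, not from the original post: runs -getkey and -recoverkey,
# normalises the serial number copied from the CA snap-in, and locks down the
# resulting PFX. Assumes a KRA logon and certutil.exe on the PATH.
function Recover-ArchivedKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,  # as shown in the snap-in, spaces allowed
        [Parameter(Mandatory)] [string] $OutputPfx,     # e.g. C:\Temp\cert.pfx
        [string] $CAConfig                              # optional "CAHost\CA Name" when not run on the CA
    )

    # The snap-in shows the serial as spaced byte pairs; certutil wants one bare hex string
    $serial = ($SerialNumber -replace '\s', '').ToLower()
    if ($serial -notmatch '^[0-9a-f]+$') { throw "Serial number is not hexadecimal: '$SerialNumber'" }

    $blob = Join-Path $env:TEMP "$serial.key"
    $cfg  = if ($CAConfig) { @('-config', $CAConfig) } else { @() }

    # Step 1: fetch the archived key blob (still encrypted to the KRA) from the CA database
    & certutil.exe @cfg -getkey $serial $blob
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed (exit code $LASTEXITCODE)" }

    # Step 2: decrypt it with the KRA's private key; certutil prompts for a PFX password
    & certutil.exe -recoverkey $blob $OutputPfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit code $LASTEXITCODE)" }

    # The PFX now contains a usable private key: grant only the caller access, drop the blob
    icacls $OutputPfx /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
    Remove-Item $blob -Force

    return (Get-Item $OutputPfx)
}

# Serial number from the post, pasted with the spaces the snap-in shows
Recover-ArchivedKey -SerialNumber '1a 00 00 00 42 af 62 92 2b 38 43 1f 48 00 01 00 00 00 42' `
                    -OutputPfx 'C:\Temp\cert.pfx'
```

Run it from an elevated PowerShell on the CA; if certutil reports that no KRA certificate matches, the logged-in account is not one of the recovery agents configured for Key Archival.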