Restore Private Key Archived with ADCS

Q: How do I restore an archived private key in Active Directory Certificate Services?

A: If a private key for a certificate has been archived, the key can be recovered by the user who has the Key Recovery Agent certificate. However, you must know the serial number of the certificate, which you can find by viewing the properties of the certificate for which you need to restore the private key. The serial number can be found in the Details tab.

The serial number is used for the actual private key recovery, as you can see in the following code, which first creates a BLOB of the certificate and then extracts the private key from it to a pfx file. This file will prompt you for a password to protect the pfx:

>certutil -getkey <serial number of certificate> outputcert
Recovery blobs retrieved: 1
Recovery Candidates: 1

Retrieved key files:

CertUtil: -GetKey command completed successfully.

>certutil -recoverkey outputcert2 serv101.pfx
Enter new password:
Confirm new password:

Recovered key files:
CertUtil: -RecoverKey command completed successfully.

>dir *.pfx
Volume in drive C has no label.
Volume Serial Number is DC4F-0090

Directory of C:\Windows\system32

08/30/2014 02:20 PM 4,126 serv101.pfx
1 File(s) 4,126 bytes
0 Dir(s) 25,762,107,392 bytes free
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.