Q: How do I restore an archived private key in Active Directory Certificate Services?
A: If the private key for a certificate has been archived on the CA, the key can be recovered by the user who holds the Key Recovery Agent (KRA) certificate. To do so you must know the serial number of the certificate, which you can find by viewing the properties of the certificate whose private key you need to restore; the serial number is listed on the Details tab.
The serial number drives the actual private key recovery, as the following session shows: the first command retrieves the recovery BLOB for that certificate from the CA, and the second decrypts the BLOB with the KRA key and writes the private key into a pfx file. The second command prompts you for a password that will protect the pfx:
>certutil -getkey <serial number of certificate> outputcert
Recovery blobs retrieved: 1
Recovery Candidates: 1
Retrieved key files: outputcert
CertUtil: -GetKey command completed successfully.

>certutil -recoverkey outputcert2 serv101.pfx
Enter new password:
Confirm new password:
Recovered key files: serv101.pfx
CertUtil: -RecoverKey command completed successfully.

>dir *.pfx
 Volume in drive C has no label.
 Volume Serial Number is DC4F-0090

 Directory of C:\Windows\system32

08/30/2014  02:20 PM             4,126 serv101.pfx
               1 File(s)          4,126 bytes
               0 Dir(s)  25,762,107,392 bytes free
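The same procedure scripted end to end, as an added PowerShell example that is not part of the original answer: it looks up the serial number instead of reading it off the Details tab, runs the two certutil steps from the answer, and then verifies that the resulting pfx really carries a private key whose certificate matches the original. It assumes you are logged on as the KRA certificate holder, that the target certificate is present in the local machine's Personal store, and that the subject filter and the file paths are placeholders you will adjust; certutil is still allowed to prompt for the pfx password interactively, as in the session above.

```powershell
# Added example (not from the original answer): locate the serial number of the
# certificate whose archived key is needed, run certutil -getkey / -recoverkey as
# described in the answer, then confirm the pfx actually contains the private key.
# Assumptions (adjust for your environment): you hold the KRA certificate, the
# target certificate is in Cert:\LocalMachine\My, and these values are placeholders.
$SubjectFilter = 'CN=serv101'            # hypothetical subject of the certificate to recover
$BlobFile      = 'C:\Temp\outputcert'    # recovery BLOB written by certutil -getkey
$PfxFile       = 'C:\Temp\serv101.pfx'   # password-protected pfx written by -recoverkey

# Step 1: find the serial number (the same value shown on the Details tab).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectFilter*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectFilter' found." }
Write-Host "Serial number: $($cert.SerialNumber)"

# Step 2: retrieve the archived key BLOB for that serial number from the CA database.
certutil -getkey $cert.SerialNumber $BlobFile
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }

# Step 3: decrypt the BLOB with the KRA private key and write a pfx.
# certutil prompts for the new pfx password here, exactly as in the session above.
certutil -recoverkey $BlobFile $PfxFile
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }

# Step 4: verify the result before handing the pfx to its owner.
# Get-PfxCertificate prompts for the password you just chose.
$recovered = Get-PfxCertificate -FilePath $PfxFile
if ($recovered.Thumbprint -ne $cert.Thumbprint) {
    throw "Recovered certificate thumbprint does not match the original certificate."
}
if (-not $recovered.HasPrivateKey) {
    throw "The pfx does not contain a private key; recovery did not succeed."
}
Write-Host "Recovered private key for $($recovered.Subject) into $PfxFile"

# The intermediate BLOB is no longer needed once the pfx has been verified.
Remove-Item -Path $BlobFile -ErrorAction SilentlyContinue
```

The thumbprint comparison catches the case where the serial number you supplied belongs to a different certificate than the one you intended, and the HasPrivateKey check catches a pfx that was written but holds only the public certificate. Because the pfx now contains a usable private key, treat it like the key itself: transfer it to its owner over a protected channel and remove the working copies once the import has been confirmed.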