How to migrate a certificate for email encryption in Outlook if the private key is not available?

Question

How to migrate a certificate for email encryption in Outlook if the private key is not available?

OZ 286

We have users with certificates for encrypting mail in Outlook. The certificate was obtained from an internal certification authority, which is still working. It became necessary to migrate the user to another machine along with the certificate for mail. But it turned out to be impossible to export the certificate together with the private key. Is there a way to transfer the certificate to another machine so that it would be possible to decrypt mail? Or somehow get the private key?

Anonymous

2025-03-07T02:23:58.2466667+00:00

Hello, @OZ

Just checking in to see if above information was helpful.

If the issue has been resolved, please mark the helpful replies as answers.

Best Wishes,

Alex Zhang

Accepted answer

1 additional answer

Your answer

Anonymous

2025-03-07T02:23:58.2466667+00:00

Hello, @OZ

Just checking in to see if above information was helpful.

If the issue has been resolved, please mark the helpful replies as answers.

Best Wishes,

Alex Zhang

Answer 1

Anonymous

Hi,

Welcome to the Microsoft Q&A platform!

You can try the following two ways:

Copy the source key file to a new computer:

Run if you don't know the SID of the user:

$cert = Get-ChildItem Cert:\CurrentUser\My | Where {$_.Subject -match “user name”}
$keyContainer = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

Copy the key file:

$sourcePath = “C:\ProgramData\Microsoft\Crypto\RSA\User SID\$keyContainer”
Copy-Item $sourcePath -Destination “\\\ New Computer\C$\Temp\” -Force

User's image

User's image
Import on new computer

$destPath = “C:\ProgramData\Microsoft\Crypto\RSA\User SID\”
robocopy “C:\Temp” $destPath $keyContainer /SEC

The administrator reissues the exportable certificate through the CA. Copy the existing template in the CA console, check “Allow private key export” in the “Request Processing” tab, and issue a new version of the template.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

OZ 286 Reputation points

2025-03-03T15:13:31.1166667+00:00

Thank you for a good detailed answer, I'm still in the process. Tell me please, if the private key is marked as not exportable but there is a certification center that issued this key, will I be able to transfer the key to another machine? My goal is for the user to be able to read their emails in Outlook that were encrypted on the old machine after moving to another machine. If I understood correctly, you sent me good instructions for the option when the private key is marked as exportable.
Anonymous

2025-03-04T01:35:37.7166667+00:00

Yes, it would be more convenient to reissue the certificate and set it up to be exportable.
Also, when the certificate is marked as non-exportable private key when it is generated, this means that the private key cannot be exported to a PFX file in the usual way. This is to enhance security and prevent the private key from being copied and used by unauthorized users. The solution I offer is to copy the private key container, which only requires computer administrator privileges.
OZ 286 Reputation points

2025-03-04T16:13:52.9166667+00:00

Thank you, everything became clear. But none of the methods work for me. Let's take it in order. First, I tried the second method. In the Certification Authority, in the properties of the old template, I marked private key as exportable. Then, on the client machine, before exporting, I tried to update the certificate in different ways (as in the picture, with the same key, with a new key) and the private key became exportable. I successfully imported the certificate to the new machine, but the letter is not decrypted. I noticed that whenever I renew the certificate in any way, the certificate thumbprint and the thumbprint in the properties of the sent certified email never match. Somewhere I also read that the private key is stored only on the client from which the request was made and it cannot be requested again from the CA. But it seems to me that I am doing something wrong.
OZ 286 Reputation points

2025-03-04T16:17:26.7366667+00:00

I won't write about the first method, which I also liked, so as not to get confused. I'll write about it later :). The only thing I wanted to draw attention to is that the certificate storage path is in the Roaming folder for me

C:\Users\UserXXX\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-612603907-4119818937-2793598095-49761$keyContainer

OZ 286

Regarding the first option (container export), I divided the script into two parts.

On the source machine I make the code below. As a result, I successfully got the container in the folder C:\Temp

$SID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value # current user SID
$USER = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Name -replace 'MNIVEA\\' # current user Name
$cert = Get-ChildItem Cert:\CurrentUser\My | Where {$_.Subject -match $USER}
$keyContainer = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$KeyContainerPath = "$ENV:USERPROFILE\AppData\Roaming\Microsoft\Crypto\RSA\$SID\$keyContainer"
New-Item -Path "C:\Temp" -ItemType Directory -Force  
Copy-Item $KeyContainerPath -Destination "C:\Temp" -Force

User's image

On the target machine I successfully import the container. I just want to draw attention to the fact that $keyContainer is empty and I don't understand if it is used in robocopy with the /SEC key. However the container is copied successfully but I don't see the certificate in the snap-in Certificates Personal\Current user. Maybe I'm doing something wrong here too..

$SID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value # current user SID
$USER = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Name -replace 'MNIVEA\\' # current user Name
$cert = Get-ChildItem Cert:\CurrentUser\My | Where {$_.Subject -match $USER}
$keyContainer = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$KeyContainerPath = "$ENV:USERPROFILE\AppData\Roaming\Microsoft\Crypto\RSA\$SID"
robocopy "C:\Temp" $KeyContainerPath $keyContainer /SEC

User's image

Anonymous

Try the following cmdlet::

#Deploy on new computer
$destPath = “C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-21-UserSID\”
robocopy “C:\Temp” $destPath $keyContainer /COPYALL /SECFIX
#Reset permissions
icacls $destPath$keyContainer /grant “NT AUTHORITY\SYSTEM:(F)”
icacls $destPath$keyContainer /grant “$env:USERDOMAIN\$env:USERNAME:(F)”

OZ 286 Reputation points

2025-03-05T06:36:13.6766667+00:00
Nothing worked. Please try this on a test environment if possible. The directory C:\ProgramData\Microsoft\Crypto\RSA does not contain user SID and keys at all. However, I used

robocopy “C:\Temp” $ENV:USERPROFILE\AppData\Roaming\Microsoft\Crypto\RSA\$SID $keyContainer /COPYALL /SECFIX

and nothing was copied at all.
Anonymous

2025-03-05T07:25:48.1633333+00:00

My mistake. Did you try to reset the permissions?
OZ 286 Reputation points

2025-03-05T14:03:04.7566667+00:00

Yes, I successfully reset permissions through icalcs as you mention.

Answer 2

OZ 286

I found another solution. I used the exportrsa.exe utility taken from gitlab. It perfectly exports the certificate under the current user in a couple of clicks.

Anonymous

2025-03-06T01:09:53.21+00:00

That's awesome! Thank you for sharing!
I am glad to know that the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thank you！

Share via

How to migrate a certificate for email encryption in Outlook if the private key is not available?

1 additional answer

Your answer