How to recover certificate using expired Key Recovery Agent?

Question

How to recover certificate using expired Key Recovery Agent?

Radek J 1

Hi, I would like recover user certificate from Microsoft PKI CA. But user certificate which I want recover was archived with no longer valid KRAgent. Person who is KRA has both certificate and private keys installed old expired and new valid. It looks like certutil can't use the old one expired KRA certificate. How can I resolve this? Thank you Radek

Vadims Podāns 8,391 Reputation points MVP

2020-12-07T10:41:06.143+00:00

Expired KRA certificate can be used to recover user key. Make sure that private key for expired KRA certificate is available and it applicable for encrypted BLOB. Please provide more information.
Radek J 1 Reputation point

2020-12-08T08:31:06.523+00:00

Hi, thank you.
Simply if I am logged as user which have both certificate (valid and expired with private keys) in his certificate store, I can only restore certificates archived with new KRA certificate using certutil. If I try restore older certificates, I get error:

CertUtil: -RecoverKey command FAILED: 0x8009200c (-2146885620 CRYPT_E_NO_DECRYPT_CERT)
CertUtil: Cannot find the certificate and private key to use for decryption.

Certutil by defualt use only valid KRA certificate. Is there any parametr to specify older certificate for restore operation?
¨
Radovan
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2020-12-16T01:57:37.75+00:00

Hello @Radek J ，

Thank you for posting here.

Based on the description "Simply if I am logged as user which have both certificate (valid and expired with private keys) in his certificate store, I can only restore certificates archived with new KRA certificate using certutil. If I try restore older certificates, I get error", would you please tell us:

You have one expired KRA certificate and one new KRA certificate, you want to restore the same user key with both expired KRA certificate and new KRA certificate using certutil, is that right?

If so, what command do you use using new KRA certificate?
And what command do you use using expired KRA certificate?

Best Regards,
Daisy Zhou
Vadims Podāns 8,391 Reputation points MVP

2020-12-16T06:47:57.907+00:00

This may indicate that cert was encrypted with different KRA cert which is not installed. Rename blob file to .p7b extension, open and look at KRA cert you must have.
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2020-12-18T09:32:03.403+00:00

Hello @Radek J ,

How are you?

Hope the information Crypt32 provided is helpful.

If you have any question, please feel free to let us know.

Best Regards,
Daisy Zhou
Radek J 1 Reputation point

2021-01-21T14:20:46.27+00:00

Hello,

thank you, sorry for delay.

My command was simply: certutil -recoverkey C:\pom\user1.key c:\pom\user1.pfx

Yes I have one expired KRA certificate and one new KRA certificate in my certificate store, I want to restore the user1 certificate with expired KRA certificate.

Where can I find that blob file?

RadekJ
Vadims Podāns 8,391 Reputation points MVP

2021-01-22T11:03:02.027+00:00

You can recover key only with KRA certificate was used to archive the key. Make sure that you are using correct KRA certificate to recover.

Vadims Podāns 8,391 Reputation points MVP

2020-12-07T10:41:06.143+00:00

Expired KRA certificate can be used to recover user key. Make sure that private key for expired KRA certificate is available and it applicable for encrypted BLOB. Please provide more information.
Radek J 1 Reputation point

2020-12-08T08:31:06.523+00:00

Hi, thank you.
Simply if I am logged as user which have both certificate (valid and expired with private keys) in his certificate store, I can only restore certificates archived with new KRA certificate using certutil. If I try restore older certificates, I get error:

CertUtil: -RecoverKey command FAILED: 0x8009200c (-2146885620 CRYPT_E_NO_DECRYPT_CERT)
CertUtil: Cannot find the certificate and private key to use for decryption.

Certutil by defualt use only valid KRA certificate. Is there any parametr to specify older certificate for restore operation?
¨
Radovan
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2020-12-16T01:57:37.75+00:00

Hello @Radek J ，

Thank you for posting here.

Based on the description "Simply if I am logged as user which have both certificate (valid and expired with private keys) in his certificate store, I can only restore certificates archived with new KRA certificate using certutil. If I try restore older certificates, I get error", would you please tell us:

You have one expired KRA certificate and one new KRA certificate, you want to restore the same user key with both expired KRA certificate and new KRA certificate using certutil, is that right?

If so, what command do you use using new KRA certificate?
And what command do you use using expired KRA certificate?

Best Regards,
Daisy Zhou
Vadims Podāns 8,391 Reputation points MVP

2020-12-16T06:47:57.907+00:00

This may indicate that cert was encrypted with different KRA cert which is not installed. Rename blob file to .p7b extension, open and look at KRA cert you must have.
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2020-12-18T09:32:03.403+00:00

Hello @Radek J ,

How are you?

Hope the information Crypt32 provided is helpful.

If you have any question, please feel free to let us know.

Best Regards,
Daisy Zhou
Radek J 1 Reputation point

2021-01-21T14:20:46.27+00:00

Hello,

thank you, sorry for delay.

My command was simply: certutil -recoverkey C:\pom\user1.key c:\pom\user1.pfx

Yes I have one expired KRA certificate and one new KRA certificate in my certificate store, I want to restore the user1 certificate with expired KRA certificate.

Where can I find that blob file?

RadekJ
Vadims Podāns 8,391 Reputation points MVP

2021-01-22T11:03:02.027+00:00

You can recover key only with KRA certificate was used to archive the key. Make sure that you are using correct KRA certificate to recover.

How to recover certificate using expired Key Recovery Agent?

Activity