This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 96%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Hi, I would like recover user certificate from Microsoft PKI CA. But user certificate which I want recover was archived with no longer valid KRAgent. Person who is KRA has both certificate and private keys installed old expired and new valid. It looks like certutil can't use the old one expired KRA certificate. How can I resolve this? Thank you Radek
Expired KRA certificate can be used to recover user key. Make sure that private key for expired KRA certificate is available and it applicable for encrypted BLOB. Please provide more information.
Hi, thank you.
Simply if I am logged as user which have both certificate (valid and expired with private keys) in his certificate store, I can only restore certificates archived with new KRA certificate using certutil. If I try restore older certificates, I get error:
CertUtil: -RecoverKey command FAILED: 0x8009200c (-2146885620 CRYPT_E_NO_DECRYPT_CERT)
CertUtil: Cannot find the certificate and private key to use for decryption.
Certutil by defualt use only valid KRA certificate. Is there any parametr to specify older certificate for restore operation?
¨
Radovan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Radek J ,
Thank you for posting here.
Based on the description "Simply if I am logged as user which have both certificate (valid and expired with private keys) in his certificate store, I can only restore certificates archived with new KRA certificate using certutil. If I try restore older certificates, I get error", would you please tell us:
You have one expired KRA certificate and one new KRA certificate, you want to restore the same user key with both expired KRA certificate and new KRA certificate using certutil, is that right?
If so, what command do you use using new KRA certificate?
And what command do you use using expired KRA certificate?
Best Regards,
Daisy Zhou
This may indicate that cert was encrypted with different KRA cert which is not installed. Rename blob file to .p7b extension, open and look at KRA cert you must have.
Hello @Radek J ,
How are you?
Hope the information Crypt32 provided is helpful.
If you have any question, please feel free to let us know.
Best Regards,
Daisy Zhou
Hello,
thank you, sorry for delay.
My command was simply: certutil -recoverkey C:\pom\user1.key c:\pom\user1.pfx
Yes I have one expired KRA certificate and one new KRA certificate in my certificate store, I want to restore the user1 certificate with expired KRA certificate.
Where can I find that blob file?
RadekJ
You can recover key only with KRA certificate was used to archive the key. Make sure that you are using correct KRA certificate to recover.