Recover a Lost Key

Applies To: Windows Server 2008 R2

Users who lose a private key cannot decrypt data that was encrypted to that key. If the key was archived at the certification authority (CA), an administrator and a key recovery agent can recover it and restore it to the client computer, after which the data can be decrypted and used again.

The complete recovery process includes three procedures:

  • Obtain the serial number of the archived certificate.

  • Perform the key recovery.

  • Restore the key to the client's computer.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To obtain the serial number of an archived certificate

  1. Log on to the computer hosting the certification authority (CA).

  2. Open the Certification Authority snap-in.

  3. In the console tree, click the CA name, and then click Issued Certificates.

  4. On the View menu, click Add/Remove Columns.

  5. Under Available Column, click Archived Key, and then click Add.

    Archived Key should now appear in Displayed Columns.

  6. Click OK, and then, in the details pane, scroll to the right and confirm that the last certificate issued to the user has a Yes value in the Archived Key column.

  7. Double-click the certificate.

  8. Click the Details tab. Record the serial number of the certificate. (Do not include spacing between digit pairs.) You will need this information to complete the recovery procedure.

    The serial number is a hexadecimal string that is 20 characters long. A private key has no serial number of its own; the archived key is indexed by the serial number of the certificate it belongs to, so that is the value the recovery commands take. For the purposes of this procedure, the serial number will be referred to as serialnumber.

  9. Click OK, and close the Certification Authority snap-in.

  10. At a command prompt, type:

    Certutil -getkey <serialnumber> outputblob


The Recipient Info section in the output of this command identifies the serial numbers of the key recovery agent certificates whose private keys are needed to decrypt the blob and recover the key.

  11. At a command prompt, type:

    dir outputblob


If the file outputblob does not exist, certutil did not find a matching row in the CA database; the most likely cause is a mistyped serial number. The outputblob file is a PKCS #7 file containing the key recovery agent certificates and the user certificate and chain. The inner content is an encrypted PKCS #7 file containing the private key, encrypted to the key recovery agent certificates. The blob is only useful to someone holding a key recovery agent private key, but it should still be treated as sensitive.

The domain administrator must transfer the output file to the key recovery agent, who performs the actual recovery procedure.

You must be a user with a key recovery agent certificate registered with the CA to complete this procedure. The key recovery agent certificate, together with its private key, must be in the key recovery agent's Personal certificate store on the computer where the key recovery procedure will take place. For more information, see Implement Role-Based Administration.

To recover the archived certificate

  1. At a command prompt, type:

    Certutil -recoverkey outputblob <filename>.pfx

  2. When prompted, enter a new password. When requested, confirm the new password by typing it a second time.

  3. Copy the saved .pfx file to the computer where recovery is to be completed. The .pfx file contains the user's private key protected only by the password you just chose, so transfer it over a protected channel, communicate the password separately, and delete the file once the import is complete.

  4. Close all windows and log off the computer.

After the key has been recovered, it must be imported on the computer where the data is stored.

You must be the user to whom the certificate was issued, or an administrator on the client computer, to complete this procedure. For more information, see Implement Role-Based Administration.

To import the recovered key

  1. Open the Certificates snap-in for the user to whom the certificate was issued.

  2. In the console tree, right-click Personal, click All Tasks, and then click Import.

  3. In the Certificate Import Wizard, click Next.

  4. In File name, type the path and file name of the .pfx file, and then click Next.

  5. In Password, type the password you entered in the previous procedure, and then click Next.

  6. On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.

  7. On the Completing the Certificate Import Wizard page, click Finish.

  8. To verify that the recovered certificate has been imported successfully, in the console tree, double-click Personal, and then click Certificates.

  9. Double-click the certificate. Click the Details tab, and then verify that the serial number matches the one you recorded from the CA. On the General tab, confirm that the certificate shows "You have a private key that corresponds to this certificate"; without the private key the data still cannot be decrypted.
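The three procedures above, scripted end to end in PowerShell. This is an added example, not code from the original page: the function and parameter names are illustrative, certutil.exe is assumed to be on the PATH, and the script uses certutil's -p option and -importpfx verb to run non-interactively where the page prompts for a password or uses the Certificate Import Wizard. The serial number is still obtained from the Certification Authority snap-in as in steps 1 through 8.

```powershell
# Added example (not from the page): the three certutil steps of this
# procedure as PowerShell functions. Function and parameter names are
# illustrative; certutil.exe is assumed to be on the PATH.

function ConvertTo-CaSerialNumber {
    param([Parameter(Mandatory=$true)][string]$Serial)
    # The Details tab shows the serial as spaced byte pairs ("61 00 ab ...");
    # certutil wants the hex digits only, so strip spaces and colons and
    # reject anything that is not an even-length hex string.
    $clean = ($Serial -replace '[\s:]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]+$' -or ($clean.Length % 2) -ne 0) {
        throw "'$Serial' is not a valid certificate serial number."
    }
    return $clean
}

function Export-ArchivedKeyBlob {
    # Run on the CA as a Domain Admin (procedure 1, step 10).
    param(
        [Parameter(Mandatory=$true)][string]$SerialNumber,
        [string]$OutFile = 'outputblob'
    )
    $serial = ConvertTo-CaSerialNumber $SerialNumber
    $output = & certutil.exe -getkey $serial $OutFile 2>&1
    # A mistyped serial leaves no blob behind; treat that as a hard failure
    # instead of handing the KRA an empty or stale file.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $OutFile)) {
        throw "certutil -getkey failed (exit $LASTEXITCODE); check the serial number.`n$($output -join "`n")"
    }
    # The output's Recipient Info section names the KRA certificates whose
    # private keys can open the blob; show it so the right KRA gets the file.
    $output | ForEach-Object { Write-Host $_ }
    return Get-Item -LiteralPath $OutFile
}

function Restore-ArchivedKey {
    # Run as the key recovery agent, whose KRA certificate and private key
    # are in the Personal store (procedure 2, steps 1 and 2).
    param(
        [Parameter(Mandatory=$true)][string]$BlobPath,
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][securestring]$Password
    )
    # certutil's -p option supplies the new PFX password instead of prompting.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    & certutil.exe -p $plain -recoverkey $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $PfxPath)) {
        throw "certutil -recoverkey failed (exit $LASTEXITCODE)."
    }
    return Get-Item -LiteralPath $PfxPath
}

function Import-RecoveredKey {
    # Run on the client as the user the certificate was issued to
    # (procedure 3). -user imports into CurrentUser\My, the store the
    # Certificate Import Wizard selects for a user certificate.
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][securestring]$Password,
        [Parameter(Mandatory=$true)][string]$ExpectedSerialNumber
    )
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    & certutil.exe -user -p $plain -importpfx $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed (exit $LASTEXITCODE)." }
    # Step 9 of the page: the imported certificate must carry the original
    # serial number, and it must have come with its private key.
    $expected = ConvertTo-CaSerialNumber $ExpectedSerialNumber
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $expected }
    if (-not $cert) { throw "No certificate with serial $expected in CurrentUser\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $expected imported without its private key." }
    return $cert
}

# Usage, by three different principals on three different computers:
#   On the CA, as a Domain Admin:
#     Export-ArchivedKeyBlob -SerialNumber '<serialnumber>' -OutFile outputblob
#   As the key recovery agent, after receiving outputblob:
#     $pw = Read-Host -AsSecureString 'New PFX password'
#     Restore-ArchivedKey -BlobPath .\outputblob -PfxPath .\recovered.pfx -Password $pw
#   On the user's computer, as that user:
#     Import-RecoveredKey -PfxPath .\recovered.pfx -Password $pw -ExpectedSerialNumber '<serialnumber>'
```

Two operational caveats. Passing the password with -p puts it on the certutil command line, where other local users can read it from the process list; on a shared host, omit -p and let certutil prompt as the page describes. The recovered .pfx and the outputblob file both contain the user's private key (the blob encrypted to the KRA, the .pfx protected only by the chosen password), so delete them once the import has been verified.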

Additional considerations

  • To open a command prompt, click Start, point to All Programs, click Accessories, and then click Command Prompt.
