Share via


User Key Recovery

Applies To: Windows Server 2008

This topic includes the following procedures for key recovery:

  • Identifying archived keys for recovery

  • Retrieving archived keys

  • Decrypting archived keys

  • Importing recovered keys

Key recovery process

The recovery of a private key is a manual process. The process is initiated when a user has lost access to private key and contacts an administrator to recover an archived copy of the key.

A typical key recovery process includes the following steps:

  1. Identifying archived keys for recovery. Because key archival is performed for only some of the many certificates that a user might be issued, a certificate manager must first identify the certificates and archived keys issued to the user and obtain serial numbers for keys that are to be recovered.

  2. Retrieving archived keys from a CA database. Using a certificate's serial number, a certificate manager retrieves the archived certificate and private key. Each archived certificate also includes the serial numbers of the key recovery agent certificates that were used to encrypt the private key during key archival. The certificate and encrypted private key are stored in a file that can be transferred to a key recovery agent or decrypted directly by a CA administrator if role separation is not enforced.

  3. Decrypting archived keys. The keys are decrypted by using Certutil.exe and a key recovery agent certificate, then stored in a password protected file and transferred to the user.

  4. Importing recovered keys. The user imports the certificate and recovered keys into their personal certificate store.

Security Note
It is important to transfer the password to the user separately from the password protected file; for example, transferring the file by e-mail and the password by telephone or voice mail. File transfer can be completed by a number of methods; for example, e-mail, removable media, or shared folders. It is important to transfer the files securely so they cannot be intercepted and to delete all copies after key recovery is complete. For additional information, see Best Practices for Key Archival and Recovery.

Identifying archived keys for recovery

In organizations that have implemented role-based administration, this step can be performed only by certificate managers. Certificate manager actions may also be further restricted to specific security groups and certificate templates, as specified in the Certificate Managers tab of the CA properties.

Archived keys and serial numbers can be identified by using Certutil.exe or the Certification Authority snap-in. Because of its advanced key recovery features Certutil.exe is a more complete tool than the Certification Authority snap-in for key recovery procedures. Procedures for using each tool are included.

To identify archived keys by using Certutil.exe

  1. Log on to a CA as a CA Officer who has Certificate Management privileges.

  2. Open a Command Prompt window.

  3. Type the Certutil.exe –getkey command using the command-line options described in the following section.

The Certutil.exe –getkey command accepts the command-line options described in the following table. The value of SearchToken can be used to perform key identification and key retrieval. When more than one certificate matches the provided input Certutil.exe displays the serial number and other details for each matching certificate. When only one certificate matches the provided input Certutil.exe will retrieve certificate details and the archived key.

Certutil.exe [-config <ServerName\CAName>] –getkey <SearchToken> <OutputFileName>

Option Description Example

-config

Optional. The –config option is followed by a string specifying a host name and CA name. Not required when running the command on a CA.

Certutil.exe –config Server1\CA1 –getkey 510da4c500000000001b OutputFile.p7b

SearchToken

Required. Used to find matching certificates in the CA database. If only one matching certificate is found, it is saved to the file specified by OutputFileName. If more than one certificate is found, Certutil.exe displays the serial numbers and other details for each certificate. The value of SearchToken can be any of the following:

  • Certificate serial number (without spaces)

  • Certificate's hash value or thumbprint (without spaces)

  • User's Common Name (CN)

  • User principal name (UPN)

  • User's domain alias

  • ‎Certutil.exe –getkey 510da4c500000000001b OutputFile.p7b

  • Certutil.exe –getkey e711ec69df9e97b6cb8d5de087fb4fd22d88533e OutputFile.p7b

  • Certutil.exe –getkey "CN=user1, CN=Users, DC=nwtraders, DC=com" OutputFile.p7b

  • Certutil.exe –getkey user1@nwtraders.com OutputFile.p7b

  • Certutil.exe –getkey nwtraders\user1 OutputFile.p7b

OutputFileName

Required. Specifies the path and name of the file that the retrieved certificate and private key are saved in. If only the name is specified the file will be saved in the current directory. The copy of the private key stored in this file is encrypted and must be decrypted by a key recovery agent, as described in the section Decrypting archived keys.

‎Certutil.exe –getkey 510da4c500000000001b C:\Temp\OutputFile.p7b

To identify archived keys by using the Certification Authority snap-in

  1. Log on to a CA as a CA Officer who has Certificate Management privileges.

  2. On the Administrative Tools menu, open the Certification Authority.

  3. In the console tree, expand Certification Authority, and then click Issued Certificates.

  4. On the View menu, click Add/Remove Columns.

  5. In the Add/Remove Columns dialog box, in the Available Column list, select Archived Key, and then click Add.

    The Archived Key displays in the Displayed Columns listing.

  6. Click OK.

  7. In the details pane, scroll to the right and verify that the certificate has a value in the Archived Key column.

  8. Double-click the certificate.

  9. Click the Details tab.

  10. Copy the serial number, and then paste it into a text file. The serial number is used with the Certutil.exe –getkey command in the following procedure to retrieve the certificate and private key.

  11. Click OK.

Retrieving archived keys

Retrieval of an archived key is completed by using the Certutil.exe –getkey command. The only difference between using Certutil.exe for key identification and key retrieval is the value provided for the SearchToken option. By providing a unique identifier such as a serial number for the SearchToken value, Certutil.exe will retrieve the matching certificate and private key and save them to a file specified by the value of the OutputFileName option. Review the table and examples for Certutil.exe included in the previous section.

Decrypting archived keys

This procedure can be completed only by an individual that has been issued a key recovery certificate that was used to encrypt the archived key.

To decrypt archived keys

  1. Log on as a user that has been issued a key recovery agent certificate.

  2. Open a Command Prompt window.

  3. Type the Certutil.exe –recoverkey command using the command-line options described in the following section.

  4. Provide the output file to the user that requested key recovery; for example, by using e-mail, removable media, or shared folders.

  5. Provide the password to the user by a medium different than that used to provide the output file; for example, by voice message.

Important

It is important to transfer the password to the user separately from the password protected file; for example, transferring the file by e-mail and the password by telephone or voice mail. File transfer can be completed by a number of methods; for example, e-mail, removable media, or shared folders. It is important to transfer the files securely so they cannot be intercepted and to delete all copies after key recovery is complete. For additional information, see Best Practices for Key Archival and Recovery.

Certutil.exe –p <password> –recoverkey <InputFileName> <OutputFileName>

Option Description Example

-p

Required. The –p option is used to protect the output file. Use a strong password; for example, at least eight characters long with a combination of upper and lower case characters, numbers and punctuation. You must retain a copy of the password for the key owner to import the recovered key.

Certutil.exe –p "Str0ngP@ssword" –recoverkey InputFile.p7b OutputFile.pfx

InputFileName

Required. Specifies the path and name of the file that contains the encrypted copy of the archived key, that is the output file (.p7b) from the Certutil.exe –getkey command.

OutputFileName

Required. Specifies the path and name of the file that the decrypted private key is saved in. If only the name is specified the file will be saved in the current directory. The copy of the private key stored in this file is clear text and is protected only by the password.

Importing recovered keys

Recovered certificates and private keys can be imported from the password protected file by using the Certificate Import wizard or by using the Certutil.exe –importPFX command.

These procedures should be completed by the user that initiated the key recovery request.

To import a recovered key by using the Certificate Import wizard

  1. Using Windows Explorer, locate the password-protected file provided by the key recovery agent.

  2. Double-click the file to start the Certificate Import wizard.

  3. On the Welcome page, click Next.

  4. On the Files to Import page, click Browse to locate the recovered key file, and then click Next.

  5. On the Password page, type the password for the recovered key file, and then click Next.

  6. On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.

  7. On the Completing the Certificate Import Wizard page, click Finish.