Share via


Find Archived Keys for a certificate, extract them and Decrypt them

Hello folks,

 This is the outline of the process I use for Key Recovery in Active Directory Certificate Services. Variables are underlined to identify them. You should replace those variables with the corresponding values.

 Step #1 (optional) : For a given certificate requester name, find all the certificates that have been archived and output their serial number.

*************************************************************************************************************************************************************************************************

certutil -view -restrict "Request.KeyRecoveryHashes=KRA HASH" -out "Request.RequesterName" | certutil -view -silent -restrict "Request.RequesterName=Requester Logon ID" -out "Serial Number"

ex: certutil -view -restrict "Request.KeyRecoveryHashes=e1 33 90 f0 7e 31 f0 50 44 30 0d b5 88 98 b5d4 69 bd 99 7a" -out "Request.RequesterName" | certutil -view -silent -restrict "Request.RequesterName=CONTOSO\KEYOWNER01" -out "Serial Number"

*************************************************************************************************************************************************************************************************

 Step#2: This command will take the serial number of the archived certificate (identified in step 1)  and dump it’s BLOB

 *************************************************************************************************************************************************************************************************

Certutil -getkey Certificate Serial Number Outputfilelocation

ex: Certutil -getkey 1111c230000000008989 C:\Extract\Blob

*************************************************************************************************************************************************************************************************

Step#3:This command will take the blob file for the certificate you identified in step 1 and will extract the key in pfx format

*************************************************************************************************************************************************************************************************

Certutil -f -recoverkey Blobfile user1key.pfx

ex: Certutil -f -recoverkey C:\Extract\Blob user1key.pfx

 

*************************************************************************************************************************************************************************************************

Notes

In step 1, this is a piping process of two commands. The first one identifies all certificates that are encrypted and the second one identifies the certificates that belong to the user you specify

In step 3, you need to have the KRA certificate installed locally and you will be prompted to enter a password for the pfx file twice for confirmation