certutil -getkey [-f] [-gmt] [-seconds] [-v] SearchToken [RecoveryBlobOutFile]

-getkey

Retrieves the archived private key.

-f

Overwrites existing files or keys.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

SearchToken

Specifies the keys and certificates that you want to recover.

RecoveryBlobOutFile

Specifies the output file containing a certificate chain and an associated private key, still encrypted to one or more key recovery agent (KRA) certificates.

-?

Displays a list of certutil commands.

• SearchToken can be a certificate common name, a certificate serial number, a certificate Secure Hash Algorithm (SHA-1) hash, a requester name (that is, domain\user), or a user principal name (UPN) (that is, domain@user).
  
  

certutil -recoverkey [-f] [-user] [-gmt] [-seconds] [-split] [-v] [-pPassword] RecoveryBlobInFile [PFXOutFile] [RecipientIndex]]

-recoverkey

Recovers the archived private key.

-f

Overwrites existing files or keys.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-p Password

Specifies a password.

RecoveryBlobInFile

Specifies the input file that contained the recovery blob retrieved from the CA.

PFXOutFile

Specifies the file where you want to save the recovered key and associated PKCS #12 certificate.

Password

Encrypts PFXOutFile to a password.

RecipientIndex

Specifies the index of the key recovery agent (KRA) certificate to be used for decrypting the private key blob. If you do not specify this parameter, certutil tries all of the KRA certificates.

-?

Displays a list of certutil commands.