
Certutil tasks for key archival and recovery

Updated: November 5, 2012

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


You can use certutil to retrieve and recover archived keys.

This topic describes the syntax for the following tasks:

To retrieve an archived private key recovery blob

Syntax

certutil -getkey [-f] [-gmt] [-seconds] [-v] SearchToken [RecoveryBlobOutFile]

Parameters
-getkey
Retrieves the archived private key.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

SearchToken
Specifies the keys and certificates that you want to recover.

RecoveryBlobOutFile
Specifies the output file containing a certificate chain and an associated private key, still encrypted to one or more key recovery agent (KRA) certificates.

-?
Displays a list of certutil commands.

Remarks
  • SearchToken can be a certificate common name, a certificate serial number, a certificate Secure Hash Algorithm (SHA-1) hash, a requester name (that is, domain\user), or a user principal name (UPN) (that is, domain@user).

To recover an archived private key

Syntax

certutil -recoverkey [-f] [-user] [-gmt] [-seconds] [-split] [-v] [-p Password] RecoveryBlobInFile [PFXOutFile [RecipientIndex]]

Parameters
-recoverkey
Recovers the archived private key.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-p Password
Specifies a password.

RecoveryBlobInFile
Specifies the input file that contains the recovery blob retrieved from the CA.

PFXOutFile
Specifies the file where you want to save the recovered key and associated PKCS #12 certificate.

Password
Specifies the password with which PFXOutFile is encrypted.

RecipientIndex
Specifies the index of the key recovery agent (KRA) certificate to be used for decrypting the private key blob. If you do not specify this parameter, certutil tries all of the KRA certificates.

-?
Displays a list of certutil commands.
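The two tasks above are normally run back to back: -getkey pulls the archived key out of the CA database as a blob that is still encrypted to the key recovery agent (KRA) certificate, and -recoverkey decrypts that blob with the KRA's private key and writes a password-protected PKCS #12 file. The following PowerShell script is an added worked example of that sequence; it is not part of the original page. The search token, the file names recovery.blob and recovered.pfx, and the RecipientIndex value are placeholders, and the script assumes the account running it may retrieve archived keys from the CA and has the matching KRA private key available on the machine.

```powershell
# Added example (not from the original page): retrieve and recover an archived key
# with the two certutil tasks documented above.
# Assumptions: SearchToken, the file names and RecipientIndex are placeholders; the
# caller can retrieve archived keys from the CA and holds a KRA private key locally.
param(
    [Parameter(Mandatory = $true)]
    [string] $SearchToken,                       # CN, serial number, SHA-1 hash, requester name or UPN

    [string] $RecoveryBlob   = 'recovery.blob',  # placeholder: output file of -getkey
    [string] $PfxOut         = 'recovered.pfx',  # placeholder: output file of -recoverkey
    [int]    $RecipientIndex = -1                # placeholder: -1 lets certutil try every KRA certificate
)

$ErrorActionPreference = 'Stop'

# Step 1: retrieve the recovery blob. The private key inside it is still encrypted
# to the KRA certificate(s), so this file on its own does not expose the key.
& certutil.exe -getkey -f -v $SearchToken $RecoveryBlob
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed (exit code $LASTEXITCODE)" }
if (-not (Test-Path -LiteralPath $RecoveryBlob)) { throw "No recovery blob was written to $RecoveryBlob" }

# Step 2: decrypt the blob with the KRA private key and write a password-protected PKCS #12 file.
# The password is read without echo, but certutil still receives it as a command-line
# argument, so run this interactively on the KRA workstation rather than from a scheduled job.
$securePwd = Read-Host -Prompt 'Password for the output PFX' -AsSecureString
$pfxPwd    = (New-Object System.Net.NetworkCredential('', $securePwd)).Password
if ([string]::IsNullOrEmpty($pfxPwd)) { throw 'An empty PFX password is not acceptable' }

$recoverArgs = @('-recoverkey', '-f', '-p', $pfxPwd, $RecoveryBlob, $PfxOut)
if ($RecipientIndex -ge 0) { $recoverArgs += $RecipientIndex }   # optional: select one KRA certificate
& certutil.exe @recoverArgs
$pfxPwd = $null
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit code $LASTEXITCODE)" }
if (-not (Test-Path -LiteralPath $PfxOut)) { throw "No PFX was written to $PfxOut" }

# Step 3: the PFX now contains a usable private key. Restrict it to the recovering
# account (icacls is a standard Windows tool) until it is handed over and deleted.
& icacls.exe $PfxOut /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)"
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not restrict the ACL on $PfxOut" }

Write-Host "Recovered key written to $PfxOut; recovery blob kept at $RecoveryBlob for the audit record."
```

Run it as `.\Recover-ArchivedKey.ps1 -SearchToken <serial number or UPN>` from an elevated PowerShell session on the machine that holds the KRA private key. Passing RecipientIndex is only needed when several KRA certificates are configured and you want certutil to use one specific KRA instead of trying them all. The recovery blob is left in place because it is harmless without the KRA key and documents which key was recovered; the PFX is the sensitive artifact and should be deleted once the user has imported it.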

Formatting legend

Format                                                                      Meaning
Italic                                                                      Information that the user must supply
Bold                                                                        Elements that the user must type exactly as shown
Ellipsis (...)                                                              Parameter that can be repeated several times in a command line
Between brackets ([])                                                       Optional items
Between braces ({}); choices separated by pipe (|). Example: {even|odd}     Set of choices from which the user must choose only one
Courier font                                                                Code or program output
