Manual Key Archival

Applies To: Windows Server 2008

Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:

  • Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook.

  • Certificates issued by CAs that do not support key archival.

  • Certificates installed on the Microsoft Windows® 2000 and Windows Millennium Edition operating systems.

This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database:

  • Certutil.exe

  • Certificates snap-in

  • Microsoft Office Outlook

Exporting a private key

Only members of the Administrators group can complete this procedure for computer or service certificates.

To export a certificate and private key by using the Certificates snap-in

  1. Open the Certificates snap-in for the user, computer, or service that owns the private key that you want to archive.

  2. In the console tree, expand Personal and click Certificates.

  3. In the details pane, click the certificate that you want to export.

  4. On the Action menu, point to All Tasks, and then click Export.

  5. In the Certificate Export Wizard, click Yes, export the private key.

Note

The option to export the private key will appear only if the private key is marked as exportable and you have access to the private key.

  6. On the Export File Format page, click Next.

Note

If the private key is no longer required on the computer, click Delete the private key if the export is successful.

  7. In Password, type a password to encrypt the private key that you are exporting. In Confirm password, type the same password again, and then click Next.

Important

You will be required to provide the same password to import the key, and the key will be lost if the password is not available.

  8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key. Click Next, and then click Finish.

To export private keys by using Certutil.exe

  1. Open a Command Prompt window.

  2. Type the Certutil.exe -exportpfx command using the command-line options described in the following table.

Certutil.exe [-p <Password>] -exportpfx <CertificateId> <OutputFileName>

Note

For additional command-line options, type Certutil.exe -exportpfx -?.

Option: -p

  Description: Optional. Used to protect the private key file with a password. If specified, the same password is also required to import the key file.

  Example: Certutil.exe -p Password -exportpfx 510da4c500000000001b C:\ExportedKeys.pfx

Option: CertificateId

  Description: Required. A unique identifier for the certificate being exported. Can be any of the following:

  • Certificate serial number (without spaces)

  • Certificate's hash value or thumbprint (without spaces)

  • User's Common Name (CN)

  • User principal name (UPN)

  • User's domain alias

  Example: Certutil.exe -exportpfx 510da4c500000000001b C:\ExportedKeys.pfx

Option: OutputFileName

  Description: Required. Specifies the path and name of the file that the exported certificate and private key are saved in. If only the name is specified, the file is saved in the current directory.

  Example: Certutil.exe -exportpfx 510da4c500000000001b C:\ExportedKeys.pfx

Exporting a private key by using Microsoft Office Outlook

Use this procedure to export a private key from an S/MIME certificate used by Microsoft Office Outlook, which is stored separately from the user's certificate store and cannot be archived through automatic key archival.

To export a private key by using Microsoft Office Outlook 2007

  1. Start Microsoft Office Outlook 2007.

  2. On the Tools menu, click Trust Center.

  3. Click E-mail Security.

  4. Click Import/Export.

  5. Click Export your Digital ID to a file.

  6. Click Select, select the certificate you want to export, and click OK.

  7. Type a file name and password, and then click OK.

Note

To export a private key by using Microsoft Office Outlook 2000 or Microsoft Office Outlook 2003, see Exporting Keys from Outlook in Understanding Manual Key Archival (https://go.microsoft.com/fwlink/?LinkId=161327).

Importing private keys to a CA

Use this procedure to manually import private keys from a file to a CA database.

The CA must be configured to support key archival. See Configuring a CA for key archival and recovery.

To import private keys to a CA

  1. Open a Command Prompt window.

  2. Type the Certutil.exe -importkms command using the command-line options described in the following table.

Certutil.exe [-config <ServerName\CAName>] [-f] [-p <Password>] -importkms <PrivateKeyFile>

Note

For additional command-line options, type Certutil.exe -importkms -?.

Option: -f

  Description: Required when the certificates were issued by a different CA.

  Example: Certutil.exe -f -importkms C:\ArchivedKeys.pfx

Option: -config

  Description: Optional. The -config option is followed by a string specifying a host name and CA name. Not required when running the command on the CA itself.

  Example: Certutil.exe -config Server1\CA1 -importkms C:\ArchivedKeys.pfx

Option: -p

  Description: Required if a password was used during key export to protect the private key file.

  Example: Certutil.exe -p Password -importkms C:\OutlookKeys.epf

Option: PrivateKeyFile

  Description: Required. The file to be imported. Can be any of the following formats:

  • PKCS #12 (.pfx)

  • Outlook export file (.epf)

  • Key Management Server export file

  Example: Certutil.exe -importkms C:\OutlookKeys.epf
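The export-then-import procedure above, as an added PowerShell example that is not part of the original topic: it exports one certificate's private key from the current user's Personal store to a password-protected PKCS #12 file, archives it in the CA database with Certutil.exe -importkms, and removes the local file afterwards. The thumbprint is a placeholder; the output path and CA config string reuse the topic's example values.

```powershell
# Added example, not from the original topic. Placeholders: $Thumbprint must be replaced;
# $PfxPath and $CaConfig reuse the values shown in the topic's certutil examples.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'      # thumbprint of the certificate to archive (no spaces)
$PfxPath    = 'C:\ExportedKeys.pfx'         # <OutputFileName>
$CaConfig   = 'Server1\CA1'                 # <ServerName\CAName>; omit -config when run on the CA

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key on this computer' }

# The password protects the PKCS #12 file and is required again at import; without it the key is lost.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Export throws a CryptographicException when the key is not marked exportable or not accessible,
# the same conditions under which the wizard hides "Yes, export the private key".
try {
    $pfxBytes = $cert.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
} catch [System.Security.Cryptography.CryptographicException] {
    throw "Private key is not exportable or not accessible: $($_.Exception.Message)"
}
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)

# certutil takes the password on the command line, so decrypt the SecureString only for this call
# and release the unmanaged buffer as soon as the copy has been made.
$bstr  = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
try {
    # Add -f when the certificate was issued by a different CA than the one named in -config.
    & certutil.exe -config $CaConfig -p $plain -importkms $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -importkms failed with exit code $LASTEXITCODE" }
} finally {
    $plain = $null
    # The key is still in the user's store and, on success, in the CA database; do not leave the
    # exportable file on disk. Remove-Item deletes the file but does not overwrite its contents.
    Remove-Item -Path $PfxPath -Force -ErrorAction SilentlyContinue
}
```

Run it in the security context of the user who owns the certificate (or as an Administrator for computer or service certificates, with Cert:\LocalMachine\My in place of Cert:\CurrentUser\My).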