Certutil tasks for key archival and recovery

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to retrieve and recover archived keys.

This topic describes the syntax for the following tasks:

  • To retrieve an archived private key recovery blob

  • To recover an archived private key

To retrieve an archived private key recovery blob

Syntax

certutil -getkey [-f] [-gmt] [-seconds] [-v] SearchToken [RecoveryBlobOutFile]

Parameters
  • -getkey Retrieves the archived private key.
  • -f Overwrites existing files or keys.
  • -gmt Displays time as Greenwich mean time.
  • -seconds Displays time with seconds and milliseconds.
  • -v Specifies verbose output.
  • SearchToken Specifies the keys and certificates that you want to recover.
  • RecoveryBlobOutFile Specifies the output file containing a certificate chain and an associated private key, still encrypted to one or more key recovery agent (KRA) certificates.
  • -? Displays a list of certutil commands.
Remarks
  • SearchToken can be a certificate common name, a certificate serial number, a certificate Secure Hash Algorithm (SHA-1) hash, a requester name (that is, domain\user), or a user principal name (UPN) (that is, domain@user).

To recover an archived private key

Syntax

certutil -recoverkey [-f] [-user] [-gmt] [-seconds] [-split] [-v] [-p Password] RecoveryBlobInFile [PFXOutFile] [RecipientIndex]

Parameters
  • -recoverkey Recovers the archived private key.
  • -f Overwrites existing files or keys.
  • -user Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt Displays time as Greenwich mean time.
  • -seconds Displays time with seconds and milliseconds.
  • -split Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v Specifies verbose output.
  • -p Password Specifies a password.
  • RecoveryBlobInFile Specifies the input file that contains the recovery blob retrieved from the CA.
  • PFXOutFile Specifies the file where you want to save the recovered key and the associated certificate as PKCS #12.
  • Password Specifies the password used to encrypt PFXOutFile.
  • RecipientIndex Specifies the index of the key recovery agent (KRA) certificate to be used for decrypting the private key blob. If you do not specify this parameter, certutil tries all of the KRA certificates.
  • -? Displays a list of certutil commands.
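The two tasks above are the two halves of one recovery procedure: -getkey pulls the archived key from the CA as a blob that is still encrypted to the key recovery agent (KRA) certificate, and -recoverkey decrypts that blob with the KRA private key and writes a password-protected PFX. The following PowerShell script, which is an added example and not part of the original reference, chains both steps with the switches documented on this page. The search token, file paths and password prompt are placeholders you supply; the script assumes it is run as a user who holds a KRA private key.

```powershell
# Added example (not from the original page): recover an archived private key
# in two certutil steps. All values below are placeholders; replace them.
$SearchToken = "<serial number, SHA-1 hash, common name, domain\user or UPN>"
$BlobFile    = Join-Path $env:TEMP "recovery.blob"   # output of -getkey
$PfxFile     = Join-Path $env:TEMP "recovered.pfx"   # output of -recoverkey

# Prompt for the PFX password rather than hard-coding it in the script.
# certutil needs it as a plain argument, so convert it just before use and
# zero the intermediate buffer afterwards.
$SecurePassword = Read-Host -AsSecureString "Password for $PfxFile"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
try {
    $PlainPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Step 1: retrieve the recovery blob from the CA. The blob holds the
# certificate chain and the private key, still encrypted to the KRA
# certificate(s), so it cannot be used on its own.
certutil -getkey -f -v $SearchToken $BlobFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BlobFile)) {
    throw "certutil -getkey failed for search token '$SearchToken' (exit code $LASTEXITCODE)"
}

# Step 2: decrypt the blob with the KRA private key and save a PFX protected
# by the supplied password. No RecipientIndex is given, so certutil tries
# every KRA certificate available to this user. Add -user if the KRA
# certificate and key live in the current user's store rather than the
# machine store.
certutil -recoverkey -f -p $PlainPassword $BlobFile $PfxFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PfxFile)) {
    throw "certutil -recoverkey failed (exit code $LASTEXITCODE); is a KRA private key available to this user?"
}

# The blob is no longer needed once the PFX exists. Removing it limits the
# number of copies of recoverable key material left on disk.
Remove-Item $BlobFile -Force
$PlainPassword = $null
Write-Host "Recovered key written to $PfxFile"
```

The same two certutil commands can be typed directly at a command prompt; the script only adds the prompt, the exit-code checks and the cleanup. The resulting PFX contains the subscriber's private key protected by nothing more than the chosen password, so it should be delivered over a protected channel and working copies deleted once imported. Because step 2 succeeds only where a KRA private key is present, the set of people holding KRA certificates is the effective access control on every archived key.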

Formatting legend

  • Italic: Information that the user must supply
  • Bold: Elements that the user must type exactly as shown
  • Ellipsis (...): Parameter that can be repeated several times in a command line
  • Between brackets ([]): Optional items
  • Between braces ({}), choices separated by pipe (|), for example {even|odd}: Set of choices from which the user must choose only one
  • Courier font: Code or program output

See Also

Concepts

Command-line reference A-Z
Command shell overview

Other Resources

Active Directory Certificate Services PKI - Key Archival and Management