Manual Key Archival

Updated: August 26, 2009

Applies To: Windows Server 2008

Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:

  • Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook.

  • Certificates issued by CAs that do not support key archival.

  • Certificates installed on the Microsoft Windows® 2000 and Windows Millennium Edition operating systems.

This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database:

  • Certutil.exe

  • Certificates snap-in

  • Microsoft Office Outlook

Only members of the Administrators group can complete this procedure for computer or service certificates.

  1. Open the Certificates snap-in for the user, computer, or service that owns the private key that you want to archive.

  2. In the console tree, expand Personal and click Certificates.

  3. In the details pane, click the certificate that you want to export.

  4. On the Action menu, point to All Tasks, and then click Export.

  5. In the Certificate Export Wizard, click Yes, export the private key.

    The option to export the private key will appear only if the private key is marked as exportable and you have access to the private key.

  6. On the Export File Format page, click Next.

    If the private key is no longer required on the computer, click Delete the private key if the export is successful.

  7. In Password, type a password to encrypt the private key that you are exporting. In Confirm password, type the same password again, and then click Next.

    You will be required to provide the same password to import the key, and the key will be lost if the password is not available.

  8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key. Click Next, and then click Finish.

  1. Open a Command Prompt window.

  2. Type the Certutil.exe –exportpfx command using the command-line options described in the following table.

Certutil.exe [-p <Password>] –exportpfx <CertificateId> <OutputFileName>

For additional command line options, type Certutil.exe –exportpfx -?.


Option Description Example


Optional. Used to protect the private key file. If specified, then also required to import the key file.

Certutil.exe –p Password –exportpfx 510da4c500000000001b C:\ExportedKeys.pfx


Required. A unique identifier for the certificate being exported. Can be any of the following:

  • Certificate serial number (without spaces)

  • Certificate's hash value or thumbprint (without spaces)

  • User's Common Name (CN)

  • User principal name (UPN)

  • User's domain alias

Certutil.exe –exportpfx 510da4c500000000001b C:\ExportedKeys.pfx


Required. Specifies the path and name of the file that the exported certificate and private key are saved in. If only the name is specified the file will be saved in the current directory.

‎Certutil.exe –exportpfx C:\ExportedKeys.pfx

Use this procedure to export a private key from an S/MIME certificate used by Microsoft Office Outlook, which is stored separately from the user's certificate store and cannot be archived through automatic key archival.

  1. Start Microsoft Office Outlook 2007.

  2. On the Tools menu, click Trust Center.

  3. Click E-mail Security.

  4. Click Import/Export.

  5. Click Export your Digital ID to a file.

  6. Click Select, select the certificate you want to export, and click OK.

  7. Type a file name and password, and then click OK.

To export a private key by using Microsoft Office Outlook 2000 or Microsoft Office Outlook 2003, see Exporting Keys from Outlook in Understanding Manual Key Archival (

Use this procedure to manually import private keys from a file to a CA database.

The CA must be configured to support key archival. See Configuring a CA for key archival and recovery.

  1. Open a Command Prompt window.

  2. Type the Certutil.exe –importkms command using the command-line options described in the following table.

CertUtil.exe [-config <ServerName\CAName>] [–f] [-p <password>] –importkms <PrivateKeyFile>

For additional command line options, type Certutil.exe –importkms -?.


Option Description Example


Required when certificates were issued by a different CA.

Certutil.exe –f –importkms C:\ArchivedKeys.pfx


Optional. The –config option is followed by a string specifying a host name and CA name. Not required when running the command on a CA.

Certutil.exe –config Server1\CA1 -importkms C:\ArchivedKeys.pfx


Required if a password was used during key export to protect the private key file.

Certutil.exe –p Password –importkms C:\OutlookKeys.epf


File to be imported. Can be the following formats:

  • PKCS #12 (.pfx)

  • Outlook export file (.epf)

  • Key Management Server export file

Certutil.exe –importkms C:\OutlookKeys.epf

Community Additions