Certutil tasks for key archival and recovery
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use certutil to retrieve and recover archived keys.
The following tasks are covered:
- To retrieve an archived private key recovery blob
- To recover an archived private key
To retrieve an archived private key recovery blob
Syntax
certutil -getkey [-f] [-gmt] [-seconds] [-v] _SearchToken_ [_RecoveryBlobOutFile_]
Parameters
- **-getkey** Retrieves the archived private key.
- **-f** Overwrites existing files or keys.
- **-gmt** Displays time as Greenwich mean time.
- **-seconds** Displays time with seconds and milliseconds.
- **-v** Specifies verbose output.
- _SearchToken_ Specifies the keys and certificates that you want to recover.
- _RecoveryBlobOutFile_ Specifies the output file containing a certificate chain and an associated private key, still encrypted to one or more key recovery agent (KRA) certificates.
- **-?** Displays a list of certutil commands.
Remarks
- SearchToken can be a certificate common name, a certificate serial number, a certificate Secure Hash Algorithm (SHA-1) hash, a requester name (that is, domain\user), or a user principal name (UPN) (that is, domain@user).
To recover an archived private key
Syntax
certutil -recoverkey [-f] [-user] [-gmt] [-seconds] [-split] [-v] [-p _Password_] _RecoveryBlobInFile_ [_PFXOutFile_ [_RecipientIndex_]]
Parameters
- **-recoverkey** Recovers the archived private key.
- **-f** Overwrites existing files or keys.
- **-user** Uses the HKEY_CURRENT_USER keys or certificate store.
- **-gmt** Displays time as Greenwich mean time.
- **-seconds** Displays time with seconds and milliseconds.
- **-split** Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- **-v** Specifies verbose output.
- **-p** _Password_ Specifies a password.
- _RecoveryBlobInFile_ Specifies the input file that contains the recovery blob retrieved from the CA.
- _PFXOutFile_ Specifies the file where you want to save the recovered key and associated PKCS #12 certificate.
- _Password_ Specifies the password used to encrypt PFXOutFile.
- _RecipientIndex_ Specifies the index of the key recovery agent (KRA) certificate to be used for decrypting the private key blob. If you do not specify this parameter, certutil tries all of the KRA certificates.
- **-?** Displays a list of certutil commands.
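The two tasks above are normally run back to back: -getkey pulls a recovery blob that is still encrypted to the KRA certificates, and -recoverkey decrypts it with a KRA private key into a password-protected PFX. The PowerShell script below is an added example, not part of the original certutil reference, that drives both verbs as one procedure and verifies the result. It assumes certutil.exe is on the PATH, that the operator has CA access for the first step and a KRA private key in their personal store for the second; the file names, the $SearchToken/$RecipientIndex parameter names and the default file names are chosen for this example only.

```powershell
# Added example, not part of the original certutil reference: drives the two
# documented verbs (-getkey, then -recoverkey) as one key-recovery procedure.
# Assumptions: certutil.exe is on PATH, the caller has CA read access for step 1
# and holds a KRA private key in their personal store for step 2. File names
# and parameter names below are chosen for this example.
param(
    [Parameter(Mandatory)] [string] $SearchToken,   # serial number, SHA-1 hash, CN, domain\user or UPN
    [string] $BlobFile       = 'recovery.blob',     # RecoveryBlobOutFile / RecoveryBlobInFile
    [string] $PfxFile        = 'recovered.pfx',     # PFXOutFile
    [int]    $RecipientIndex = -1                    # -1: omit, so certutil tries every KRA certificate
)

$ErrorActionPreference = 'Stop'

# Step 1: retrieve the recovery blob from the CA database. The private key inside
# is still encrypted to the KRA certificate(s), so this file alone cannot be used
# to recover the key; this step needs only CA access, not the KRA private key.
& certutil.exe -getkey $SearchToken $BlobFile
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed (exit code $LASTEXITCODE)" }

# Step 2: decrypt the blob with the KRA private key and write a password-protected
# PKCS #12 file. The password is read interactively rather than hard-coded; note
# that certutil still receives it as a command-line argument (-p), so it is visible
# to process-creation auditing for the lifetime of that process.
$securePassword = Read-Host -AsSecureString -Prompt "Password to protect $PfxFile"
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password

# Argument order follows the documented syntax: options first, then
# RecoveryBlobInFile [PFXOutFile [RecipientIndex]].
$recoverArgs = @('-recoverkey', '-p', $plainPassword, $BlobFile, $PfxFile)
if ($RecipientIndex -ge 0) { $recoverArgs += $RecipientIndex }
& certutil.exe @recoverArgs
$plainPassword = $null
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit code $LASTEXITCODE)" }

# Step 3: confirm the PFX opens with the chosen password and actually carries a
# private key, without importing it into any certificate store.
$pfxPath = (Resolve-Path $PfxFile).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $securePassword)
if (-not $cert.HasPrivateKey) { throw "$PfxFile contains no private key" }
Write-Host "Recovered key for subject '$($cert.Subject)' (serial $($cert.SerialNumber)) into $PfxFile"
$cert.Dispose()

# The blob is no longer needed once the PFX exists; remove it so recovery
# material does not accumulate on the operator's workstation.
Remove-Item $BlobFile
```

Run it as `.\Recover-ArchivedKey.ps1 -SearchToken <serial-or-hash>` from a session that holds the KRA private key; pass -RecipientIndex only when several KRA certificates are present and you want a specific one used instead of letting certutil try them all. Because -f is deliberately omitted, the script fails rather than silently overwriting an earlier blob or PFX with the same name.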
Formatting legend
| Format | Meaning |
|---|---|
| Italic | Information that the user must supply |
| Bold | Elements that the user must type exactly as shown |
| Ellipsis (...) | Parameter that can be repeated several times in a command line |
| Between brackets ([]) | Optional items |
| Between braces ({}); choices separated by pipe (\|). Example: {even \| odd} | Set of choices from which the user must choose only one |
| Courier font | Code or program output |
See Also
Concepts
- Command-line reference A-Z
- Command shell overview
Other Resources
- Active Directory Certificate Services PKI - Key Archival and Management