Sometimes users accidentally delete certificates from their Personal store. After that they can no longer perform certificate-based tasks: decrypt files or mail, sign data, or authenticate. Some organizations implement Key Archival so that a certificate and its private key can be recovered from the CA, but many do not, and even where key archival is enabled the template does not always require it. In our case the user simply deleted the certificate from the Personal store. Let's look at how Windows stores private keys.

When the system generates a key pair, the certificate (the public part) and the private key are stored separately. Certificates live in the registry (HKCU\Software\Microsoft\SystemCertificates for user stores, HKLM\Software\Microsoft\SystemCertificates for machine stores), while private keys are stored as files in the following locations:

  • User certificates (RSA keys in a legacy CSP, i.e. CAPI)

%APPDATA%\Microsoft\Crypto\RSA\<UserSID>

  • User certificates (CNG keys)

%APPDATA%\Microsoft\Crypto\Keys

  • Computer certificates (RSA keys in a legacy CSP)

%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys

  • Computer certificates (CNG keys)

%ALLUSERSPROFILE%\Microsoft\Crypto\Keys

On Windows Vista and later %ALLUSERSPROFILE% resolves to C:\ProgramData; the older %ALLUSERSPROFILE%\Application Data\... layout belongs to Windows XP/2003. The neighbouring %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\S-1-5-18 and %ALLUSERSPROFILE%\Microsoft\Crypto\SystemKeys folders hold user-scoped keys created by the Local System account, not the machine keys behind computer certificates. Key files are protected with DPAPI, so a user's key file can only be opened under that user's profile.

When you remove a certificate from the Certificates MMC snap-in or by other means (certutil -delstore, Remove-Item in the PowerShell Cert: drive without -DeleteKey, or programming APIs such as the .NET X509Store class), only the registry entry is removed. The associated private key file is not deleted. Look at a simple example:

PS C:\> certutil -store -user my f9c009266036cd8c4c307fe47f356faa
my
================ Certificate 4 ================
Serial Number: f9c009266036cd8c4c307fe47f356faa
Issuer: CN=vPodans
 NotBefore: 16.04.2009. 11:04
 NotAfter: 23.03.2109. 11:04
Subject: CN=vPodans
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 90 da 9f 10 2d 09 1d e2 7a fc 09 2b 72 12 e9 41 18 d5 b7 b2
  Key Container = {5F5DD854-CC3B-4F6F-8B99-89FB55FFB67D}
  Unique container name: 89a3fdb59f7870ac900a6c61cfdea3a0_74659c6a-d4ff-4c5d-acde-0ce27b655f0a
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -store command completed successfully.
PS C:\> get-item $env:appdata\Microsoft\Crypto\RSA\S-1-5-21-488871540-1024398642-2926345389-1000\89a3fdb59f7870ac900a6c61cfdea3a0_74659c6a-d4ff-4c5d-acde-0ce27b655f0a


    Directory: C:\Users\vPodans\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-488871540-1024398642-2926345389-1000


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a--s       08.09.2009.     13:56       2251 89a3fdb59f7870ac900a6c61cfdea3a0_74659c6a-d4ff-4c5d-acde-0ce27b655f0a


PS C:\>

When you run certutil -store (in my case for one particular certificate), it resolves the file name of the private key associated with the certificate (see the "Unique container name" line). I then checked that this file exists in the user key path mentioned above. When I delete the certificate, the private key file remains. As a result, all that is needed to recover is the public part of the certificate, which can be found in the userCertificate attribute of the user's Active Directory account or in the Certification Authority database.

Ok, now we need to retrieve the public part of this certificate, for example from the CA server. On the client run the following command:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer

In this example 351 is the request ID (the first column in the Certification Authority MMC snap-in) and usercert.cer is the output file name. The command needs RPC/DCOM access to the CA; if you do not have it, ask the CA administrator to export the certificate from the CA database and send it to you.

Now double-click the file and install the certificate into the Personal store (or run certutil -user -addstore My usercert.cer). When you look at the certificate it will not say that you have a private key that corresponds to it. So we need to re-associate the imported certificate with the existing private key by running the following command:

certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa

where f9c009266036cd8c4c307fe47f356faa is the serial number of the certificate to restore (the SHA-1 hash also works as the certificate ID). -repairstore enumerates the key containers of the installed CSPs/KSPs and looks for a key whose public key matches the certificate, so it must run in a context that can open the key file: as the user who owns the key with -user for the user store, or from an elevated prompt without -user for the machine store:

PS C:\> certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa
MY
================ Certificate 4 ================
Serial Number: f9c009266036cd8c4c307fe47f356faa
Issuer: CN=vPodans
 NotBefore: 16.04.2009. 11:04
 NotAfter: 23.03.2109. 11:04
Subject: CN=vPodans
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 90 da 9f 10 2d 09 1d e2 7a fc 09 2b 72 12 e9 41 18 d5 b7 b2
  Key Container = {28784BDD-2895-462F-8D59-AAB75BA4AEB3}
  Unique container name: 36156aba82aac9a7c4cb75ae06f5dfda_74659c6a-d4ff-4c5d-acde-0ce27b655f0a
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
PS C:\>

Look at the "Encryption test passed" message: certutil found a key container matching the certificate's public key and linked it back to the certificate. Now you can check in the Certificates MMC snap-in that the certificate has a private key again (the certificate icon gains a small key).
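The whole procedure as one PowerShell script (an added example, not code from the original article): it imports the retrieved .cer into the Personal store, runs certutil -repairstore for the serial number read from the file, and verifies that the store object now reports a private key. The file name usercert.cer and the choice of store location are the only inputs; everything else is read from the certificate itself.

```powershell
<#
 Added example (not part of the original article): re-import a certificate's public part
 and re-attach it to the private key file that is still on disk, then verify the result.
 Assumptions: the .cer was obtained as described above (certreq -retrieve from the CA, or
 the userCertificate attribute in AD); the script runs as the user who owns the key for
 CurrentUser, or from an elevated prompt for LocalMachine.
#>
param(
    [Parameter(Mandatory)] [string]$CerPath,     # e.g. .\usercert.cer
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Location = 'CurrentUser'
)

$cerFile = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFile
$storePath = "Cert:\$Location\My"
Write-Host "Subject : $($cert.Subject)"
Write-Host "Serial  : $($cert.SerialNumber)"
Write-Host "SHA1    : $($cert.Thumbprint)"

# Step 1: install the public part into the Personal store (same as double-clicking the .cer).
$imported = Import-Certificate -FilePath $cerFile -CertStoreLocation $storePath
if ($imported.HasPrivateKey) {
    Write-Host 'Certificate is already bound to a private key; nothing to repair.'
    return
}

# Step 2: let certutil search the CSPs/KSPs for a key whose public key matches the certificate.
# -user selects the current user's providers and key files; omit it for the machine store.
$cuArgs = @()
if ($Location -eq 'CurrentUser') { $cuArgs += '-user' }
$cuArgs += '-repairstore', 'My', $cert.SerialNumber
$output = & certutil.exe @cuArgs 2>&1
$output | Write-Host
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE (no matching key container?)"
}

# Step 3: verify from the store object, not just from certutil's text.
$selfTest = $output | Select-String -Pattern 'test passed'   # "Encryption test passed" in the article
$repaired = Get-Item -LiteralPath "$storePath\$($cert.Thumbprint)"
if ($repaired.HasPrivateKey) {
    Write-Host "Recovered: $($repaired.Thumbprint) is linked to a private key again. $selfTest"
} else {
    Write-Warning 'Store object still has no private key: the key file may have been deleted or belongs to another user profile.'
}
```

If the key file itself is gone, or the key was on a smart card or TPM that is no longer present, -repairstore has nothing to find and the script ends with the warning; at that point only Key Archival on the CA (if it was enabled for the template) can bring the key back.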



Comments:

Matthias L.

Hi Vadims, if the deletion of a certificate in MMC doesn't delete the private key, which procedure do you recommend to completely destroy the keys in a comfortable manner?

Vadims Podans

You can delete the private key file manually. Alternatively, you can export the certificate to a PFX; there is an option to delete the private key after export (of course, only if the private key is allowed to be exported). Also, there is the CryptDestroyKey function, but I'm not sure if this is the right function to delete private key material.

toluz

I had a problem with "certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer": I had no access, but I asked my administrator to export my certificate manually from the CA and to send it to me. This worked for me. This was a very helpful article, thanks.

Patrice

Thank you very much !

Marius

Man, you saved me !!!!

Paldies very much.

John W

Windows 10 user here. Somehow my user account has a different certificate now, and I cannot access any files in my system. I get "Access Denied" when trying to do anything with the files. I can see them but nothing else is allowed. I did not know the system needed to have certificates backed up. I recently used PowerShell to run sfc /scannow to get back my Windows start menu. I also ran a command recommended by PC World (3 fixes for a dead Windows start menu) to get the menu working. That was successful, but now I don't have access to my files, and I think the certificate was replaced while doing something I described. Is there a way to retrieve the old certificates using Explorer, from a system backup or restore point?

Vadims Podāns

If you have a system backup, you can restore it on a temporary machine and look for the certificate in the certificate store (via the Certificates MMC).

Hendre

Hi. Do you know how to perform this procedure on Windows 10? I do not know how to retrieve my public key:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer

What will the CAComputerName\CAName be on a Windows 10 machine not connected to a domain?

Vadims Podāns

The procedures are the same for Windows 10. If you are disconnected from domain/CA, you should ask your systems administrator to extract a certificate from CA database and send it to you.

Hendre

Hi Vadims. I am not connected to a corporate network and do not have a systems administrator. I created the file encryption key on a standalone Windows 10 PC. How do I access the CA database to extract the public key?

Vadims Podāns

If you created a key on a standalone Windows box, then it is just a simple self-signed certificate. No CA is involved and you have to search for the certificate elsewhere. Maybe in other containers in the Windows certificate store.

Matthias Raffel

Just a hint: the icon of the certificate has a little key picture built in; this can be used to check very quickly whether you have a "connected" corresponding private key for the displayed certificate. For example, compare a root certificate's icon with a user or computer certificate's icon.

Stan Kaminski

Hi Vadims. Is there a way to bulk erase all lone private keys? I did some experiments on my PC which left me with hundreds of them that can be safely destroyed.

Vadims Podāns

> Is there a way to bulk erase all lone private keys?

It is quite tricky. You will need to enumerate all certificates in the desired certificate store and collect information about their private keys. Then you can enumerate all key files (or better, query all cryptographic providers and the keys inside them) and check whether a particular key belongs to any active certificate. If there is no match, the non-matching key is a candidate for deletion. That's all I can suggest at this point.
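The procedure outlined in the reply above, written out as a PowerShell script (an added example, not the author's code and not something from the article): it collects the unique key names of every certificate in every CurrentUser store, lists the key files in the two user key folders from the article, and reports the files that nothing references. It matches by file name, which is how the Microsoft software CSPs and the Microsoft Software Key Storage Provider store keys; keys held by smart cards or the TPM KSP are not on disk here and are ignored. It is report-only unless -Delete is passed, and -Delete honours -WhatIf. The assumption that a CAPI key surfaced as RSACng on PowerShell 7 still reports its file name through Key.UniqueName is marked in the code.

```powershell
<#
 Added example (not from the article or its comments): find private-key files in the
 current user's key folders that no certificate in any CurrentUser store references.
 Report-only by default; -Delete removes them and supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Delete)

function Get-UniqueKeyName {
    # Returns the on-disk file name of a certificate's private key, or $null if it cannot be resolved.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
    } catch { return $null }   # key is referenced but not openable (other profile, removed token, ...)
    if ($null -eq $key) { return $null }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $key.CspKeyContainerInfo.UniqueKeyContainerName   # CAPI: file name under RSA\<SID>
    }
    if ($key.PSObject.Properties['Key']) {                        # RSACng / ECDsaCng
        # CNG: file name under Keys. Assumption: on PowerShell 7 (.NET Core) a CAPI-backed key is
        # also returned as RSACng and its UniqueName is still the RSA\<SID> file name.
        return $key.Key.UniqueName
    }
    return $null
}

function Get-OrphanKeyFile {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $keyDirs = @(
        (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"),  # CAPI user keys (article, first bullet)
        (Join-Path $env:APPDATA 'Microsoft\Crypto\Keys')       # CNG user keys (article, second bullet)
    )

    # 1. Every key file name still referenced by a certificate in any CurrentUser store.
    $referenced = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem Cert:\CurrentUser -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $name = Get-UniqueKeyName -Cert $_
        if ($name) { [void]$referenced.Add($name) }
    }

    # 2. Key files on disk whose name matches no certificate. The files carry the System
    #    attribute (see the "-a--s" mode in the article's listing), hence -Force.
    foreach ($dir in $keyDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force | Where-Object { -not $referenced.Contains($_.Name) }
    }
}

$orphans = @(Get-OrphanKeyFile)
Write-Host ("{0} key file(s) not referenced by any CurrentUser certificate" -f $orphans.Count)
$orphans | Select-Object Name, Length, LastWriteTime, DirectoryName | Format-Table -AutoSize

if ($Delete) {
    foreach ($f in $orphans) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete unreferenced private key file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Run it once without -Delete, then with -Delete -WhatIf, and only then for real. A key that no certificate references is not necessarily garbage: applications can create persisted CNG keys without ever issuing a certificate for them, and a certificate that lives only in a backup (or that you intend to recover with -repairstore as described in the article) still needs its file. Back the folders up first; the same logic applies to the machine stores, but that run needs an elevated prompt and the MachineKeys/Keys folders under %ALLUSERSPROFILE%.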

rtroxell

Thank you!!!!! I was able to use this method and sort things out. I was able to locate the serial number from another user who still had her previous certificate stored; from there it was a matter of using the commands.

Patrick

The command "certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer" is not available to me. I get an error message as follows: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

https://servimg.com/view/11814235/1709

Ceci Ceci

