OverviewIf you have Key Archival enabled then you can recover private keys. If you don’t have Key Archival enabled then click here for instructions.
In this post, I’ll demonstrate how to recover a lost private key
How to recover a lost private keyYou need to be logged in with one of your Key Recovery Agents that you specified when you configured Key Archival.
Firstly, locate your certificate in the Issued Certificates section using the CA snap-in:
You then need to get the serial number so you can just double click it, go to details and select Serial Number:
Remove the spaces from the Serial Number:
Use certutil to get the key:
certutil -getkey 1a00000042af62922b38431f48000100000042 C:\Temp\key.key
You then use certutil again to recover the private key:
certutil -recoverkey C:\Temp\key.key c:\temp\cert.pfx
You now have a .pfx file and you can import this back onto your client using certmgr.msc