Restore certificate with private key


  • Hello,

    I have a windows server 2012 R2 for my root CA and I would like to restore the private key for a user certificate.

    with command: 

    certutil -repairstore my "xxxxxxxxxxxxxxxxx" I have a prompt to use a smart card...

    Do you have any idea to fix this problem?



    יום חמישי 05 יולי 2018 12:39

כל התגובות

  • Hi dominoforever,

    First of all, we need to figure out where the private key is. When logged on as the user, give the command certutil -store my. For the certificate in question, look for the attribute Key Container. Also write down the attribute Provider. Assuming you don't use smartcards or anything similar, look for a file that has the same name as the Key Container attribute.

    Kind Regards,

    יום שישי 06 יולי 2018 11:26
  • For the user certificate I don't have any Key container.

    No key provider information. But I saw on a forum If the file are still present in the user profile we can recover it.

    I don't use a smart card or something similar.

    Any idea?


    יום שישי 06 יולי 2018 13:22
  • Hi dominoforever,

    You're absolutely right, if the private key file is still present in the user profile, you can recover it. But the file has to be there.

    I did make one mistake, the right command is certutil -store -user My. You also need to have the user certificate in the store.

    If it does not return a Key Container attribute for the certificate in question (while it does return the other data for the certificate in question), regretfully there's no other choice but to give up.

    Kind Regards,

    יום שלישי 10 יולי 2018 07:25
  • Hello J.C.

    Thank you. If I test to recover the certificate from the server I have the problem with the smart card and I don't use it.

    What's the problem?

    This hotfix is installed

    Any idea?



    יום שלישי 10 יולי 2018 07:48
  • Hi dominoforever,

    Only one. I think you will be happier hiring an external consultant. They can look in real time to see what's happening and do diagnostic actions on the spot to find out what precisely is going on in your environment.

    Kind Regards,

    יום חמישי 12 יולי 2018 08:02
  • The -repairstore command can take the argument "-csp" to allow you to specify the provider that has the key for the certificate. By default, windows will try all providers including smart cards. If you want to skip the smart card, specify the provider of the certificate. 

    To find the provider name, first locate the thumbprint of your certificate you are trying to fix. Then using that thumbprint, run this command and replace <thumbprint> with the appropriate value:

    cerutil -user -store my <thumbprint>

    You will see the Provider name listed. Using that:

    certutil -csp <providername-here> -user -repairstore my <thumbprint>

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent ( and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at

    יום חמישי 12 יולי 2018 16:23