How to migrate a certificate for email encryption in Outlook if the private key is not available?

OZ 226 Reputation points
2025-02-27T18:29:36.6066667+00:00

We have users with certificates for encrypting mail in Outlook. The certificate was obtained from an internal certification authority, which is still working. It became necessary to migrate the user to another machine along with the certificate for mail. But it turned out to be impossible to export the certificate together with the private key. Is there a way to transfer the certificate to another machine so that it would be possible to decrypt mail? Or somehow get the private key?


1 answer

  1. Tianyi Chang (Shanghai Wicresoft Co Ltd) 410 Reputation points Microsoft Vendor
    2025-02-28T02:30:29.34+00:00

    Hi,

    Welcome to the Microsoft Q&A platform!

    You can try the following two ways:

    1. Copy the source key file to a new computer:

    Run if you don't know the SID of the user:

    # Find the user's certificate in the personal store and read the name of its CAPI key container
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -match "user name"}
    $keyContainer = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    # The user's SID, if it is not already known
    $userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    

    Copy the key file:

    # User-store CAPI keys live under the user's roaming profile, not under ProgramData
    $sourcePath = "$env:APPDATA\Microsoft\Crypto\RSA\$userSid\$keyContainer"
    Copy-Item $sourcePath -Destination "\\New Computer\C$\Temp\" -Force
    

    Import on the new computer:

    # Run as the migrated user so the key lands in that user's own key directory
    $destPath = "$env:APPDATA\Microsoft\Crypto\RSA\User SID\"
    robocopy "C:\Temp" $destPath $keyContainer /SEC
    
    2. The administrator reissues the exportable certificate through the CA. Copy the existing template in the CA console, check “Allow private key export” in the “Request Processing” tab, and issue a new version of the template.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

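As an added example (not part of the original answer), a PowerShell inventory that runs in the affected user's session and shows, for each S/MIME certificate, whether the private key is exportable, whether it is a legacy CAPI or a CNG key, and which key file on disk belongs to it, so the admin can decide between the file copy and the reissue route. It assumes RSA keys from the internal CA and the standard Windows key-store directories; a non-RSA certificate is skipped.

```powershell
# Inventory S/MIME certificates and their private-key storage (added example, assumptions:
# RSA keys, default Windows key-store paths). Run it as the user whose mail is affected.
$smimeEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

function Get-SmimeKeyInfo {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $smimeEku })
    } | ForEach-Object {
        $cert = $_
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { return }   # not an RSA key; nothing to report here
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI (CSP) key: one file per container, named after UniqueKeyContainerName
            $info = $rsa.CspKeyContainerInfo
            if ($info.MachineKeyStore) { $root = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" } else { $root = "$env:APPDATA\Microsoft\Crypto\RSA\$sid" }
            $exportable = $info.Exportable
            $keyFile = Join-Path $root $info.UniqueKeyContainerName
            $provider = 'CAPI: ' + $info.ProviderName
        } else {
            # CNG (KSP) key: different directory, and export permission is a flag set
            $key = $rsa.Key
            if ($key.IsMachineKey) { $root = "$env:ProgramData\Microsoft\Crypto\Keys" } else { $root = "$env:APPDATA\Microsoft\Crypto\Keys" }
            $exportable = ($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            $keyFile = Join-Path $root $key.UniqueName
            $provider = 'CNG: ' + $key.Provider.Provider
        }
        # Note: the key file is DPAPI-protected with the user's master key, so copying the
        # file alone only works if that user's DPAPI master keys are also present on the
        # destination (same domain account / profile); otherwise reissue from the CA.
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Provider      = $provider
            Exportable    = $exportable
            KeyFile       = $keyFile
            KeyFileExists = Test-Path $keyFile
        }
    }
}

Get-SmimeKeyInfo | Format-List
```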
