Partilhar via


Keys lost and found: How to recover certificate lost private keys

For whatever reason, certificate private keys keep getting lost. This is annoying specially to grumpy devs.

The symptoms are clear: when you open certml.msc (machine) or certmgr.msc (user):

privatekeys

Fortunately the answer is in certutil.exe. Here are the steps:

  • Localize the certificate in Powershell in admin mode. Do "cd cert:" and then recursively traverse your certificates using let's say, your thumbprint:
    $found = ls -r | where { $_.Thumbprint -like 'TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT'}
  • Get the serial number of the certificate:
    $found[0].SerialNumber
  • Grab the serial number and feed it to certutil with the following args:
    certutil –repairstore my SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

On success you should see some of your certificate info finishing with: "CertUtil: -repairstore command completed successfully."

Then, to keep your certificate and key safe, use the Certificates module in the Microsoft Management Console or Export-PfxCertificate Powershell cmdlet to export the certificate with its private key into a .pfx file.

Done! refer to the certutil documentation for more info.

Happy coding!