Restoring a Certificates Private Key without the CertReq

I had a client issue a CertReq awhile ago and forgot to publish this post from a SharePoint 2007 created IIS Virtual Server being used for Staging and when the WebApp was removed, the choice to delete the IIS Virtual Server was chosen though the Content Db was not.

Since IIS had lost the link to the CertReq and it had to be reestablished in order to mark the private keys as exportable… You can still use the Cert from the response but without the keys it’s not exportable to another server.

Best practice would be to use the Default IIS Virtual Server, since it should never be removed and on a system where there is not activity, import the response, export and protect with a password to be used again.

To assign the existing private key to a new certificate, you must use the Microsoft Windows Server 2003 version of Certutil.exe.

There are two ways to recover the certificate:


CERTUTIL is the built-in Command Line tool to administer a Windows 2003 CA from the command line. CERTUTIL has several switches for CA administration and Key Recovery.

KRT.EXE  The Key Recovery Tool (KRT.EXE) is a new tool which is part of the Windows Server 2003 Resource Kit Utilities. KRT is a GUI extension for the builtin Windows 2003 CA tool CERTUTIL. In this article, we will use the Key Recovery Tool (KRT).


  • 1. Log on to the computer that issued the certificate request by using an account that has administrative permissions.
  • 2. Click Start, click Run, type mmc, and then click OK.
  • 3. On the File menu, click Add/Remove Snap-in.
  • 4. In the Add/Remove Snap-in dialog box, click Add.
  • 5. Click Certificates, and then click Add.
  • 6. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  • 7. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
  • 8. Click Close, and then click OK.
  • 9. In the Certificates snap-in, expand Certificates, right-click the Personal folder, point to All Tasks, and then click Import.
  • 10. On the Welcome to the Certificate Import Wizard page, click Next.
  • 11. On the File to Import page, click Browse.
  • 12. In the Open dialog box, click the new certificate, click Open, and then click Next.
  • 13. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.
  • 14. In the Select Certificate Store dialog box, click Personal, click OK, click Next, and then click Finish.
  • 15. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
  • 16. In the Certificate dialog box, click the Details tab.
  • 17. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
  • 18. Click Start, click Run, type cmd, and then click OK.
  • 19. At the command prompt, type the following:

certutil -repairstore my serial# from item 17

Note: KRT works with a Microsoft CA. By default CertUtil defaults to using a CA and not the local Store. I haven’t tried to use the certutil -store command then using KRT this may work?


Technorati Tags: ,,

No comments yet. Be the first.

Leave a Reply