CERTUTIL Archival/Recovery

Certutil tasks for key archival and recovery.

Syntax

CERTUTIL [-getkey] [/?]

To retrieve an archived private key recovery blob:
CERTUTIL -getkey [-f] [-gmt] [-seconds] [-v] search_token [recovery_blob_output_file]

Parameters

pfx_output_file (NT2003): Specifies the file where you want to save the recovered key and associated PKCS #12 certificate.
recipient_index (NT2003): Specifies the index of the key recovery agent (KRA) certificate to be used for decrypting the private key blob. If omitted, tries all of the KRA certificates.
recovery_blob_input_file (NT2003): Specifies the input file that contained the recovery blob retrieved from the CA.
recovery_blob_output_file (NT2003): Specifies the output file containing a certificate chain and an associated private key, still encrypted to one or more key recovery agent (KRA) certificates.
search_token (NT2003): Specifies the keys and certificates that you want to recover.; Can be a certificate common name, a certificate serial number, a certificate Secure Hash Algorithm (SHA-1) hash, a requester name, or a user principal name (UPN).

Switches

/? (NT2003): Display help.
-f (NT2003): Overwrites existing files or keys.
-getkey (NT2003): Retrieves the archived private key.
-gmt (NT2003): Displays time as Greenwich mean time.
-p password (NT2003): Specifies a password.; The maximum length allowed for a PFX file password is 32 characters.
-recoverkey (NT2003): Recovers the archived private key.
-seconds (NT2003): Displays time with seconds and milliseconds.
-split (NT2003): Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-user (NT2003): Uses the HKEY_CURRENT_USER keys or certificate store.
-v (NT2003): Specifies verbose output.

Notes

none.

Examples

none.

Errorlevels

none.

Availability

External

Last Updated: 2003/07/28
Direct corrections or suggestions to: Rick Lively