As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.
Sometimes users accidentally delete their certificates from personal store. After that users are not able to perform certificate-based tasks, i.e. decrypt files or mail, sign data and authenticate. Some organizations implement Key Archival for certificate and private key recovery. But some organizations do not. Even key archival is enabled, it is not always required. In our case user just deleted certificate from personal store. Let’s look to a private key storage background.
When the system generates public and private keys, they are stored separately. Public key is stored in registry, but private keys are stored in the following locations:
%APPDATA%\Microsoft\Crypto\RSA\UserSID
%APPDATA%\Microsoft\Crypto\Keys
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18
%ALLUSERSPROFILE%\Microsoft\Crypto\SystemKeys
When you remove certificate from Certificates MMC snap-in or by using other means (certutil, or other programming APIs such X509Store .NET class) only registry entry is removed. No associated private keys are deleted. Look at a simple example:
When you run ‘certutil –store’ command (in my case for particular certificate) it tries to get certificate associated private key file name (see for “Unique container name” section). Once it is done I just checked whether this file exist in the above mentioned path for user store. When I delete this certificate, private key remains. As the result if you have public part of this certificate (it can be found in userCertificates Active Directory user account attributes, or in Certification Authority database.
Ok, now we need to retrieve a public part of this certificate. For example from CA server. On client run the following command:
certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer
In this example 351 is request id (the first column in Certification Authority MMC snap-in) and usercert.cer is a output file name.
Now double-click on this file and install certificate to Personal store. When you look to a certificate it will say that there is no associated private key. So we need to re-associate imported certificate with existing private key by running the following command:
certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa
where f9c009266036cd8c4c307fe47f356faa is a serial number of a certificate to restore:
Look to a message that encryption test is passed. Now you can check Certificates MMC snap-in for private key existence for this certificates.
Thank you . Have a similar situation the user certificate was not deleted but unable to connect to Cisco ISE wifi . The fix is to request a new user certificate and the user was able to connect . The problem is the interim fix leads to multiple certificates on the client machine
My question can a certificate become corrupt or aka bad certificate? And is there a way to validate perhaps command line?
> My question can a certificate become corrupt or aka bad certificate?
bad certificate and corrupted certificate are different things. Bad certificate often means that particular certificate is not valid for requested usages or cannot be validated as trusted. Corrupted certificate is that certificate data is corrupted and cannot be parsed. What do you mean?
Hi,
Have a similar situation Corrupted certificate is the issue and due to that i need to retrieve certificate from server.
do you have any help or suggestiion
From what server? Can you share more details about your issue?
how to find who deleted the ssl certifcate in the windows 2016 server
I don’t know the easiest way to get this information. As of Current User\My store, then in 99.9% it is user itself (or app that runs under this particular account).
Hello,
by mistake I eliminated the 2 certificates for Shielded VM Local Certificates from my Hyper-V host
I wanted to ask you if there is any chance to regenerate these 2 certificates
Thanks, Edoardo
you need to get public copies of deleted certificates and then follow instructions in this article to re-associate them with private keys.
Follows what you wrote the public key should be stored in the registry
I checked around, the registry location for the public key should be:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Shielded VM Local Certificates\Certificates
but it’s empty
My bad, its correct I see that after a certificate deletion the registry gets deleted too
you may need to contact your CA to get copies of public certificates.
Schedule a Demo
