Sometimes users accidentally delete their certificates from the Personal store. After that they can no longer perform certificate-based tasks such as decrypting files or mail, signing data and authenticating. Some organizations implement Key Archival for certificate and private key recovery, but some do not, and even where key archival is enabled it is not always required by the template. In our case the user just deleted the certificate from the Personal store. Let's look at the private key storage background.

When the system generates a public/private key pair, the two parts are stored separately. The public key (inside the certificate) is stored in the registry, but private keys are stored as files in the following locations:

  • User certificates (RSA keys): %APPDATA%\Microsoft\Crypto\RSA\UserSID
  • User certificates (CNG keys): %APPDATA%\Microsoft\Crypto\Keys
  • Computer certificates (RSA keys): %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18
  • Computer certificates (CNG keys): %ALLUSERSPROFILE%\Microsoft\Crypto\SystemKeys

When you remove a certificate from the Certificates MMC snap-in or by other means (certutil, or programming APIs such as the X509Store .NET class), only the registry entry is removed. The associated private key file is not deleted. Look at a simple example:

[↓] [vPodans] certutil -store -user my f9c009266036cd8c4c307fe47f356faa
my
================ Certificate 4 ================
Serial Number: f9c009266036cd8c4c307fe47f356faa
Issuer: CN=vPodans
 NotBefore: 16.04.2009. 11:04
 NotAfter: 23.03.2109. 11:04
Subject: CN=vPodans
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 90 da 9f 10 2d 09 1d e2 7a fc 09 2b 72 12 e9 41 18 d5 b7 b2
  Key Container = {5F5DD854-CC3B-4F6F-8B99-89FB55FFB67D}
  Unique container name: 89a3fdb59f7870ac900a6c61cfdea3a0_74659c6a-d4ff-4c5d-acde-0ce27b655f0a
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -store command completed successfully.
[↓] [vPodans] get-item $env:appdata\Microsoft\Crypto\RSA\S-1-5-21-488871540-1024398642-2926345389-1000\89a3fdb59f7870ac900a6c61cfdea3a0_74659c6a-d4ff-4c5d-acde-0ce27b655f0a


    Directory: C:\Users\vPodans\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-488871540-1024398642-2926345389-1000


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a--s       08.09.2009.     13:56       2251 89a3fdb59f7870ac900a6c61cfdea3a0_74659c6a-d4ff-4c5d-acde-0ce27b655f0a


[↓] [vPodans]

When you run the 'certutil -store' command (in my case for a particular certificate) it resolves the file name of the private key associated with the certificate (see the "Unique container name" line). I then checked whether this file exists in the above-mentioned path for the user store. When I delete this certificate, the private key file remains. As a result, if you still have the public part of this certificate (it can be found in the userCertificate attribute of the Active Directory user account, or in the Certification Authority database), the certificate can be re-associated with its existing private key.

Ok, now we need to retrieve the public part of this certificate, for example from the CA server. On the client run the following command:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer

In this example 351 is the request ID (the first column in the Certification Authority MMC snap-in) and usercert.cer is the output file name.

Now double-click this file and install the certificate into the Personal store. When you look at the certificate it will say that there is no associated private key. So we need to re-associate the imported certificate with the existing private key by running the following command:

certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa

where f9c009266036cd8c4c307fe47f356faa is the serial number of the certificate to restore:

[↓] [vPodans] certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa
MY
================ Certificate 4 ================
Serial Number: f9c009266036cd8c4c307fe47f356faa
Issuer: CN=vPodans
 NotBefore: 16.04.2009. 11:04
 NotAfter: 23.03.2109. 11:04
Subject: CN=vPodans
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 90 da 9f 10 2d 09 1d e2 7a fc 09 2b 72 12 e9 41 18 d5 b7 b2
  Key Container = {28784BDD-2895-462F-8D59-AAB75BA4AEB3}
  Unique container name: 36156aba82aac9a7c4cb75ae06f5dfda_74659c6a-d4ff-4c5d-acde-0ce27b655f0a
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
[↓] [vPodans]

Note the "Encryption test passed" message. Now you can check the Certificates MMC snap-in to confirm that this certificate has a private key again.

Comments:

Matthias L. 16.06.2013 00:38 (GMT+3) The case of accidentally deleted user certificates

Hi Vadims, if the deletion of a certificate in MMC doesn't delete the private key, which procedure do you recommend to completely destroy the keys in a comfortable manner?

Vadims Podans 16.06.2013 06:07 (GMT+3)

You can delete private key file manually. Alternatively you can export certificate to a PFX, there is an option to delete private key after export (of course, if private key is allowed for export operations). Also, there is CryptDestroyKey function, but I'm not sure if this is the right function to delete private key material.

toluz 18.01.2014 01:05 (GMT+3)

I had a problem with "certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer": I had no access, but I asked my administrator to export my certificate manually from the CA and to send it to me. This works for me. This was a very helpful article, thanks.

Patrice 14.06.2016 12:16 (GMT+3)

Thank you very much!

Marius 22.10.2016 01:00 (GMT+3)

Man, you saved me!!!!

Paldies very much.

John W 24.12.2016 22:46 (GMT+3)

Windows 10 user here. Somehow my user account has a different certificate now, and I can not access any files in my system. I get "Access Denied" when trying to do anything with the files. I can see them but nothing else is allowed. I did not know the system needed to have certificates backed up. I recently used PowerShell to run SFC/Scanow to get back my Windows start menu. I also ran a command recommended by PC World (3 fixes for a dead Windows start menu) suggested to get the menu working. That was successful, but now I don't have access to my files, and I think the certificate was replaced doing something I described. Is there a way to retrieve the old certificates using Explorer, from a system backup or restore point?

Vadims Podāns 24.12.2016 23:02 (GMT+3)

If you have a system backup, you can restore it on a temporary machine and explore the certificate in the certificate store (via Certificates MMC).

Hendre 12.10.2017 13:49 (GMT+3)

Hi. Do you know how to perform this procedure on Windows 10? I do not know how to retrieve my public key:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer
What will the CACompanyName\CAName be on a Windows 10 machine not connected to a domain?

Vadims Podāns 12.10.2017 14:10 (GMT+3)

The procedures are the same for Windows 10. If you are disconnected from domain/CA, you should ask your systems administrator to extract a certificate from CA database and send it to you.

Hendre 12.10.2017 15:38 (GMT+3)

Hi Vadims. I am not connected to a corporate network and do not have a systems administrator. I created the file encryption key on a standalone Windows 10 PC. How do I access the CA database to extract the public key?

Vadims Podāns 12.10.2017 16:13 (GMT+3)

If you created a key on a standalone Windows box, then it is just a simple self-signed certificate. No CA is involved and you have to search for the certificate elsewhere. Maybe in other containers in the Windows certificate store.

Matthias Raffel 12.12.2017 22:29 (GMT+3)

Just a hint: the icon of the certificate has a little key picture built in. This can be used to check very quickly if you have a "connected" corresponding private key for the displayed certificate. For example, compare a root certificate icon with a user or computer certificate.

Stan Kaminski 05.02.2019 15:09 (GMT+3)

Hi Vadims. Is there a way to bulk erase all lone private keys? I did some experiments on my PC which left me with hundreds of them that can be safely destroyed.

Vadims Podāns 05.02.2019 18:54 (GMT+3)

> Is there a way to bulk erase all lone private keys?

It is quite tricky. You will need to enumerate all certificates in a desired certificate store and collect information about private keys. Then you can enumerate all key files (or better, query all cryptographic providers and keys inside them) and check if a particular key belongs to any active certificate. If there is no match, then the non-matching key is a candidate for deletion. That's all I can suggest at this point.
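As an added example (not code from the original post or its author), the following PowerShell automates two things from this page: the check the body performs by hand with certutil -store and Get-Item (certificate, unique container name, key file under the user paths listed above), and the orphan-key enumeration sketched in the comment above. It assumes RSA keys in the current user's Personal store and the Microsoft software providers, and it only reports; nothing is deleted.

```powershell
# Added example, not from the original post. Maps each certificate in the
# user's Personal store to its private key file using the paths the post
# lists, then lists key files that no certificate there references.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDirs = @(
    (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"),  # CAPI (CSP) keys
    (Join-Path $env:APPDATA "Microsoft\Crypto\Keys")       # CNG (KSP) keys
)

function Get-PrivateKeyFileName {
    # Unique container name = file name of the key on disk, or $null.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $null }   # key exists but cannot be opened (e.g. smart card)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # file under RSA\<SID>
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.UniqueName }  # file under Keys
    return $null   # non-RSA key (e.g. ECDSA) is not handled here
}

function Get-CertKeyStatus {
    # Same check the post does by hand: does the key file behind the cert exist?
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $name = Get-PrivateKeyFileName $cert
        $file = $null
        if ($name) {
            $file = $keyDirs | ForEach-Object { Join-Path $_ $name } |
                Where-Object { Test-Path $_ } | Select-Object -First 1
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            SerialNumber  = $cert.SerialNumber
            HasPrivateKey = $cert.HasPrivateKey
            KeyFileName   = $name
            KeyFileOnDisk = $file   # $null: key missing, or stored outside these paths
        }
    }
}

function Find-OrphanKeyFile {
    # Key files in the user paths that no Personal-store certificate points at.
    $referenced = @(Get-CertKeyStatus | Where-Object KeyFileName | ForEach-Object KeyFileName)
    foreach ($dir in $keyDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | Where-Object { $referenced -notcontains $_.Name } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-CertKeyStatus | Format-Table -AutoSize
Find-OrphanKeyFile | Format-Table -AutoSize
```

A file listed by Find-OrphanKeyFile is only a candidate: it may belong to a certificate in another store or to an application key that never had a certificate, so review each one before removing it.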
