Schedule a Demo
Blog August 2, 2019 Certificates, Certutil, Cryptographic Keys

The case of accidentally deleted user certificates

by Vadims Podāns

As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

Sometimes users accidentally delete their certificates from personal store. After that users are not able to perform certificate-based tasks, i.e. decrypt files or mail, sign data and authenticate. Some organizations implement Key Archival for certificate and private key recovery. But some organizations do not. Even key archival is enabled, it is not always required. In our case user just deleted certificate from personal store. Let’s look to a private key storage background.

When the system generates public and private keys, they are stored separately. Public key is stored in registry, but private keys are stored in the following locations:

  • User certificates (RSA keys)

%APPDATA%\Microsoft\Crypto\RSA\UserSID

  • User certificates (CNG keys)

%APPDATA%\Microsoft\Crypto\Keys

  • Computer certificates (RSA keys)

%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18

  • Computer certificates (CNG keys)

%ALLUSERSPROFILE%\Microsoft\Crypto\SystemKeys

When you remove certificate from Certificates MMC snap-in or by using other means (certutil, or other programming APIs such X509Store .NET class) only registry entry is removed. No associated private keys are deleted. Look at a simple example:


When you run ‘certutil –store’ command (in my case for particular certificate) it tries to get certificate associated private key file name (see for “Unique container name” section). Once it is done I just checked whether this file exist in the above mentioned path for user store. When I delete this certificate, private key remains. As the result if you have public part of this certificate (it can be found in userCertificates Active Directory user account attributes, or in Certification Authority database.

Ok, now we need to retrieve a public part of this certificate. For example from CA server. On client run the following command:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer

In this example 351 is request id (the first column in Certification Authority MMC snap-in) and usercert.cer is a output file name.

Now double-click on this file and install certificate to Personal store. When you look to a certificate it will say that there is no associated private key. So we need to re-associate imported certificate with existing private key by running the following command:

certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa

where f9c009266036cd8c4c307fe47f356faa is a serial number of a certificate to restore:

Look to a message that encryption test is passed. Now you can check Certificates MMC snap-in for private key existence for this certificates.

Related Resources

  • Blog
    March 7, 2024

    Why you are getting it wrong with Certificate Lifecycle Management

    Certificate Management, Certificates, CLM
  • Blog
    March 7, 2024

    PKI Insights – Avoiding PenTest Pitfalls

    Certificates, PKI, PKI Insights
  • Blog
    February 6, 2024

    PKI Insights Recap – Microsoft Intune Cloud PKI

    BYOD, Certificates, Cloud, Enrollment, NDES

Vadims Podāns

PKI Software Architect

View All Posts by Vadims Podāns

Comments

  • Thank you . Have a similar situation the user certificate was not deleted but unable to connect to Cisco ISE wifi . The fix is to request a new user certificate and the user was able to connect . The problem is the interim fix leads to multiple certificates on the client machine

    My question can a certificate become corrupt or aka bad certificate? And is there a way to validate perhaps command line?

  • > My question can a certificate become corrupt or aka bad certificate?

    bad certificate and corrupted certificate are different things. Bad certificate often means that particular certificate is not valid for requested usages or cannot be validated as trusted. Corrupted certificate is that certificate data is corrupted and cannot be parsed. What do you mean?

    • Hi,
      Have a similar situation Corrupted certificate is the issue and due to that i need to retrieve certificate from server.
      do you have any help or suggestiion

    • I don’t know the easiest way to get this information. As of Current User\My store, then in 99.9% it is user itself (or app that runs under this particular account).

  • Hello,

    by mistake I eliminated the 2 certificates for Shielded VM Local Certificates from my Hyper-V host
    I wanted to ask you if there is any chance to regenerate these 2 certificates

    Thanks, Edoardo

    • you need to get public copies of deleted certificates and then follow instructions in this article to re-associate them with private keys.

      • Follows what you wrote the public key should be stored in the registry
        I checked around, the registry location for the public key should be:

        Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Shielded VM Local Certificates\Certificates

        but it’s empty

Leave a Reply

Your email address will not be published. Required fields are marked *