The case of accidentally deleted user certificates


As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

Sometimes users accidentally delete their certificates from the Personal store. After that they can no longer perform certificate-based tasks: decrypt files or mail, sign data, or authenticate. Some organizations implement Key Archival so that certificates and private keys can be recovered from the CA, but many do not, and even where key archival is enabled it is not required by every template. In our case the user has only deleted the certificate from the Personal store. Let's look at how private keys are stored.

When the system generates a key pair, the certificate and the private key are stored separately. The certificate (which carries the public key) is stored in the registry: under HKCU\Software\Microsoft\SystemCertificates\My\Certificates for the user's Personal store and under HKLM\Software\Microsoft\SystemCertificates\My\Certificates for the computer's Personal store. The private key is stored as a file in one of the following locations:

  • User certificates (RSA keys, legacy CSP)

%APPDATA%\Microsoft\Crypto\RSA\UserSID

  • User certificates (CNG keys, KSP)

%APPDATA%\Microsoft\Crypto\Keys

  • Computer certificates (RSA keys, legacy CSP)

%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys

  • Computer certificates (CNG keys, KSP)

%ALLUSERSPROFILE%\Microsoft\Crypto\Keys

On Windows Vista and later %ALLUSERSPROFILE% resolves to C:\ProgramData; the "Application Data" folder seen in older paths is only a compatibility junction. The neighbouring RSA\S-1-5-18 and SystemKeys folders hold keys belonging to the LocalSystem account's own user store, not machine keys, so a computer certificate's key will not be found there.

When you remove a certificate from the Certificates MMC snap-in or by other means (certutil -delstore, the .NET X509Store class, or PowerShell Remove-Item on the Cert: drive without its -DeleteKey switch), only the registry entry is removed. The associated private key file is not deleted. Look at a simple example:

When you run 'certutil -user -store My <CertId>' for a particular certificate, it reports the file name of the associated private key in the "Unique container name" line. With that name, I checked whether the file exists in the user key path listed above. After deleting the certificate from the store, the key file is still there. As a result, if you still have the public part of the certificate (it can be found in the userCertificate attribute of the user's Active Directory account, or in the Certification Authority database), it can be re-attached to the orphaned private key.
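The check described above, scripted as an added example (this is not code from the original post): it reads the "Unique container name" line from certutil's output, looks for that file under both user key locations, removes the certificate entry without the -DeleteKey switch, and then shows that the key file survives. It assumes Windows PowerShell 5.1 or later and an English certutil; $Thumbprint is a placeholder for a certificate you are prepared to delete and restore.

```powershell
# Added example, not from the original post. Assumes an English certutil whose
# "-store" output contains a "Unique container name: <file name>" line.
function Get-UserKeyFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Thumbprint)

    # certutil prints key details only for certificates it can still pair with a key.
    $out = certutil -user -store My $Thumbprint 2>&1 | Out-String
    $m = [regex]::Match($out, 'Unique container name:\s*(\S+)')
    if (-not $m.Success) {
        Write-Warning "No key container reported for $Thumbprint (no private key, or already orphaned)."
        return $null
    }
    $fileName = $m.Groups[1].Value

    # Both user key locations from the post: CAPI keys under RSA\<SID>, CNG keys under Keys.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $candidates = @(
        (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid\$fileName"),
        (Join-Path $env:APPDATA "Microsoft\Crypto\Keys\$fileName")
    )
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) { return Get-Item -LiteralPath $p }
    }
    Write-Warning "certutil reported container '$fileName' but no such file exists under $env:APPDATA\Microsoft\Crypto."
    return $null
}

# --- Demonstration (placeholder thumbprint; the certificate WILL be removed from the store) ---
$Thumbprint = 'PUT-THUMBPRINT-HERE'

$keyFile = Get-UserKeyFile -Thumbprint $Thumbprint
if (-not $keyFile) { throw 'Cannot locate the key file; stopping before anything is deleted.' }
"Key file: $($keyFile.FullName) ($($keyFile.Length) bytes)"

# Remove only the certificate entry. -DeleteKey is deliberately NOT passed,
# which is the situation the post describes: the key file is left behind.
Remove-Item -Path "Cert:\CurrentUser\My\$Thumbprint"

"Certificate still in store: $(Test-Path "Cert:\CurrentUser\My\$Thumbprint")"   # expected False
"Key file still present:     $(Test-Path -LiteralPath $keyFile.FullName)"       # expected True
```

Note the file name that certutil reports, or keep the returned FileInfo object: it is the quickest way to confirm, before attempting any repair, that the key you need is actually still on disk.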

OK, now we need to retrieve the public part of this certificate, for example from the CA server. On the client, run the following command:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer

In this example 351 is the request ID (the first column in the Certification Authority MMC snap-in) and usercert.cer is the output file name.

Now double-click this file and install the certificate into the Personal store. When you look at the certificate it will say that there is no associated private key. So we need to re-associate the imported certificate with the existing private key by running the following command:

certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa

where f9c009266036cd8c4c307fe47f356faa is the serial number of the certificate to restore (the SHA-1 thumbprint is accepted here as well, and is the safer choice when several CAs are involved, because serial numbers are unique only within one CA):

Look for the message that the encryption test passed (a signature-only key reports a signature test instead). Now you can check the Certificates MMC snap-in: the certificate again shows "You have a private key that corresponds to this certificate." Two caveats: -repairstore can only find a key file that still exists, so it is no substitute for Key Archival when the key itself was deleted; and for a computer certificate omit -user and run certutil from an elevated prompt so that it searches the machine key store.
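The whole recovery procedure (retrieve from the CA, import, repair, verify) as one added example script; it is not code from the original post. It assumes the client can reach the CA over RPC/DCOM, the caller has Read access to the CA database, and the orphaned key file still exists under %APPDATA%\Microsoft\Crypto. 'CAComputerName\CAName' and 351 are the placeholders from the post.

```powershell
# Added example, not from the original post. Restores a user certificate whose
# registry entry was deleted but whose private key file is still on disk.
function Restore-OrphanedUserCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CaConfig,   # "CAComputerName\CAName"
        [Parameter(Mandatory)][int]$RequestId,     # Request ID column in the CA MMC snap-in
        [string]$OutFile = (Join-Path $env:TEMP "request-$RequestId.cer")
    )

    # 1. Pull the issued certificate (public part only) from the CA database.
    certreq -config $CaConfig -retrieve $RequestId $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $OutFile)) {
        throw "certreq could not retrieve request $RequestId from $CaConfig (exit code $LASTEXITCODE)."
    }

    # 2. Import it into CurrentUser\My. At this point HasPrivateKey is False,
    #    exactly as the MMC reports after a double-click install.
    $cert = Import-Certificate -FilePath $OutFile -CertStoreLocation Cert:\CurrentUser\My
    if ($cert.HasPrivateKey) {
        Write-Verbose 'Private key is already linked; nothing to repair.'
        return $cert
    }

    # 3. Let certutil search the user key store for a key whose public half
    #    matches this certificate. The thumbprint is used instead of the serial
    #    number because serial numbers are unique only within one CA.
    $out = certutil -user -repairstore My $cert.Thumbprint 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed:`n$out"
    }
    if ($out -notmatch '(Encryption|Signature) test passed') {
        Write-Warning "repairstore returned success but reported no passed key test:`n$out"
    }

    # 4. Re-read the store entry: the object returned by Import-Certificate is
    #    a snapshot taken before the repair.
    $cert = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate imported but still has no private key; the key file is probably gone, so only Key Archival can help.'
    }
    return $cert
}

# Usage with the placeholders from the post:
$restored = Restore-OrphanedUserCertificate -CaConfig 'CAComputerName\CAName' -RequestId 351 -Verbose
$restored | Format-List Subject, Thumbprint, SerialNumber, HasPrivateKey, NotAfter
```

If the CA is unreachable, the same .cer can be taken from the userCertificate attribute of the AD account and passed to Import-Certificate instead; the repair step is unchanged. For a computer certificate, run the script elevated, replace Cert:\CurrentUser\My with Cert:\LocalMachine\My and drop -user from the certutil call.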

About Vadims Podāns

Senior PKI Developer

11 Comments

  1. Darren on September 30, 2019 at 7:23 pm

    Thank you. Have a similar situation: the user certificate was not deleted but unable to connect to Cisco ISE wifi. The fix is to request a new user certificate and the user was able to connect. The problem is the interim fix leads to multiple certificates on the client machine.

    My question: can a certificate become corrupt, aka a bad certificate? And is there a way to validate, perhaps via command line?

  2. Vadims Podāns on October 2, 2019 at 7:07 am

    > My question can a certificate become corrupt or aka bad certificate?

    Bad certificate and corrupted certificate are different things. Bad certificate often means that the particular certificate is not valid for the requested usages or cannot be validated as trusted. Corrupted certificate means that the certificate data is corrupted and cannot be parsed. What do you mean?

    • Prashant on August 4, 2020 at 10:02 pm

      Hi,
      Have a similar situation: a corrupted certificate is the issue and due to that I need to retrieve the certificate from the server.
      Do you have any help or suggestion?

      • Vadims Podāns on August 6, 2020 at 10:58 am

        From what server? Can you share more details about your issue?

  3. rtr on February 9, 2021 at 7:04 am

    How to find who deleted the SSL certificate on the Windows 2016 server?

    • Vadims Podāns on February 9, 2021 at 7:48 am

      I don't know the easiest way to get this information. As for the Current User\My store, in 99.9% of cases it is the user itself (or an app that runs under this particular account).

  4. Edoardo Beltramo on June 28, 2021 at 2:59 am

    Hello,

    by mistake I eliminated the 2 certificates for Shielded VM Local Certificates from my Hyper-V host.
    I wanted to ask you if there is any chance to regenerate these 2 certificates.

    Thanks, Edoardo

    • Vadims Podāns on June 28, 2021 at 3:01 am

      you need to get public copies of deleted certificates and then follow instructions in this article to re-associate them with private keys.

      • Edoardo Beltramo on June 28, 2021 at 3:20 am

        Following what you wrote, the public key should be stored in the registry.
        I checked around; the registry location for the public key should be:

        Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Shielded VM Local Certificates\Certificates

        but it's empty.

        • Edoardo Beltramo on June 28, 2021 at 3:33 am

          My bad, it's correct. I see that after a certificate deletion the registry entry gets deleted too.

          • Vadims Podāns on June 28, 2021 at 3:42 am

            you may need to contact your CA to get copies of public certificates.
