
The case of accidentally deleted user certificates

As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

Sometimes users accidentally delete their certificates from the Personal store. After that, they are no longer able to perform certificate-based tasks such as decrypting files or mail, signing data, and authenticating. Some organizations implement Key Archival for certificate and private key recovery, but many do not, and even where key archival is enabled it is not always required for every template. In our case the user only deleted the certificate from the Personal store. Let's look at some background on private key storage.

When the system generates a public/private key pair, the two halves are stored separately. The public key is stored in the registry, while private keys are stored as files in the following locations:

  • User certificates (RSA keys)

%APPDATA%\Microsoft\Crypto\RSA\UserSID

  • User certificates (CNG keys)

%APPDATA%\Microsoft\Crypto\Keys

  • Computer certificates (RSA keys)

%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18

  • Computer certificates (CNG keys)

%ALLUSERSPROFILE%\Microsoft\Crypto\SystemKeys

When you remove a certificate from the Certificates MMC snap-in or by other means (certutil, or programming APIs such as the .NET X509Store class), only the registry entry is removed. No associated private key file is deleted. Look at a simple example:

When you run the 'certutil -store' command (in my case for a particular certificate), it tries to get the file name of the certificate's associated private key (see the "Unique container name" line in the output). Once that was done, I simply checked whether this file exists in the user-store path mentioned above. When I delete this certificate, the private key file remains. As a result, if you have the public part of this certificate (it can be found in the userCertificate attribute of the Active Directory user account, or in the Certification Authority database.

OK, now we need to retrieve the public part of this certificate, for example from the CA server. On the client, run the following command:

certreq -config "CAComputerName\CAName" -retrieve 351 usercert.cer

In this example 351 is the request ID (the first column in the Certification Authority MMC snap-in) and usercert.cer is the output file name.

Now double-click on this file and install the certificate into the Personal store. When you look at the certificate, it will say that there is no associated private key. So we need to re-associate the imported certificate with the existing private key by running the following command:

certutil -user -repairstore MY f9c009266036cd8c4c307fe47f356faa

where f9c009266036cd8c4c307fe47f356faa is the serial number of the certificate to restore:

Look for the message saying that the encryption test passed. Now you can check the Certificates MMC snap-in and confirm that a private key exists for this certificate.
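The following PowerShell script is an added example and is not part of the original post. It ties the two halves of the article together: the first function inventories which key file under %APPDATA%\Microsoft\Crypto backs each certificate in the user's Personal store (the same "unique container name" the certutil -store output shows), which is worth recording before an accidental deletion happens; the second function performs the recovery procedure described above (certreq -retrieve, import, certutil -repairstore) and verifies the result. The CA config string, request ID and serial number are the placeholders from the post; replace them with your own values. It assumes Windows PowerShell 5.1 or later with the PKI module (for Import-Certificate) and that the user's key is a software RSA key (smart-card or TPM-backed keys have no file on disk and are reported as such).

```powershell
# Added example (not from the original post). Placeholders: CA config, request ID, serial.
param(
    [string]$CAConfig  = 'CAComputerName\CAName',               # placeholder from the post
    [int]   $RequestId = 351,                                   # request ID from the post's example
    [string]$Serial    = 'f9c009266036cd8c4c307fe47f356faa'    # serial number from the post's example
)

# Part 1: map each certificate in CurrentUser\My to the private key file that backs it.
# Run this while the certificates are still present; the file listed here is what
# survives when only the registry entry (the certificate) is deleted.
function Get-UserKeyFileMap {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $path = $null
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: stored under %APPDATA%\Microsoft\Crypto\Keys
            $path = Join-Path $env:APPDATA ("Microsoft\Crypto\Keys\" + $rsa.Key.UniqueName)
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP (RSA) key: stored under %APPDATA%\Microsoft\Crypto\RSA\<user SID>
            $path = Join-Path $env:APPDATA ("Microsoft\Crypto\RSA\$sid\" + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
        }
        [pscustomobject]@{
            Subject      = $cert.Subject
            SerialNumber = $cert.SerialNumber
            KeyFile      = if ($path) { $path } else { '<no file: non-RSA or hardware-backed key>' }
            FileExists   = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

# Part 2: recover a deleted certificate whose key file is still on disk.
function Restore-UserCertificate {
    param([string]$CAConfig, [int]$RequestId, [string]$Serial)

    $cerFile = Join-Path $env:TEMP "usercert-$RequestId.cer"

    # Step 1: pull the public certificate back out of the CA database by request ID.
    & certreq.exe -config $CAConfig -retrieve $RequestId $cerFile | Out-Null
    if (-not (Test-Path -LiteralPath $cerFile)) { throw "certreq did not produce $cerFile" }

    # Step 2: import it into the Personal store; at this point it has no private key.
    $imported = Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\CurrentUser\My
    if ($imported.HasPrivateKey) { Write-Verbose 'Certificate already linked to a key; nothing to repair.' }

    # Step 3: ask certutil to re-link the certificate with the orphaned key container.
    $repair = & certutil.exe -user -repairstore MY $Serial 2>&1
    $testPassed = ($repair -join "`n") -match 'Encryption test passed'

    # Step 4: re-read the certificate and confirm Windows now sees the private key.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.SerialNumber -eq $Serial.ToUpper() }
    [pscustomobject]@{
        Subject             = $cert.Subject
        SerialNumber        = $cert.SerialNumber
        EncryptionTestPassed = $testPassed
        HasPrivateKey       = [bool]$cert.HasPrivateKey
    }
}

# Usage: inventory first, then (after an accidental deletion) run the repair.
Get-UserKeyFileMap | Format-Table -AutoSize
Restore-UserCertificate -CAConfig $CAConfig -RequestId $RequestId -Serial $Serial
```

Two points on the design: the repair is only possible if the inventory step would have reported FileExists = True, because certutil -repairstore matches the imported public key against key containers that still exist on disk, so a key file that was itself deleted (or that never existed, as with a smart-card key) cannot be recovered this way. The match on "Encryption test passed" mirrors the message the post tells you to look for; HasPrivateKey on the re-read certificate object is the authoritative check.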

2 Comments

  1. Darren on September 30, 2019 at 7:23 pm

    Thank you. Have a similar situation: the user certificate was not deleted but unable to connect to Cisco ISE wifi. The fix is to request a new user certificate and the user was able to connect. The problem is the interim fix leads to multiple certificates on the client machine.

    My question: can a certificate become corrupt, aka a bad certificate? And is there a way to validate, perhaps from the command line?

  2. Vadims Podāns on October 2, 2019 at 7:07 am

    > My question: can a certificate become corrupt, aka a bad certificate?

    Bad certificate and corrupted certificate are different things. Bad certificate often means that a particular certificate is not valid for the requested usages or cannot be validated as trusted. Corrupted certificate means that the certificate data is corrupted and cannot be parsed. What do you mean?
