Certutil -getkey requires administrator? Not always.

October 14, 2012 · 0 comments

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 1.00 out of 5)

Recently, I had the need to export a certificate with it’s key.  However, by default, we automatically issue computer certificates to every computer in our domain, but without the ability to export them with their key for security reasons.  I had one of my administrators do a little research and document how we could recover these keys as needed.  So, the solution was the following:

  1. Logon the the computer in question and get the serial number of it’s computer certificate
  2. Logon to one of the issuing certificate authority (CA) servers and open a command prompt;
  3. In the command prompt window, type:
    • Certutil -getkey <serialnumber> output-file
    • Note: “output-file” is a PKCS#7 file that contains the key recovery agent certificates and the certificate and chain. The inner content is an encrypted PKCS#7 file containing the private key.
  4. Transfer the output-file to secured server with the certificate(s) of a key recovery agent
  5. Open a command prompt and run the following command
    • certutil -recoverykey output-file certificate-file.pfx
    • enter a password and repeat when prompted
  6. Copy the restore .pfx file to the computer where the key is needed

When I got to step #3, I was blocked with a response that said,

CertUtil: -GetKey command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

I thought that was strange as I am a domain administrator after all.  I read various articles like this one that indicated I had to run the command prompt as an Administrator due to User Access Control (UAC).  There were also suggestions about having the a Backup Operator or Certification Authority Administrator.  The latter did not prove to be correct in my testing, but running the command prompt as Administrator did the trick.

But not so fast.  It turns out we have two issuing CA systems.  So, I retraced my steps on the second server.  Surprise!  It worked without any errors.  As it turns out, a domain administrator can get the key of any computer or user from a remote issuing CA but not from a  local one.  So, if CA1 issues a certificate to PC1 and CA2 issues a certificate to  PC2, then a domain administrator can get the key for PC2 from CA1 without running the command line as an administrator, but must run as administrator to get the key for PC1 from CA1.  Of course, the opposite is also true — a domain administrator can get the key for PC1 from CA2 without running the command line as an administrator, but must run as administrator to get the key for PC2 from CA2.  This also works for user certificates as well.

I don’t know why this works this way, but if anyone has an idea or answer, please submit it here for everyone.

Enhanced by Zemanta

Article by Steve Van Domelen

Steve has written 47 awesome articles.

Previous post:

Next post: