Subsequent archiving of private keys

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.

An important aspect here is that the users' private keys should be secured centrally - in contrast to the signature certificates that are otherwise mostly used. Incoming messages are encrypted for a specific private key and can only be decrypted again by the same person. Thus a backup of these keys must absolutely be available - also for the Synchronization to mobile devices this is indispensable. For this purpose, the Microsoft Active Directory Certificate Services offer the function of the Private Key Archival.

But what if private key archiving has not been set up and users have already applied for corresponding certificates?

Fortunately, it is possible to archive private keys - albeit with corresponding effort - even after the fact.

Prerequisite for this are:

  • At least one valid Key Recovery Agent certificate has been set up on the corresponding certificate authority.
  • The private keys were exported from the user profiles and are available as PKCS#12 (PFX) file including password.

The import into the certification authority can then be done with the following command:

certutil [-p {password>] -importKMS {filename-PFX}

Related links:

External sources