Question : Windows 2008 certutil -keyrecover fails when I try to recover a key.

AD CS setup: Offline Root, Enterprise Subordinate (Win 2008 Enterprise)
I followed a "MS certificate services example implementation: key archival and recovery" in a test environment and it worked ok.  I tried the same thing in production and it fails.
Steps:
1) Configure a Key Recovery Template, Issue Template
2) Issue a certificate to my Domain Admin account using the template.
3) Configure Enterprise Subordinate CA to use certificate created above as a Recovery Agent.
4) Create an Archive User template that allows key archiving, Issue template.
5) Create a Keytest account and issue Archive User template to Keytest user.
6) Write down serial number of the Archive user certificate issued to Keytest user.
7) From Enterprise Subordinate CA, run Certutil -getkey serial-number outputblob
This is where it fails:
8) run Certutil -recoverkey outputblob keytest.pfx


Key recovery requires one of the following certificates and its private key:

Recipient Info[0]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
    Serial Number: xxxxxxxxxxxxxxxxxxx
    Issuer: CN=EntSub-CA, DC=Company, DC=com
    Subject: CN=admin, OU=Domain Administrators, OU=Servers, DC=Company, DC=com
CertUtil: -RecoverKey command FAILED: 0x8009200c (-2146885620)
CertUtil: Cannot find the certificate and private key to use for decryption.

I have verified that the certificate that is required is the same certificate as in step 2 above.  When I check Certificates - Local User - Personal - I see the certificate.

Does anyone have any suggestions or process on how to resolve this issue?

Thanks...
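The error code in the post, 0x8009200c (CRYPT_E_NO_DECRYPT_CERT), means certutil could not locate the recipient certificate named in Recipient Info[0] together with its private key in a store it can reach. The script below is an added example, not part of the original post or of Microsoft's tooling: it checks for the KRA certificate and private key in the personal stores of the account running certutil before repeating steps 7 and 8 of the procedure above. The serial numbers, file paths and PFX password are placeholders you supply, and the parameter names and the helper functions are my own.

```powershell
# Added example (not from the original post). Assumes it is run on the issuing
# CA as the key recovery agent, with the archived certificate's serial number
# and the KRA certificate's serial number (the one certutil prints under
# "Recipient Info[0]") both known. All parameter values are placeholders.
param(
    [Parameter(Mandatory=$true)] [string]$ArchivedSerial,   # serial of the Keytest user's archived cert
    [Parameter(Mandatory=$true)] [string]$KraSerial,        # serial of the KRA cert from the error text
    [string]$BlobPath    = "$env:TEMP\outputblob",          # recovery blob written by -getkey
    [string]$PfxPath     = "$env:TEMP\keytest.pfx",         # recovered key written by -recoverkey
    [string]$PfxPassword = 'ChangeMe!'                      # placeholder; use a real value
)

# The certificate provider stores serial numbers as uppercase hex with no
# spaces or colons; normalise whatever form the operator pasted in.
function Normalize-Serial([string]$s) {
    return ($s -replace '[\s:]', '').ToUpperInvariant()
}

# Look for the KRA certificate in the current-user and local-machine personal
# stores. certutil -recoverkey needs the certificate AND its private key, so the
# caller must also check HasPrivateKey on the hit.
function Find-KraCert([string]$serial) {
    $want = Normalize-Serial $serial
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $hit = Get-ChildItem $store |
            Where-Object { (Normalize-Serial $_.SerialNumber) -eq $want } |
            Select-Object -First 1
        if ($hit) { return @{ Store = $store; Cert = $hit } }
    }
    return $null
}

$kra = Find-KraCert $KraSerial
if (-not $kra) {
    throw "KRA certificate $KraSerial is not in CurrentUser\My or LocalMachine\My for this account; import the KRA PFX (with its private key) into the personal store of the account running certutil."
}
if (-not $kra.Cert.HasPrivateKey) {
    throw "KRA certificate is in $($kra.Store) but HasPrivateKey is false; 0x8009200c is expected until the private key is present there."
}
Write-Host "KRA certificate present in $($kra.Store) with private key: $($kra.Cert.Subject)"

# Step 7: pull the encrypted archived key (recovery blob) from the CA database.
& certutil -getkey $ArchivedSerial $BlobPath
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }

# Step 8: decrypt the blob with the KRA private key and write a PFX.
# -p supplies the PFX password so certutil does not prompt.
& certutil -p $PfxPassword -recoverkey $BlobPath $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }
Write-Host "Recovered key written to $PfxPath"
```

Run it from an elevated PowerShell prompt as the recovery agent, for example `.\Recover-ArchivedKey.ps1 -ArchivedSerial <serial from step 6> -KraSerial <serial from Recipient Info[0]>` (the script file name is my own). The point of the pre-check is that the store the poster inspected (Certificates - Local User - Personal) must belong to the same account that runs certutil, and the certificate there must carry the private key, not just the public certificate. If the KRA certificate is only in the current-user store and certutil still reports 0x8009200c, certutil's global `-user` switch (documented as selecting HKEY_CURRENT_USER keys and certificate stores) is worth adding to the -recoverkey line; whether that is needed on a given 2008 build is an assumption to test, not something this post confirms.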

Answer : Windows 2008 certutil -keyrecover fails when I try to recover a key.

Did you restart certificate services after configuring the KRA to the CA?

Is the private key still there?  Try getting rid of the private key to properly simulate - the existence of it may be getting in the way.  Try testing this on a workstation instead of on the CA.

Was on vacation last week - are you still having issues with this?