
Re: Exporting Computer Certificates


Carsten Kinder [MSFT]

Nov 25, 2006, 5:51:59 PM
> Where is it looking for the private Key and how can I check whether the
> key is there or not?

To specifically examine the association between a certificate and a key:

1) Export the certificate into a file
2) Verify the keys: certutil -v -verifykeys [CertificateFileFromStep1]

If you want to experiment with this command, use certutil -verifykeys -? for
more options.

To verify all certificates in a certain certificate store use
certutil -verifystore -?
To repair key associations or update certificate properties or the key
security descriptor, use certutil -repairstore -?
--
Carsten Kinder
Microsoft Services

This posting is provided "AS IS" with no warranties, and confers no rights.

Otte

Nov 27, 2006, 7:41:01 AM
Carsten

Thanks for your reply. I have tried using Certutil to verify and then
repair the computer certificate and this is what I get;

certutil -v -verifystore my 61a79fae00000000004a
Certificate is valid
CertUtil: -verifystore command completed successfully.


certutil -v -repairstore my 61a79fae00000000004a
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.

I am logged on as Domain Admin so I don't understand why I get Access denied
or what/where it is trying to access. I have also tried this on another
server but that works so the problem is confined to 1 server only.


Any help is greatly appreciated

Otte

Brian Komar [MVP]

Nov 27, 2006, 4:14:12 PM
You also need to designate the CSP that was used to protect the
certificate when using -repairstore.

certutil -v -repairstore my 61a79fae00000000004a -csp "Microsoft Strong Cryptographic Service Provider"

Brian

In article <FD6DA21E-6D04-46F1...@microsoft.com>,
Ot...@discussions.microsoft.com says...
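
A read-only check of the certificate-to-key association discussed above, added here as an example and not posted by anyone in the thread. It assumes Windows PowerShell 5.1 run elevated, a key held by a legacy CSP, and the Windows Vista / Server 2008 or later MachineKeys location; the serial number is the one quoted in the thread.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in the store.
param(
    [string]$Serial    = '61 a7 9f ae 00 00 00 00 00 4a',  # serial number quoted in the thread
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

# X509Certificate2.SerialNumber is upper-case hex without spaces.
$wanted = ($Serial -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.SerialNumber -eq $wanted } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with serial number $wanted in $StorePath" }

# HasPrivateKey only reports that the store entry references a key container;
# it does not prove that the container exists or can be opened.
"Subject       : $($cert.Subject)"
"HasPrivateKey : $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) { return }

try {
    # Opening the key is the step that fails when the container is missing
    # or its ACL denies access to the caller.
    $info = $cert.PrivateKey.CspKeyContainerInfo
} catch {
    "Opening the key failed: $($_.Exception.Message)"
    return
}
if (-not $info) { "Key is not held by a legacy CSP (for example a CNG key)."; return }

"Provider      : $($info.ProviderName)"            # the name certutil -csp expects
"Container     : $($info.UniqueKeyContainerName)"
"Machine key   : $($info.MachineKeyStore)"
if (-not $info.MachineKeyStore) { return }

# Assumption: machine RSA key containers live here on Vista / Server 2008 and later.
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
if (Test-Path -LiteralPath $keyFile) {
    # Show who may read the container file.
    (Get-Acl -LiteralPath $keyFile).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    "Key container file not found: $keyFile"
}
```
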

Otte

Nov 28, 2006, 9:59:01 AM
Thanks for your reply Brian, I tried the following command;

certutil -repairstore -csp "Microsoft RSA SChannel Cryptographic Service Provider" my 61a79fae00000000004a

and got the following error back which I am now trying to resolve;

Missing stored keyset
CertUtil: -repairstore command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.


Regards

Otte

Brian Komar [MVP]

Nov 28, 2006, 10:51:24 AM
It is a finicky command (order is important)
This works at a customer site:
certutil -f -csp "Microsoft RSA SChannel Cryptographic Service Provider" -repairstore my "61 a7 9f ae 00 00 00 00 00 4a"

Note that I do not remove the spaces from the serial number, and that
the csp is declared before the -repairstore option

brian

In article <9AC44233-EC66-471B...@microsoft.com>,
Ot...@discussions.microsoft.com says...

Otte

Nov 30, 2006, 7:45:02 AM
Brian

Thanks for the suggestion. I have run the command as you suggested below and
have also tried many different orders but always get the same result;
