AD CS Key Archival Certutil -getkey
Hi guys,

After searching a while on the internet, I will post my question here. I'm trying to get a key from a certificate, so I enter this command in the command prompt:

certutil -getkey <serial_number> outputblob

with <serial_number> the serial number of the specific certificate. Now the answer I get is:

Recover blobs retrieved :0
CertUtil: -GetKey command FAILED: 0X80094004 (-2146877436)
CertUtil: The requested property value is empty.

What does this mean?

Jelle
March 14th, 2013 9:31am

This means that this certificate was not processed via the key archival mechanism. The private key associated with this certificate is not stored in the CA database and cannot be recovered.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
March 14th, 2013 10:02am

But when I open the MMC snap-in Certificate Authority and look at issued certificates, the column Archived Keys says YES. So it is processed via the key archival mechanism, isn't it? Thanks for the reply.
March 14th, 2013 10:06am

What format are you using for the serial number? You must either remove the spaces or surround the string with quotes. Finally, are you logged in to the CA as a person assigned Issue and Manage Certificates? These are the required permissions to run the -getkey option.

Brian
March 14th, 2013 10:36am

Hi, I have removed the spaces and also surrounded it with quotes, and it is the person assigned to issue, manage and recover keys/certificates. So I really don't know what's going on. Anyway, thanks for the reply.

certutil -getkey 2900001c1c77578304f64d3400000000001c outputblob

and

certutil -getkey "29 00 00 1c 1c 77 57 83 04 f6 4d 34 00 00 00 00 00 1c" outputblob
March 14th, 2013 10:40am

I'm trying this without the key being lost, could this be the problem? Do I have to delete the key?
March 14th, 2013 10:52am

Okay, I have checked the security tab of my CA, and the group my account was in had Issue and Manage Certificates rights, but I added my account to the security tab and gave it those rights. I restarted certsvc and it worked. So I don't really know why it wouldn't work the first time, because my user was added to the group that had those rights. Anyway, problem solved. Thanks for the replies!

Jelle
March 14th, 2013 11:13am

Basic group membership. Did you log off and log on so that the group mechanism was recognized? Brian
March 14th, 2013 12:03pm

Hmm, I didn't log off I think. So that would be the problem then.

Jelle
March 20th, 2013 8:41am
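
The cause the thread settles on, a new group membership that is not yet in the logon token, can be checked before running certutil -getkey. The script below is an added example, not code from any poster in the thread; the group name CONTOSO\PKI-CertManagers and the parameter names are assumptions to replace with your own.

```powershell
# Added example: pre-flight checks before "certutil -getkey".
# Assumption: $ManagerGroup is a hypothetical group that holds the CA
# permission discussed in the thread; replace it with your own group.
param(
    [string]$Serial       = '29 00 00 1c 1c 77 57 83 04 f6 4d 34 00 00 00 00 00 1c',
    [string]$ManagerGroup = 'CONTOSO\PKI-CertManagers',
    [string]$OutFile      = 'outputblob'
)

# 1. Normalise the serial number: strip spaces and colons, require pure hex.
$serialHex = ($Serial -replace '[\s:]', '').ToLowerInvariant()
if ($serialHex -notmatch '^[0-9a-f]+$') {
    throw "Serial number '$Serial' is not hexadecimal."
}

# 2. List the groups carried by the CURRENT logon token. A membership added
#    after logon is missing here until the user logs off and on again.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID that cannot be resolved to a name
}

if ($tokenGroups -notcontains $ManagerGroup) {
    Write-Warning "$ManagerGroup is not in the logon token of $($identity.Name). Log off and on, then retry."
    return
}

# 3. The token carries the group: attempt the retrieval and report the
#    exit code in the same hex form certutil prints.
& certutil.exe -getkey $serialHex $OutFile
if ($LASTEXITCODE -ne 0) {
    Write-Warning ("certutil -getkey failed with 0x{0:X8}" -f $LASTEXITCODE)
}
```

Running whoami /groups in the same session shows the same token contents by hand.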

This topic is archived. No further replies will be accepted.
