AD CS Key Recovery Agent problem
Hi, I currently have a 2008 AD CS setup with an offline root and an enterprise subordinate CA. I am testing out key recovery on the EntCA. I found an article on how to do this:
Certificate Services example implementation: Key archival and recovery
http://technet.microsoft.com/en-us/library/cc781351.aspx
I was following the process and everything works until Task 6, step 3.b. When running certutil -user -recoverkey outputblob keytest.pfx it fails with the following error:
CertUtil: -RecoverKey command FAILED: 0x8009200c (-2146885620)
CertUtil: Cannot find the certificate and private key to use for decryption.
While searching the internet for an answer I saw someone who had the exact same problem, however no answer was provided. Does anyone have any ideas how to resolve this? Or a checklist or process that works?
Thanks,
Craig
December 2nd, 2008 11:36am

It sounds like the Key Recovery Agent certificate and private key are not loaded in your profile. To perform the recovery, you must have the cert and its key available. When you ran certutil -getkey, which creates the outputblob file, did you take note of the thumbprint of the certificate that is the KRA for the encryption/decryption process? This is the certificate that you must have in the local profile for the recovery operation.
Brian
December 3rd, 2008 12:54pm
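A quick way to check the point Brian raises before retrying certutil -recoverkey. This is an added PowerShell diagnostic, not code from the thread or from Microsoft; it assumes you have the KRA thumbprint reported when the outputblob was created (the thumbprint value below is a placeholder) and checks the user and machine Personal stores for that certificate, its private key and the Key Recovery Agent EKU.

```powershell
# Added diagnostic (not from the thread): verify the KRA certificate named by
# its thumbprint is present with a usable private key in the profile that will
# run "certutil -user -recoverkey". The thumbprint passed at the end is a placeholder.
$KraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage OID

function Test-KraCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Normalise a thumbprint copied from certutil or the MMC (spaces/colons, case)
    $thumb  = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
    $found  = $false

    foreach ($store in $stores) {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) { continue }
        $found = $true

        # EnhancedKeyUsageList is populated by the Cert: provider
        $hasKraEku = $cert.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq $KraEkuOid }

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey          # must be True for -recoverkey
            KraEku        = [bool]$hasKraEku             # must be True for a KRA cert
            Expired       = $cert.NotAfter -lt (Get-Date)
        }
    }

    if (-not $found) {
        Write-Warning ("No certificate with thumbprint $thumb in CurrentUser\My or " +
                       "LocalMachine\My. Import the KRA .pfx (with its private key) " +
                       "into the profile that runs certutil -recoverkey.")
    }
}

# Placeholder: replace with the KRA thumbprint shown when outputblob was created
Test-KraCertificate -Thumbprint 'REPLACE_WITH_KRA_THUMBPRINT'
```

If the certificate is listed but HasPrivateKey is False, the .pfx was imported without its key (or into a different profile), which produces the same 0x8009200c failure the thread describes.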

Make sure of the KRA_agent membership and that it has enough privileges. The same thing happened to me. After adding the KRA user as a DOMAIN ADMIN it worked just fine. Hope it works for you.
Omar
September 5th, 2012 4:16pm
