KRA - Key Recovery Failure
Hi All, I am attempting to recover a private key for one of our users. We have 1 KRA specified in our infrastructure. I have verified that the KRA is listed in the KRA Container in AD as well as in the local computer store (KRA) on the CA.

When I issue the following command:

    certutil -config CANAME\Issuing-CA-01 -v -getkey 12345678901234567890

I get the error:

    CertUtil: -GetKey command FAILED: 0x80092004 (-2146885628)
    CertUtil: Cannot find object or property.

Research of this error points to the lack of the KRA certificate existing in the HKLM\KRA store on the CA. I have verified that the cert does in fact exist in the KRA store on the CA and that the serial number and hash match the certificate as well as the certificate that is published in the KRA Container in AD. When I run the following command to list the certs in the KRA store on the CA, 1 cert is found (as expected):

    C:\Users\User>certutil -store KRA
    KRA
    ================ Certificate 0 ================
    Serial Number: abcdef1234567890abcd
    Issuer: CN=CANAME, DC=contoso, DC=com
     NotBefore: 1/20/2011 10:24 AM
     NotAfter: 1/21/2013 9:37 AM
    Subject: CN=krauser, CN=Users, DC=contoso, DC=com
    Non-root Certificate
    Template: KeyRecoveryAgent, Key Recovery Agent
    Cert Hash(sha1): aa bb cc dd ee ff 11 22 33 44 55 66 77 88 99 aa bb cc dd ee
    No key provider information
    Encryption test passed
    CertUtil: -store command completed successfully.

However, I am unable to create the encrypted blob to be used with the "RecoverKey" parameter, as the "GetKey" command fails with the above error. Furthermore, in the GUI for Certificate Services, under Properties of the CA, on the "Recovery Agents" tab, I can see the KRA certificate and the status is "Valid". Nothing on the web, by the way, sheds any light except for the TechNet article, which points to the KRA cert not being available in the KRA store on the CA (which it is). Any ideas? TIA!!
May 5th, 2011 1:00am

The getkey operation requires that the user have Issue and Manage Certificates permissions at the CA. This is the first thing that I would check. This step is prior to the recoverkey operation, so it is not tied in any way to whether you have the KRA certificate properly loaded in your profile (it does appear to be OK). I would manually check from the GUI that the certificate is in the CA database that you are connecting to and that the key is archived (turn on the Archived Key column in the view options).

Brian
May 5th, 2011 2:37am

Interesting... I have Issue and Manage Certificates rights, not a problem. When I added the "Archived Key" column, not a single one of my certs is archived, or at least nothing shows up in this column... Kind of makes sense why "Cannot find object" if it doesn't exist... Let me find a cert (EFS most likely) that is archived and I will test recovery on that. Posting results shortly. Good help so far!
May 5th, 2011 2:40am

Issue was not really an issue at all. Turned out the cert I was trying to get the key for DID NOT have the key archived. It was a digital signature template which specified NOT to archive the key. When I tried the above process on an EFS cert (Encryption), all is well... Doh! ;) Thanks!
May 5th, 2011 2:46am
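The checks the thread walks through, as an added PowerShell example that is not code from the thread or from Microsoft: confirm the CA database row for the certificate actually has an archived key (the same information as the "Archived Key" column in the CA console), confirm the KRA certificate that key was archived to is in the CA's KRA store, and only then run -getkey at the CA and -recoverkey as the KRA. It assumes certutil.exe is on PATH, the caller holds Issue and Manage Certificates on the CA, a single KRA as in the thread, English certutil output (the column labels are parsed as text), and uses the CA config string and serial number from the post as placeholders; the function names are the example's own.

```powershell
# Added example, not from the thread. Placeholders: the CA config string and
# serial below are copied from the post and are not real identifiers.
param(
    [string]$CAConfig = 'CANAME\Issuing-CA-01',
    [string]$Serial   = '12345678901234567890',
    [string]$OutDir   = (Join-Path $env:TEMP 'keyrecovery')
)

function Invoke-Certutil {
    # Run certutil.exe, capture stdout and stderr as plain strings, keep the exit code.
    param([string[]]$ArgList)
    $lines = & certutil.exe @ArgList 2>&1 | ForEach-Object { "$_" }
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Lines = $lines }
}

function Get-ArchivedKeyStatus {
    # Read the KeyRecoveryHashes column of the CA database row for this serial.
    # It holds the SHA-1 hash of the KRA certificate the archived key was encrypted
    # to; certutil prints EMPTY when the row has no archived key at all.
    param([string]$CAConfig, [string]$Serial)
    $r = Invoke-Certutil @('-config', $CAConfig, '-view',
                           '-restrict', "SerialNumber=$Serial",
                           '-out', 'RequestID,CertificateTemplate,KeyRecoveryHashes')
    if ($r.ExitCode -ne 0) { throw "certutil -view failed:`n$($r.Lines -join "`n")" }
    if (($r.Lines -join "`n") -notmatch 'Row 1:') { throw "No CA database row has serial $Serial" }

    $requestId = ($r.Lines | Where-Object { $_ -match '^\s*Request ID:.*\((\d+)\)' } |
                  ForEach-Object { $Matches[1] } | Select-Object -First 1)
    $template  = ($r.Lines | Where-Object { $_ -match '^\s*Certificate Template:\s*(.+)$' } |
                  ForEach-Object { $Matches[1].Trim('"') } | Select-Object -First 1)
    $hashes = @()
    $hashLine = $r.Lines | Where-Object { $_ -match '^\s*Key Recovery Agent Hashes:\s*(.*)$' } |
                Select-Object -First 1
    if ($hashLine -and $hashLine -notmatch ':\s*EMPTY\s*$') {
        # Assumption: one KRA, so one 40-hex-digit hash on the line (spaces and quotes removed).
        $hashes = @([regex]::Matches(($hashLine -replace '^[^:]*:', '') -replace '[\s"]', '',
                                     '[0-9a-fA-F]{40}') | ForEach-Object { $_.Value.ToLowerInvariant() })
    }
    return [pscustomobject]@{ RequestID = $requestId; Template = $template; Hashes = $hashes }
}

function Get-KraStoreHashes {
    # SHA-1 hashes of the KRA certificates in the CA's local KRA store (HKLM\KRA).
    $r = Invoke-Certutil @('-store', 'KRA')
    if ($r.ExitCode -ne 0) { throw "certutil -store KRA failed:`n$($r.Lines -join "`n")" }
    return @($r.Lines | ForEach-Object {
        if ($_ -match '^\s*Cert Hash\(sha1\):\s*(.+)$') { ($Matches[1] -replace '\s', '').ToLowerInvariant() }
    })
}

function Invoke-KeyRecovery {
    param([string]$CAConfig, [string]$Serial, [string]$OutDir, [securestring]$PfxPassword)

    $status = Get-ArchivedKeyStatus -CAConfig $CAConfig -Serial $Serial
    if ($status.Hashes.Count -eq 0) {
        # The 0x80092004 case from the thread: the row exists, but nothing was archived,
        # so -getkey has nothing to return. Only templates with "Archive subject's
        # encryption private key" set archive a key; signature-only templates never do.
        Write-Warning "Request $($status.RequestID) ($($status.Template)) has no archived key; -getkey cannot succeed."
        return $null
    }
    $missing = $status.Hashes | Where-Object { (Get-KraStoreHashes) -notcontains $_ }
    if ($missing) {
        Write-Warning "Key was archived to KRA cert(s) not in the CA's KRA store: $($missing -join ', ')"
    }

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $blob = Join-Path $OutDir "$Serial.rec"
    $pfx  = Join-Path $OutDir "$Serial.pfx"

    # Step 1, at the CA: export the encrypted archived-key blob. Needs Issue and
    # Manage Certificates on the CA; the KRA private key is not involved yet.
    $r = Invoke-Certutil @('-config', $CAConfig, '-getkey', $Serial, $blob)
    if ($r.ExitCode -ne 0) { throw "certutil -getkey failed:`n$($r.Lines -join "`n")" }

    # Step 2, as the KRA: decrypt the blob with the KRA private key from the current
    # user's profile and write a password-protected PFX.
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    $r = Invoke-Certutil @('-p', $plain, '-recoverkey', $blob, $pfx)
    if ($r.ExitCode -ne 0) { throw "certutil -recoverkey failed:`n$($r.Lines -join "`n")" }
    return $pfx
}

$pfxPath = Invoke-KeyRecovery -CAConfig $CAConfig -Serial $Serial -OutDir $OutDir `
                              -PfxPassword (Read-Host -AsSecureString 'Password for recovered PFX')
if ($pfxPath) { "Recovered key written to $pfxPath" }
```

Step 1 and step 2 are normally run by different people (a certificate manager at the CA, then the KRA holder), so in practice the .rec blob is handed over between them; the script runs both in one session only for illustration. Treat the resulting PFX as the user's private key material and delete the blob and PFX once they have been delivered.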
