Old or new private key?
Hi,
On a Windows Server 2008 R2 I want to check whether the private key for a certificate has been renewed.
How can I see or check whether the private key is the old one or a new private key? Is this possible?
Thanks for your help.
Faithfully,
Ewoki
July 27th, 2011 3:55pm
The only way is to check the Subject Key Identifier extension in both certificates. If the certificate was renewed with the existing key pair, the SKI will be identical. Otherwise a new key pair was used for the renewal.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 27th, 2011 4:14pm
Hi,
thanks for the answer.
I have done the following steps:
- Verify that the certificate has a private key (seen in certificates-mmc).
- Export the certificate with the private key into a pfx file and delete the private key after the export.
- Verify that the certificate has no private key (seen in certificates-mmc).
- Using commandline: certutil -repairstore my "[serialnr. of the exported cert]"
The certutil command has the following at the end of its output:
[...]
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -repairstore command completed successfully.
- Now, the certificate has a valid private key again (seen in certificates-mmc).
The Subject Key Identifier of the certificate is always the same :-( and has not changed.
Now my question is whether the private key was restored although I had deleted the private key before that. If yes, how can I prevent the restore of the old "original" private key, so that I can recover the old private key only from the pfx file?
Thanks for your support.
Faithfully,
Ewoki
July 27th, 2011 4:55pm
Here is a response from Windows PKI team (I really didn't have an answer):
The certmgr U/I says the private key is available when the cert has a property attached (CERT_KEY_PROV_INFO_PROP_ID) that holds the key container name and provider name.
It does not verify that the key actually exists.
If the key is deleted and the cert is not, then the CERT_KEY_PROV_INFO_PROP_ID property will remain attached to the cert and reference a key that doesn't exist.
This is expected when the key is deleted and the cert is not deleted.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 27th, 2011 7:13pm
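A way to automate both points made above (compare the SKI of the old and new certificate, and check whether the key container a certificate refers to can actually be opened rather than trusting what the MMC shows), as an added PowerShell example that is not from this thread or from the PSPKI module; the store path and the two thumbprints are placeholders.

```powershell
# Added example (not from this thread). Compares the Subject Key Identifier of two
# certificates and checks whether the private key each one references really exists.
# The thumbprints below are placeholders; replace them with your own.
$StorePath     = 'Cert:\LocalMachine\My'
$OldThumbprint = 'REPLACE_WITH_OLD_CERT_THUMBPRINT'
$NewThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'

function Get-SubjectKeyIdentifier {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.14 is the Subject Key Identifier extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($null -eq $ext) { return $null }
    return ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$ext).SubjectKeyIdentifier
}

function Test-PrivateKeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only reports that CERT_KEY_PROV_INFO_PROP_ID is attached to the
    # certificate, which is exactly what the MMC shows. Reading .PrivateKey makes the
    # CSP open the key container, which fails (exception or $null) when the key is gone.
    # Note: for CNG (KSP) keys this legacy property may also fail; treat that as "unknown".
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        return ($null -ne $Cert.PrivateKey)
    } catch {
        return $false
    }
}

$old = Get-Item (Join-Path $StorePath $OldThumbprint)
$new = Get-Item (Join-Path $StorePath $NewThumbprint)

$oldSki = Get-SubjectKeyIdentifier $old
$newSki = Get-SubjectKeyIdentifier $new

if ($oldSki -and $newSki -and ($oldSki -eq $newSki)) {
    "Same SKI ($oldSki): the renewal reused the existing key pair."
} else {
    "Different SKI (old=$oldSki, new=$newSki): a new key pair was used."
}

foreach ($c in @($old, $new)) {
    $usable = Test-PrivateKeyUsable $c
    "{0}: key property attached = {1}; key container actually opens = {2}" -f `
        $c.Thumbprint, $c.HasPrivateKey, $usable
}
```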
Thanks for the answers. This was very helpful. Really a good job :-).
Have a good time.
Faithfully,
Ewoki
July 28th, 2011 8:05am