Key Archival: Recovery

EJBCA allows the CA Administrator to recover the private key, given that key recovery was enabled for the end entity profile when the certificate was created. For information on enabling key recovery for end entity profiles, see Part 3a: EJBCA Configuration.

To recover the private key, do the following:

Open the Microsoft Management Console (mmc.exe).
Click File, then click Add/Remove Snap-in.
Choose Certificates and then click Add, then click OK.
Expand Certificates - Current User, then expand Personal, and click Certificates.
Double-click the certificate for which the private key needs to be recovered, to open the certificate information window.
Open the Details tab.
Select the Serial number row to display the serial number in the text area below the list.
Copy the HEX formatted serial number.
In EJBCA, click RA Web.
Hold the pointer over Search, and then click Certificates to open search certificate page.
On the Search for Certificates page, paste the serial number in the search text field.
Remove spaces between the letters in the serial number to display a row of information about the certificate.
Click View at the end of the row to view the certificate details.
Click Recover Key and enter the following:
- Enter Enrollment Code (New).
- Enter Confirm Enrollment Code.
- Copy End Entity Identifier (username).
Click Confirm request to display a confirmation message at the top of the page saying Key recovery performed successfully. Certificate ready for enrollment.
Click Use Username under Enroll.
On the Enroll with Enrollment code page:
- Paste the Username.
- Enter an Enrollment code.
Click Check.
Click Download PKCS#12 to download the .p12 file containing the private key.
Transfer the file to the target computer.
Right-click the file, select Install PFX and follow the on-screen instructions.

You have now completed the steps to recover the private key.