Once the key recovery agent recovers the private key, the private key must be imported back into the original user's profile at his or her computer. The process is independent of which tool—certutil or the Key Recovery Tool—is used to retrieve the private key from the CA database.
To import the private key, the key recovery agent must provide the user with the PKCS #12 file and the password required to import the file. To ensure that an attacker cannot easily gain access to both the PKCS #12 file and its associated password, these two pieces of information should be transmitted to the original user separately. For example, the key recovery agent can send the PKCS #12 file to the user by e-mail and send the associated password to the user's voice mailbox.
Once the user receives both the PKCS #12 and the associated password, the following process imports the private key into the user's profile:
1. Ensure that you are logged on as the user associated with the private key is logged on at their computer.
2. Double-click the provided PKCS #12 file.
3. On the Certificate Import Wizard page, click Next.
4. On the File to Import page, click Next.
5. On the Password page, in the Password box, type the password provided by the key recovery agent.
6. Click Mark This Key as Exportable. This allows you to back up or transport your keys at a later time. Then click Next.
7. On the Certificate Store page, click Automatically Select the Certificate Store Based on the Type of Certificate and click Next.
8. On the Completing the Certificate Import Wizard page, click Finish.
9. In the Certificate Import Wizard message box, click OK.
Was this article helpful?