The archived flag is used to make certificates invisible to applications without deleting them from a user or machine store. For example, auto-enrollment sets this flag on a certificate when a new certificate has been enrolled.
In this post I want to show you how to set and unset this flag.
First of all we want to see whether we have a certificate in the certificate store with the archive flag set. I work on my machine as local administrator and so should you.
1. To do that, open an MMC and add the Certificates snap-in for either your user or the local machine, or both if you like.
Then enable the option to show archived certificates. It is an advanced view setting like the one you might know from Active Directory Users and Computers.
Note: You have to enable the archived certificates view for each snap-in separately. So in the picture above I did that for Certificates - Current User and for Certificates (Local Computer).
Now you see archived certificates in the MMC.
Note the letter A at the end. That is the sign that this certificate is flagged archived.
2. You can do the same by running a certutil command. The MMC does not give you an option to set the flag from there. So you have to use certutil to do that, see below.
Use certutil to see all certificates
certutil.exe -store my
will show you all certificates in the local machine store
================ Certificate 4 ================
Serial Number: 3dc344f3e2cf6dab48d7085ecd1bb849
NotBefore: 6/13/2012 2:17 PM
NotAfter: 6/12/2022 5:00 PM
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 80 3e 7f 62 5a be 5b 14 52 e3 65 dd 72 4d 59 98 cb 8a 30 d3
Key Container = IIS Express Development Certificate Container
Unique container name: fad662b360941f26a1193357aab3c12d_42f2ea6e-c662-4d0b-8b56-2f094a3a3dc9
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
So that certificate is number 4 in the certificate store. Let's write this down for later.
3. We will use certutil for un-archiving the certificate (and we can use it for archiving as well).
Here is the file to set the archive flag.
- Create a new file with Notepad and call it archive_set.inf
- paste these two lines into the archive_set.inf file
[Properties]
19 = Empty ; Add archived property
- save the file
Here is the file to remove the archive flag.
- Create a new file with Notepad and call it archive_remove.inf
- paste these 2 lines into the archive_remove.inf file
[Properties]
19 = ; Remove archived property
- save the file
4. Now you can toggle the archive flag as you desire:
You need the number you wrote down in step 2, or you can use the certificate serial number instead.
certutil.exe -repairstore my 4 archive_set.inf
certutil.exe -repairstore my 4 archive_remove.inf
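The same audit and toggle can be scripted without .inf files. The following is an added PowerShell example, not part of the original post: it uses the .NET X509Store API, the function names Open-Store, Get-ArchivedCert and Set-CertArchived are made up for this illustration, and it selects the certificate by thumbprint (the "Cert Hash(sha1)" value from certutil) instead of the store index, because the index can change when certificates are added or removed.

```powershell
# Added example. Open-Store, Get-ArchivedCert and Set-CertArchived are hypothetical names.
function Open-Store {
    param([string]$Location, [bool]$Writable)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    $mode = if ($Writable) { 'ReadWrite' } else { 'ReadOnly' }
    # IncludeArchived is required: without it, archived certificates are skipped
    # during enumeration, which is exactly why applications do not see them.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]"$mode, IncludeArchived, OpenExistingOnly"
    $store.Open($flags)
    return $store
}

# List every archived certificate in the "My" store of the given location.
function Get-ArchivedCert {
    param([ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine')
    $store = Open-Store -Location $Location -Writable $false
    try {
        $store.Certificates | Where-Object { $_.Archived } |
            Select-Object SerialNumber, Thumbprint, Subject, NotAfter
    } finally { $store.Close() }
}

# Set or clear the archived flag (certificate property 19) on exactly one certificate.
function Set-CertArchived {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][bool]$Archived,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )
    $hash = $Thumbprint -replace '\s', ''   # accept certutil's "80 3e 7f ..." format
    $store = Open-Store -Location $Location -Writable $true
    try {
        $match = @($store.Certificates | Where-Object { $_.Thumbprint -eq $hash })
        if ($match.Count -ne 1) {
            throw "Expected exactly one certificate with thumbprint $hash, found $($match.Count)."
        }
        # The certificate context belongs to the writable store, so the change persists.
        $match[0].Archived = $Archived
    } finally { $store.Close() }
}

# Usage with the certificate from the certutil output shown in step 2:
# Get-ArchivedCert -Location LocalMachine
# Set-CertArchived -Thumbprint '80 3e 7f 62 5a be 5b 14 52 e3 65 dd 72 4d 59 98 cb 8a 30 d3' -Archived $false
```

Run it from an elevated prompt when working with the LocalMachine store; running Get-ArchivedCert before and after a change confirms that the flag was actually toggled.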
See also http://blogs.technet.com/b/pki/archive/2007/02/22/how-to-manually-set-the-archive-flag-for-certifictes.aspx