Monday, November 17, 2014

How to archive and un-archive certificates

You might be aware that certificates can be flagged as archived on a Windows machine. That has nothing (as in nada) to do with key archival, which is performed by the Certification Authority if it is configured there.
The archive flag is used to make certificates invisible to applications without deleting them from a user or machine store. For example, auto-enrollment sets this flag on the previous certificate once a new certificate has been enrolled.
In this post I want to show you how to set and unset this flag.

First of all we want to see whether there is a certificate in the certificate store with the archive flag set. I work on my machine as local administrator, and so should you.

1. Open an MMC and add the Certificates snap-in for either your user or the local machine, or both if you like.

Then enable the Archived certificates view option. That works like the advanced view setting you might know from Active Directory Users and Computers.


Note: You have to enable the Archived certificates view for each snap-in separately. In the picture above I did that for Certificates - Current User and for Certificates (Local Computer).


Now you see archived certificates in the MMC.



Note the letter A at the end of the row. That is the sign that this certificate is flagged as archived.


2. You can do the same by running a certutil command. The MMC does not give you an option to set the flag, so you have to use certutil for that; see below.


Use certutil to see all certificates

certutil.exe -store my

will show you all certificates in the local machine store (the MY store):

...
================ Certificate 4 ================
Archived!
Serial Number: 3dc344f3e2cf6dab48d7085ecd1bb849
Issuer: CN=localhost
 NotBefore: 6/13/2012 2:17 PM
 NotAfter: 6/12/2022 5:00 PM
Subject: CN=localhost
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 80 3e 7f 62 5a be 5b 14 52 e3 65 dd 72 4d 59 98 cb 8a 30 d3
  Key Container = IIS Express Development Certificate Container
  Unique container name: fad662b360941f26a1193357aab3c12d_42f2ea6e-c662-4d0b-8b56-2f094a3a3dc9
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
....


So that certificate is number 4 in the certificate store. Let's write this down for later.


3. We will use certutil to un-archive the certificate (and we can use it for archiving as well).

Here is the file to set the archive flag.
- Create a new file with Notepad and call it archive_set.inf
- Paste these two lines into the archive_set.inf file

[Properties]
19 = Empty ;

- Save the file


Here is the file to remove the archive flag.
- Create a new file with Notepad and call it archive_remove.inf
- Paste these two lines into the archive_remove.inf file

[Properties]
19 =          ;

- Save the file


4. Now you can toggle the archive flag as you desire.

You need the certificate number you wrote down in step 2, or you can use the certificate serial number instead.


flag on

certutil.exe -repairstore my 4 archive_set.inf


flag off

certutil.exe -repairstore my 4 archive_remove.inf
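As an added example (not from the original post), the same listing and toggling done from PowerShell through the .NET X509Store API, which exposes property 19 (CERT_ARCHIVED_PROP_ID, the same property the .inf files above write) as the Archived property. It assumes an elevated session when working on the local machine store; the thumbprint in the usage line is the SHA-1 hash from the certutil output above.

```powershell
# Added example (not from the original post): list certificates in a store,
# including archived ones, and set or clear the archive flag (property 19,
# CERT_ARCHIVED_PROP_ID) on one certificate chosen by thumbprint. Needs an elevated session for LocalMachine.
function Get-ArchivedCertificates {
    param(
        [string]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    # IncludeArchived is the API equivalent of the MMC "Archived certificates" view option;
    # without it, archived certificates are silently left out of the enumeration.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
                [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived)
    try {
        foreach ($cert in $store.Certificates) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Archived   = $cert.Archived   # $true when property 19 is set
            }
        }
    } finally {
        $store.Close()
    }
}

function Set-CertificateArchiveFlag {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][bool]$Archived,
        [string]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite -bor
                [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived)
    try {
        $match = @($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() })
        if ($match.Count -ne 1) { throw "Expected exactly one certificate with thumbprint $Thumbprint, found $($match.Count)" }
        $match[0].Archived = $Archived   # sets or clears property 19 on the store context, like certutil -repairstore
        $match[0].Archived               # read back so the caller can verify the new state
    } finally {
        $store.Close()
    }
}

# Usage: Get-ArchivedCertificates | Where-Object Archived | Format-Table
# Set-CertificateArchiveFlag -Thumbprint '803E7F625ABE5B1452E365DD724D5998CB8A30D3' -Archived $false
```

Run Get-ArchivedCertificates again after toggling, or certutil.exe -store my, to confirm the "Archived!" line appears or disappears for that certificate.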





See also: http://blogs.technet.com/b/pki/archive/2007/02/22/how-to-manually-set-the-archive-flag-for-certifictes.aspx