Score: 7

I just reinstalled my Windows 7 OS and forgot to back up my Email Certificate for Outlook 2010 beforehand. Now I can't read any encrypted emails. When I try, it says "Cannot open this item. Your Digital ID name cannot be found by the underlying security system."

The certificate was issued by our internal Windows Certificate Authority and I can see it still in there but I don't suppose there is any way to import it back into my computer or any other way to read those encrypted emails?

The certificate is also in the GAL if that makes any difference, but I just tried to export it and there is no PFX option :(

MadHatter
Christian
    Lesson: certificates should not be used if you don't create a backup of them that includes the private key and password, and also a reminder to renew the certificate before it expires. – Greg Askew Jul 30 '12 at 14:50
  • Haha Thanks Greg. Not helpful but funny :) – Christian Jul 30 '12 at 14:51
  • Don't suppose that you have access to a time machine... – gWaldo Jul 31 '12 at 14:18
  • IT WORKED!!! Ar, but now my messages are back to front and you have no idea what I'm on about. You will have to read the next answer before this one. – Christian Aug 01 '12 at 10:34
  • The R&D team tell me they will have a test machine next week.. If it works, I will go back in time and write in here to let you know. – Christian Aug 01 '12 at 10:35

3 Answers

Score: 5

Encrypted mails are encrypted - if you have lost the private key and it is unrecoverable by other means, you would not have access to these messages in the foreseeable future.

To understand why this is so, you need to understand how certificates work: the public/private key pair is not generated by the CA but by the client, only the public key along with the identity information gets signed by the CA, so the CA never gets to see the private key. This is an integral part of the certificate's security - a compromised CA should not give the attacker the ability to decrypt all data encrypted in the past.

That said, if you are running an internal enterprise CA in your AD domain, chances are that your domain administrator has configured automatic key archival in the CA store. If this is the case, the CA administrator is able to recover the private key from the store.

Also, the certificate store including the keys is stored within the user's profile. So if you were using roaming profiles, this information has been copied to the server-located profile directory and likely can be recovered.

the-wabbit
  • "chances are that your domain administrator has configured automatic key archival"... that's me and no, I didn't :) nor roaming profiles. Nice to know information though. Thank you. – Christian Jul 30 '12 at 23:51
  • @Christian in this case all you can do is try using data recovery services to restore the data from your old user's profile. This is going to cost you though and chances for it to succeed are incalculable. – the-wabbit Jul 31 '12 at 08:15
  • Reinstalled onto the same hard drive.... :| – Christian Aug 01 '12 at 10:30
  • @Christian this is why recovery services would be needed - even a reinstall will only overwrite data blocks when it needs them for new data. As the user's profile has been updated long after your initial installation, chances are that it was occupying data blocks not yet overwritten by your fresh install. – the-wabbit Aug 01 '12 at 14:04
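The answer above makes the practical point: the private key lives only in the user's profile (unless key archival or roaming profiles copied it elsewhere), so the one defence is a backup taken while the key still exists. The script below is an added example, not code from the thread or from any of its participants. It enumerates the current user's personal certificate store, flags the certificates carrying the S/MIME (id-kp-emailProtection) EKU that Outlook uses, and writes each certificate that still has an exportable private key to a passphrase-protected PFX. It uses the .NET X509Certificate2 API rather than Export-PfxCertificate so that it also runs on the PowerShell 2.0 that ships with Windows 7. The backup folder and the passphrase prompt are illustrative assumptions.

```powershell
# Added example (not from the thread): back up every certificate in the current
# user's personal store that still has an exportable private key, as a
# passphrase-protected PFX. Run this BEFORE reinstalling, not after.
# Uses X509Certificate2.Export directly so it also works on the PowerShell 2.0
# that ships with Windows 7 (Export-PfxCertificate needs Windows 8 / 2012+).
# The default backup folder is an illustrative assumption.
param(
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'cert-backup')
)

$ErrorActionPreference = 'Stop'
$smimeOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection: the EKU Outlook looks for
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Prompt for the PFX passphrase; never hard-code it. A PFX plus its passphrase
# IS the private key, so store both somewhere other than the machine being rebuilt.
$pfxPassword = Read-Host -Prompt 'Passphrase to protect the PFX files' -AsSecureString

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Certificates without a private key (e.g. other people's public certs
    # cached for encryption) are not what we need to back up.
    if (-not $cert.HasPrivateKey) { continue }

    # Check whether this certificate is usable for S/MIME.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $isSmime = $false
    if ($eku) {
        $isSmime = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smimeOid })
    }

    $outFile = Join-Path $BackupDir ('{0}.pfx' -f $cert.Thumbprint)
    try {
        # Export throws (typically "Key not valid for use in specified state")
        # when the key was generated as non-exportable; there is no flag to override that.
        $bytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
            $pfxPassword)
        [System.IO.File]::WriteAllBytes($outFile, $bytes)
        Write-Host ('backed up {0} (S/MIME: {1}, expires {2}) -> {3}' -f `
            $cert.Subject, $isSmime, $cert.NotAfter, $outFile)
    } catch {
        Write-Warning ('{0}: private key is NOT exportable, cannot back it up from here. {1}' -f `
            $cert.Subject, $_.Exception.Message)
    }
}
```

Two caveats a practitioner would want. First, the export fails for keys marked non-exportable at enrolment; that is the case Greg Askew's answer addresses with a third-party tool, and the script reports it rather than working around it. Second, if the enterprise CA did archive the key (the asker confirms it did not), the recovery path is on the CA side, not the client: a CA administrator runs `certutil -config "<CAHost>\<CAName>" -getkey <serial-or-UPN> recovery.blob` and a Key Recovery Agent holder runs `certutil -recoverkey recovery.blob recovered.pfx`; the placeholders in angle brackets are the asker's own values, not anything from the thread.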
Score: 0

If you have access to a machine that has the certificate + private key, but it is marked as non-exportable, it can be exported with JailBreak. That's about the best option, and you still need the private key password to use it.

http://www.isecpartners.com/application-security-tools/jailbreak.html

Greg Askew
Score: -1

You will need to create a new key-pair and publish.

Then back them up.

gWaldo