Side note for the future - it is useful to back up your personal certificates separately from your normal data backups. They are tiny - a small USB flash drive is plenty. Since it wouldn't get used much it is best to keep it in a static bag and locked up somehow so nobody steals it - if you have a small firesafe for your valuables keep it there.
Open Certificates MMC (certmgr.msc) and find your cert - export - include private key. This will back it up to a .pfx file that you can store on your thumbdrive.
by: Paranormastic Posted on 2009-09-01 at 09:59:29 ID: 25233561
The private keys are stored here: (subfolder named after SID)
%userprofile%\Application Data\Microsoft\Crypto\RSA\
There should be a bunch of files there that are random numbers and letters with no file extension.
Keep in mind 'all users' folder as well as multiple usernames, system, etc. %Userprofile% in XP is usually c:\documents and settings\Username\
You may need to take ownership of the folder and files and grant yourself permissions.
The cert itself - if you have copies in an email or something would be the easiest to recover that part, but you would need the private key to do anything with it above. Otherwise you can look here:
%userprofile%\Application Data\Microsoft\SystemCertificates
Note that some certificate types are tied to the user profile, such as EFS. Some are more portable, like email. For EFS, you will need to get a recovery tool like aefsdr. If you are able to recover the private key then that should work for you, if you can't then there's nothing you can do unless you had a data recovery agent (DRA) configured, which most folks don't unless you did it manually. XP pre-SP1 would have created it by default under the default admin account, but not after service packing unless you specified to create it. If this applies and you need more info on how to use it, just ask.
You don't need to boot to the other drive, but you will need to be able to access it - you can either slave it to your new system (if compatible) or get a USB hard drive enclosure that you can put the old drive into and then use a USB cable from the enclosure to your system - these are pretty cheap (20-30 USD or so) if you need one.
You can also try searching the drive for .pfx files if you had exported the cert with the private key.
After these are in place on the Vista box, you can run:
certutil -user -repairstore My %certid%
* My = the name of the store - if it was in the root store, replace with Root
* If it was a computer cert instead of a user cert, simply remove the -user context
* %certid% is the serial number or thumbprint of the cert. Use the private key filename - this is the thumbprint. Bear with my memory on this, I'm a little short on time to confirm before posting. I forget offhand if you should use the whole string of numbers uninterrupted (0132abc456abc798def012) or with spaces after every two numbers (01 32 ab c4 56 ab c7 98 de f0 12). It should be one or the other.
Hopefully this is enough to get you going, if not just post back.
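An added example, not part of the original post: a read-only PowerShell inventory of the two per-profile folders and any exported .pfx files on the attached old disk, plus both spellings of the certificate id that the post mentions for certutil. The drive letter `E:` and the function names are assumptions.

```powershell
# Added example: read-only inventory of an old XP disk attached to the new PC.
$OldDrive = 'E:'   # assumption: drive letter the old disk was given

# Per-profile folders named in the post (XP layout).
$relative = @{
    PrivateKey  = 'Application Data\Microsoft\Crypto\RSA'
    Certificate = 'Application Data\Microsoft\SystemCertificates'
}

function Get-OldCertMaterial {
    param([string]$Drive)
    Get-ChildItem -Path (Join-Path $Drive 'Documents and Settings') -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $user = $_
            foreach ($kind in $relative.Keys) {
                $dir = Join-Path $user.FullName $relative[$kind]
                if (-not (Test-Path $dir)) { continue }
                $denied = @()
                Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable denied |
                    Where-Object { -not $_.PSIsContainer } |
                    Select-Object @{n='Profile';e={$user.Name}}, @{n='Kind';e={$kind}}, FullName, LastWriteTime
                # Unreadable folders usually mean ownership/ACLs still belong to the old install.
                foreach ($e in $denied) { Write-Warning "Cannot read: $($e.TargetObject)" }
            }
        }
}

function Get-ExportedPfx {
    param([string]$Drive)
    Get-ChildItem -Path "$Drive\" -Recurse -Force -Filter '*.pfx' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Format-CertId {
    param([string]$Hex)
    $clean = ($Hex -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -eq 0 -or ($clean.Length % 2) -ne 0) { throw "Not whole hex bytes: '$Hex'" }
    New-Object PSObject -Property @{ Compact = $clean; Spaced = ($clean -replace '(..)(?!$)', '$1 ') }
}

Get-OldCertMaterial -Drive $OldDrive | Format-List
Get-ExportedPfx -Drive $OldDrive | Format-List

# Constructed id (the sample string from the post); prints both spellings, runs nothing.
$id = Format-CertId '01 32 ab c4 56 ab c7 98 de f0 12'
"certutil -user -repairstore My $($id.Compact)"
"certutil -user -repairstore My `"$($id.Spaced)`""
```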