When a private key must be recovered from a CA, the certificate manager and key recovery agent must work together to extract the encrypted BLOB from the CA database, decrypt the private key from the encrypted BLOB, and distribute the PKCS #12 file to the original user.
This process can be performed at a command prompt by running the certutil.exe utility.
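The two-role procedure described above, written out as an added PowerShell example (not code from the original page). The CA config string, the certificate serial number used as the search token and the working directory are placeholders; certutil's `-getkey` and `-recoverkey` verbs are the real ones.

```powershell
# Added example: CA key recovery driven by certutil.exe, split into the
# certificate manager step and the key recovery agent (KRA) step.
# Values marked PLACEHOLDER are assumptions, not taken from the page.
param(
    # PLACEHOLDER: CA config string in the form "CAHostName\CAName".
    [string]$CaConfig = 'ca01.corp.example\Corp-Issuing-CA',
    # PLACEHOLDER: serial number of the certificate whose key was archived.
    # certutil -getkey also accepts a cert hash or the user's UPN as the token.
    [string]$SearchToken = '1a2b3c4d000000000001',
    [string]$WorkDir = 'C:\KeyRecovery'
)

$blob = Join-Path $WorkDir "$SearchToken.blob"
$pfx  = Join-Path $WorkDir "$SearchToken.pfx"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1 (certificate manager role): extract the archived key from the
# CA database. The blob is still encrypted to the KRA certificate, so this
# step alone exposes no private key and needs no KRA credentials.
certutil -config $CaConfig -getkey $SearchToken $blob
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed ($LASTEXITCODE)" }

# Step 2 (key recovery agent role): decrypt the blob. This must run where
# the KRA's private key is present in the certificate store; certutil
# prompts for the password that will protect the resulting PKCS #12 file.
certutil -recoverkey $blob $pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed ($LASTEXITCODE)" }

# Step 3: the .pfx is now the only artifact carrying the recovered key.
# Remove the intermediate blob, hand the .pfx to the original user over a
# secure channel, and transmit its password separately.
Remove-Item $blob -Force
Write-Host "Recovered key written to $pfx"
```

In practice the two certutil steps are usually run by different people on different machines; the script shows them together only to make the hand-off between roles explicit.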
The Key Recovery Tool that shipped with Windows Server 2003 is no longer provided. It can still be used to recover certificates archived on Windows Server 2003 enterprise CAs, but it is not supported for Windows Server 2008 CAs.
The certutil.exe ...