I will show you how to recover a certificate using recovery agents. Make sure you have enabled certificate archiving first; otherwise you will not be able to recover the certificates. You can learn more about Key Archiving in Certificate Services.
Using a recovery agent, you can convert a certificate into an importable form and then import it on the user machine where the certificate was lost. First we will see how to convert a certificate into a .PFX file, which can be imported for any user.
Create a .PFX certificate using recovery agent:
Log in to the user machine as the recovery agent user (how to create recovery agent), open MMC and add the Certificates snap-in from Add/Remove Snap-in. Open the certificate's properties by double-clicking the certificate you want to export.
Click Copy to File; a wizard will start. Click Next and select the option “Yes, export the private key”.
Export the certificate as Personal Information Exchange (PFX). Set the password and select the location where you want to save the file. I have defined the path for this file as \\CA\C$\hr-cert.pfx, where CA is the name of the certificate server.
Now log in to the CA server as the recovery agent, go to the Certificates MMC, right-click the Personal folder and import the certificate that you exported in the step above from \\CA\C$\hr-cert.pfx.
Provide the password and also select the exportable key option.
Now open an administrative command prompt and run the following command, which will create a BLOB (binary large object) file for the user who lost the certificate. In my case this user is [email protected].
Then run the following command, which will create a PFX file from this BLOB file.
It will ask you for a password; provide the password and the PFX file will be created at \\CA\C$\hr-certificate.pfx, which you can import.
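The two commands referred to above are not reproduced on this page. As an added example (not the author's own commands), this is how the BLOB and PFX steps can be run with the built-in `certutil -getkey` and `certutil -recoverkey` verbs. The user name, working folder and file names are placeholders chosen for illustration.

```powershell
# Added example: recover an archived key with certutil on the CA server.
# Run from an elevated prompt as the recovery agent whose certificate and
# private key were imported into the Personal store in the steps above.

$User    = 'hr@example.test'       # placeholder UPN (constructed), not the page's user
$WorkDir = 'C:\KeyRecovery'        # assumed local working folder
$Blob    = Join-Path $WorkDir 'hr-certificate.blob'
$Pfx     = Join-Path $WorkDir 'hr-certificate.pfx'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: fetch the encrypted recovery BLOB for the user from the CA database.
# If more than one archived key matches, certutil does not write a single
# BLOB; rerun with the serial number of the certificate you need as the
# search token instead of the UPN.
certutil -getkey $User $Blob
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Blob)) {
    throw "certutil -getkey failed (exit $LASTEXITCODE). Check that key archiving is enabled."
}

# Step 2: decrypt the BLOB with the recovery agent's private key and write a
# password-protected PFX. certutil prompts for the new PFX password.
certutil -recoverkey $Blob $Pfx
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Pfx)) {
    throw "certutil -recoverkey failed (exit $LASTEXITCODE). Check that the recovery agent key is in this account's Personal store."
}

# The BLOB is no longer needed once the PFX exists.
Remove-Item $Blob -Force

# Restrict the PFX to the current account until it is handed to the user.
icacls $Pfx /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null
Write-Host "Recovered key written to $Pfx"
```

Delete the PFX from the working folder once the user has imported it, since it contains the user's private key.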
Import the certificate from the PFX file:
Now log in to the client system as the HR user, since I have exported the key for this user, and simply double-click hr-certificate.pfx. After the wizard completes, the certificate will be added to the user; you can verify this from the Certificates MMC console.