Export-PfxCertificate : Cannot export non-exportable private key

Question

I am attempting to export my self-signed certificate so I can import it to other Servers in my development environment (will use "real" certs for Production), but it throws the following error:

Export-PfxCertificate : Cannot export non-exportable private key

The requirements are that I need to export the cert and "allow the private key to be exported", but am curious what I am missing. My PowerShell is as follows:

$pwd = ConvertTo-SecureString -String ‘1234’ -Force -AsPlainText
$path = 'cert:\localMachine\my\' + '1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E' 
Export-PfxCertificate -cert $path -FilePath c:\Certificates\cert.pfx -Password $pwd

Chek this old SO post: https://stackoverflow.com/questions/3914882/how-to-export-non-exportable-private-key-from-store Not sure there's an out-of-box way to accomplish with powershell, but maybe coupled with mimikatz or jailbrea you could do this in bulk in a loop — trebleCode, Feb 21 '18 at 21:37
I have a script I wrote for exporting certs in batch... Not sure if it'll help but be worth a shot https://github.com/crshnbrn66/certlib/blob/master/certLib.ps1 — Thom Schumacher, Feb 28 '18 at 15:02

score 23 · Accepted Answer · answered Feb 27 '18 at 07:49

23

The problem isn't with the powershell code. The problem is with the certificate.

When a certificate is first imported or created, the private key must be marked as exportable in order for you to be able to export the private key.

The error message you have received indicates that the private key is not exportable on the certificate you are trying to use.

Example Issue

answered Feb 27 '18 at 07:49

Kriss Milne

509
2
4

8

The Example link is broken. – Roland Feb 02 '21 at 11:19
@Roland https://mskb.pkisolutions.com/kb/232154 – olfek Jun 09 '23 at 20:39

score 8 · Answer 2 · answered Apr 22 '19 at 17:02

8

Maybe too late, but have you tried to run PowerShell script as administrator? (If you can export private key from mmc console, Export-PfxCertificate will export it also.)

answered Apr 22 '19 at 17:02

dzon

89
1
2

You don't need to be administrator to export your keys, but the keys need to be available to export them. – RalfFriedl Apr 22 '19 at 17:08
3

If I start script as user, I can only export the public key from \LocalMachine\My. Also, Export-PfxCertificate returns error "Cannot export non-exportable private key". But, if I start PS from elevated Command Prompt, there is no error and the PFX file contains pub and priv key. – dzon Apr 22 '19 at 22:19
If you can export the certificate manually in `certlm.msc`, because it is marked as exportable, but you still get this error in PowerShell, then this is the solution. For example, you cannot export IIS certificates if you are non-elevated. – jdm Mar 31 '20 at 12:08

score 7 · Answer 3 · answered Dec 30 '19 at 14:24

I know this is an older question, but I wanted to post my solution as I was having this same problem. I too was getting the dreaded Export-PfxCertificate : Cannot export non-exportable private key error while trying to export my PFX file. The problem started after loading my code-signing certificate on my Windows machine. When I went to export it, the export to PFX option was grayed out without further explanation. I then followed many of the instructions listed here, including Powershell Export-PfxCertificate. None of these worked. I finally went back to my Certificate provider GoDaddy and they informed me that in my Original Certificate Signing Request (CSR) I did not check the box Make Private Key Exportable. GoDaddy graciously, and without cost, allowed me to submit a new CSR (with that option checked,) to 'Rekey' my existing certificate. Within a couple of hours, my new certificate was issued. I installed it on my machine and was able to export directly from Windows MMC (no need to PowerShell.) I've included this screenshot of the box that must be checked when creating your CSR (may look different on different platforms.)

score 2 · Answer 4 · answered Feb 27 '18 at 04:37

I did a quick search, and you can use certutil or better is probably the solution from http://community.idera.com/powershell/powertips/b/tips/posts/exporting-certificate-with-private-key.

Relevant code from that post has been pasted below. 100% attribution to the author of that page.

dir cert:\currentuser\my | 
Where-Object { $_.hasPrivateKey } | 
Foreach-Object { [system.IO.file]::WriteAllBytes(
"$home\$($_.thumbprint).pfx", 
($_.Export('PFX', 'secret')) ) }

score 1 · Answer 5 · answered Aug 28 '21 at 00:54

1

Use Import-PfxCertificate with parameter -Exportable

Get-ChildItem -Path c:\mypfx\my.pfx | Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Exportable

answered Aug 28 '21 at 00:54

Barry MSIH

3,525
5
32
53

score 0 · Answer 6 · answered Mar 26 '18 at 13:42

check my Code below.

#Ask for the Name 
$name = Read-Host "Certificate Name "

# Check if the Path exists
$Path = "D:\Provisioning\certmgmt\$name.txt"
$TestPath = Test-Path $Path
if ($TestPath -ne "true")
{
    Write-Host "The Path $Path do not exist" -ForegroundColor Red
    Pause
    exit
}

# Import the certificate
$result = Import-Certificate -FilePath $Path -CertStoreLocation "Cert:\LocalMachine\My" 

# Get the serialnumber of the certificate
$Thumbprint = $result.Thumbprint

# Set the FriendlyName
(Get-ChildItem -Path Cert:\LocalMachine\My\$Thumbprint).FriendlyName = $name  

# Export the Certificate
$answer = Read-Host "Export Certificate? (Y/N)"

if ($answer -eq "N" -or $answer -eq "n")
{
    exit
}


    try
    {
       $mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
       Get-ChildItem -Path cert:\localMachine\my\$Thumbprint | Export-PfxCertificate -FilePath C:\$name.pfx -Password $mypwd
    }
    catch
    {
      Write-Host $Error -ForegroundColor Red
      pause
      exit
    }

    Write-Host "Export the Certifikate was successful" -ForegroundColor Green

score 0 · Answer 7 · answered Jun 29 '23 at 23:17

Even if the certificate is marked as non-exportable, certificates can still be exported from the registry on the source server and re-imported into the registry on the target server.

First you'll need the certificate's thumbprint. (The question assumes you have this.)

#PowerShell5
$cert = Get-ChildItem -Path Cert:\ -Recurse | Where-Object Subject -Like '*example.com*'
$cert | Select-Object Subject, Thumbprint

Let's say the thumbprint is 1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E. Now export this registry key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E

and import it into your target server.

Source: https://www.yuenx.com/2022/certificate-security-export-cert-with-non-exportable-private-key-marked-as-not-exportable-windows-pki/

Export-PfxCertificate : Cannot export non-exportable private key

7 Answers7

Linked