Refer to Get-Certificate
I tried to request a certificate using PowerShell. It worked, but the certificate is not exportable. Here is my command:

Get-Certificate -Template "MyComputer" -SubjectName "CN=corey.com" -CertStoreLocation cert:\LocalMachine\My

When I try to export the certificate, it fails.

Export-PfxCertificate -Cert cert:\LocalMachine\My\$Thumbprint -FilePath C:\corey.com.pfx -Password $mypwd

The error message:

Export-PfxCertificate: Cannot export non-exportable private key.

I can't find any parameter like Exportable, or a property, for me to use with the Get-Certificate command. Is there any way to request/make a certificate exportable by using PowerShell?

Corey
  • See https://stackoverflow.com/questions/48915305/export-pfxcertificate-cannot-export-non-exportable-private-key – Scepticalist Jul 28 '20 at 08:26
  • @Scepticalist thanks for sharing but my critical problem is how can I make the certificate exportable while "requesting" by using PowerShell, any idea? – Corey Jul 28 '20 at 08:38
  • @Corey When you install the certificate it must be marked as exportable; if this isn't done, it's a one-way process. – David Martin Jul 28 '20 at 08:46
  • I think this will give you a child certificate from the Enrollment Server, which basically means that you need to export the Pfx from the Enrollment Server itself. Another option is to create a self-signed certificate using New-SelfSignedCertificate; then you will be able to export the pfx from the server you are at. – Daniel Björk Jul 28 '20 at 09:19

1 Answer

Because there is no parameter to make it exportable when using Get-Certificate, I use certreq as a replacement to achieve my goal, and I am posting it here hoping that it could help someone else.

Firstly, prepare an information file, and set Exportable to TRUE.

$file = @'
[NewRequest]
Subject = "CN=corey.com"
KeyLength = 2048
Exportable = TRUE
[RequestAttributes]
CertificateTemplate = "MyTemplate"
'@

Set-Content temp.inf $file

Secondly, type the following commands.

# create a new request from an .inf file
certreq -new temp.inf temp.req

# submit a request to the certificate authority
certreq -submit -config CAHostName\CAName temp.req temp.cer

# accept and install a response to a certificate request
certreq -accept temp.cer

Finally, export the certificate and assign a password for it.

$mypwd = ConvertTo-SecureString -String $password -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\$Thumbprint -FilePath C:\corey.com.pfx -Password $mypwd

For more details, please see certreq - Microsoft Docs

Corey
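
The steps from the answer above as one script; this is an added example, not part of the original post. It assumes an elevated prompt, the placeholder CA config string and template name from the answer, and a hypothetical working directory. `MachineKeySet = TRUE` is an addition here so the key lands in the LocalMachine store that the export reads from, and the thumbprint is read from the issued certificate instead of an undefined `$Thumbprint`.

```powershell
# Added example: request an exportable machine certificate with certreq,
# then export it to a password-protected PFX. Run from an elevated prompt.
$subject  = 'CN=corey.com'
$template = 'MyTemplate'             # template name used in the answer
$caConfig = 'CAHostName\CAName'      # placeholder from the answer
$work     = Join-Path $env:TEMP 'certreq-demo'   # assumed working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy. Exportable = TRUE marks the private key exportable at
# creation time; MachineKeySet = TRUE (added here) creates it in machine context.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE

[RequestAttributes]
CertificateTemplate = "$template"
"@ | Set-Content -Path "$work\temp.inf" -Encoding ASCII

# Create, submit and accept the request; stop on the first failing step.
certreq -new "$work\temp.inf" "$work\temp.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certreq -submit -config $caConfig "$work\temp.req" "$work\temp.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }
certreq -accept "$work\temp.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Resolve the installed certificate by the thumbprint of the issued .cer file.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\temp.cer"
$cert   = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate was installed without a private key.' }

# Prompt for the PFX password so it never appears in the script or history.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$work\corey.com.pfx" `
    -Password $pfxPwd -ErrorAction Stop | Out-Null

# Remove the intermediate request files; the PFX now holds the private key.
Remove-Item "$work\temp.inf", "$work\temp.req", "$work\temp.cer"
Write-Output "Exported $($cert.Thumbprint) to $work\corey.com.pfx"
```

The resulting PFX contains the private key, so store it with restrictive file permissions and delete it once it has been imported where it is needed.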