Kode

Reputation: 3215

Export-PfxCertificate : Cannot export non-exportable private key

I am attempting to export my self-signed certificate so I can import it to other Servers in my development environment (will use "real" certs for Production), but it throws the following error:

Export-PfxCertificate : Cannot export non-exportable private key

The requirements are that I need to export the cert and "allow the private key to be exported", but am curious what I am missing. My PowerShell is as follows:

# Straight quotes: the curly quotes in the original paste are not valid PowerShell string delimiters
$pwd = ConvertTo-SecureString -String '1234' -Force -AsPlainText
$path = 'cert:\localMachine\my\' + '1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E'
Export-PfxCertificate -cert $path -FilePath c:\Certificates\cert.pfx -Password $pwd

Upvotes: 16

Views: 63947

Answers (7)

durette

Reputation: 424

Even if the certificate is marked as non-exportable, certificates can still be exported from the registry on the source server and re-imported into the registry on the target server.

First you'll need the certificate's thumbprint. (The question assumes you have this.)

#PowerShell5
$cert = Get-ChildItem -Path Cert:\ -Recurse | Where-Object Subject -Like '*example.com*'
$cert | Select-Object Subject, Thumbprint

Let's say the thumbprint is 1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E. Now export this registry key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E

and import it into your target server.

Source: https://www.yuenx.com/2022/certificate-security-export-cert-with-non-exportable-private-key-marked-as-not-exportable-windows-pki/

Upvotes: 2
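The registry export above, written out with reg.exe plus the check a practitioner wants on the target. This is an added example, not code from the answer or its linked post; it assumes the thumbprint from the question, a C:\Certificates folder and a helper name (Test-CertPrivateKey) of my own. The registry key holds the certificate blob and its key-provider property, while the key material itself lives in the key storage provider's container and is protected by that machine's DPAPI keys, so on the target HasPrivateKey can be true while the key does not actually open; the check below therefore tries to load the key rather than trusting the property.

```powershell
# Added example (not from the answer above). Assumed values: the thumbprint
# from the question, C:\Certificates as a working folder, Test-CertPrivateKey
# as a helper name of my own.
$Thumbprint = '1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E'
$RegKey     = "HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\$Thumbprint"
$RegFile    = "C:\Certificates\$Thumbprint.reg"

# Source server (run elevated: the LocalMachine store keys are not writable
# by standard users). reg.exe returns a non-zero exit code on failure.
reg.exe export $RegKey $RegFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed for $RegKey" }

# Copy $RegFile to the target server, then on the target (elevated):
#   reg.exe import C:\Certificates\<thumbprint>.reg

# Target server: verify that a private key is really usable, not just referenced.
function Test-CertPrivateKey {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # HasPrivateKey only reflects the key-provider property copied with the
    # registry key; it says nothing about whether the key container exists here.
    if (-not $cert.HasPrivateKey) { return $false }

    try {
        # Opening the key fails with "Keyset does not exist" when the container
        # was not brought over with the certificate.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        return ($null -ne $rsa)
    }
    catch {
        Write-Warning "Private key for $Thumbprint is not usable here: $_"
        return $false
    }
}

Test-CertPrivateKey -Thumbprint $Thumbprint
```

If Test-CertPrivateKey returns $false on the target, the registry copy brought over the certificate but not a working private key, and the PFX route with an exportable key (or re-issuing the certificate) is the way forward.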

Barry MSIH

Reputation: 3787

Use Import-PfxCertificate with parameter -Exportable

Get-ChildItem -Path c:\mypfx\my.pfx | Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Exportable

Upvotes: 1

Level 42

Reputation: 422

I know this is an older question, but I wanted to post my solution as I was having this same problem. I too was getting the dreaded Export-PfxCertificate : Cannot export non-exportable private key error while trying to export my PFX file. The problem started after loading my code-signing certificate on my Windows machine. When I went to export it, the export to PFX option was grayed out without further explanation. I then followed many of the instructions listed here, including PowerShell Export-PfxCertificate. None of these worked. I finally went back to my certificate provider GoDaddy and they informed me that in my original Certificate Signing Request (CSR) I did not check the box Make Private Key Exportable. GoDaddy graciously, and without cost, allowed me to submit a new CSR (with that option checked) to 'Rekey' my existing certificate. Within a couple of hours, my new certificate was issued. I installed it on my machine and was able to export directly from Windows MMC (no need for PowerShell). I've included this screenshot of the box that must be checked when creating your CSR (it may look different on different platforms).

[Screenshot: the "Make Private Key Exportable" option in the CSR creation dialog]

Upvotes: 8

dzon

Reputation: 109

Maybe too late, but have you tried running the PowerShell script as administrator? (If you can export the private key from the MMC console, Export-PfxCertificate will export it as well.)

Upvotes: 10

Manuel Spindler

Reputation: 17

Check my code below.

# Ask for the name
$name = Read-Host "Certificate Name "

# Check that the certificate file exists (Test-Path returns a boolean, so test it directly)
$Path = "D:\Provisioning\certmgmt\$name.txt"
if (-not (Test-Path -Path $Path))
{
    Write-Host "The path $Path does not exist" -ForegroundColor Red
    Pause
    exit
}

# Import the certificate. Note: Import-Certificate imports the public certificate only;
# a private key can only come in through Import-PfxCertificate.
$result = Import-Certificate -FilePath $Path -CertStoreLocation "Cert:\LocalMachine\My"

# Get the thumbprint of the certificate (this is the thumbprint, not the serial number)
$Thumbprint = $result.Thumbprint

# Set the FriendlyName
(Get-ChildItem -Path Cert:\LocalMachine\My\$Thumbprint).FriendlyName = $name

# Export the certificate
$answer = Read-Host "Export Certificate? (Y/N)"

# -eq is case-insensitive in PowerShell, so "n" is covered too
if ($answer -eq "N")
{
    exit
}

try
{
    $mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
    # -ErrorAction Stop turns the cmdlet's non-terminating error (for example
    # "Cannot export non-exportable private key") into one the catch block sees
    Get-ChildItem -Path Cert:\LocalMachine\My\$Thumbprint |
        Export-PfxCertificate -FilePath C:\$name.pfx -Password $mypwd -ErrorAction Stop
}
catch
{
    # $_ is the current error; $Error would print the whole error history of the session
    Write-Host $_ -ForegroundColor Red
    Pause
    exit
}

Write-Host "Export of the certificate was successful" -ForegroundColor Green

Upvotes: 0

Kriss Milne

Reputation: 529

The problem isn't with the powershell code. The problem is with the certificate.

When a certificate is first imported or created, the private key must be marked as exportable in order for you to be able to export the private key.

The error message you have received indicates that the private key is not exportable on the certificate you are trying to use.

[Screenshot: example of the issue]

Upvotes: 25
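The point made in this answer and in Barry MSIH's, carried through end to end: inspect how an existing key was marked, create the self-signed certificate with an exportable key in the first place, export it, and import it on the target with -Exportable. This is an added example, not code from any of the answers; it assumes a development host name of dev.example.com, a C:\Certificates folder, and a helper name (Get-KeyExportPolicy) of my own.

```powershell
# Added example, not code from the answers above. Assumed values: host name
# dev.example.com, folder C:\Certificates, helper name Get-KeyExportPolicy.

# Report how the private key of an existing certificate was marked. A result of
# 'None' is exactly the condition behind "Cannot export non-exportable private key".
function Get-KeyExportPolicy {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (Microsoft Software Key Storage Provider): CngExportPolicies flags,
        # e.g. None, AllowExport, AllowPlaintextExport
        return $rsa.Key.ExportPolicy.ToString()
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key: a single exportable bit on the key container
        if ($rsa.CspKeyContainerInfo.Exportable) { return 'AllowExport' } else { return 'None' }
    }
    return 'Unknown'   # non-RSA key or a provider this helper does not inspect
}

# Existing certificate from the question: see how its key was marked
$old = Get-ChildItem -Path 'Cert:\LocalMachine\My\1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E' -ErrorAction SilentlyContinue
if ($old) { Get-KeyExportPolicy -Cert $old }

# 1. Create the dev certificate with the key explicitly marked exportable,
#    instead of relying on whatever the creating tool defaults to.
$cert = New-SelfSignedCertificate -DnsName 'dev.example.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

Get-KeyExportPolicy -Cert $cert   # anything other than 'None' means the key can leave the box

# 2. Export to PFX. Prompt for the password instead of hard-coding it; the
#    self-signed cert has no chain, so export the end-entity certificate only.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath 'C:\Certificates\dev.pfx' `
    -Password $pfxPassword -ChainOption EndEntityCertOnly

# 3. On each target server: -Exportable keeps the key re-exportable there as well;
#    omit it to pin the key to that machine.
Import-PfxCertificate -FilePath 'C:\Certificates\dev.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword -Exportable
```

Run it elevated, since both New-SelfSignedCertificate and Import-PfxCertificate write to the LocalMachine store. Get-KeyExportPolicy is the useful diagnostic when the certificate was created elsewhere: if it reports 'None', no amount of PowerShell will export the key and the certificate has to be re-created or re-keyed as in the GoDaddy answer.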

Kory Gill

Reputation: 7163

I did a quick search, and you can use certutil or better is probably the solution from http://community.idera.com/powershell/powertips/b/tips/posts/exporting-certificate-with-private-key.

Relevant code from that post has been pasted below. 100% attribution to the author of that page.

# For every certificate in the current user's personal store that has a private key,
# write a PFX named after its thumbprint to the user's home folder.
# 'secret' is the PFX password; Export() throws for keys that are not marked exportable.
dir cert:\currentuser\my |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        [System.IO.File]::WriteAllBytes(
            "$home\$($_.Thumbprint).pfx",
            $_.Export('PFX', 'secret'))
    }

Upvotes: 2
