38

I'm in the process of trying to change the KeySpec property of a code signing certificate from Comodo by following this guide. The guide mentions importing your certificate file into MMC and then exporting it again later. However, I don't seem to have the option to export as a PFX file. I already have a PFX file; I can import it successfully, but when I go to export the option is greyed out / disabled.

(screenshot: the "Personal Information Exchange - PKCS #12 (.PFX)" export option is greyed out)

What do I need to do to enable this export option?

soapergem

4 Answers

47

The Certificates snap-in really doesn't like to export PFX certificates, but PowerShell is happy to. You can use the Export-PfxCertificate cmdlet.

  1. Go to the certificates pseudo-drive by typing cd cert:\ at the PowerShell prompt.
  2. Type cd CurrentUser or cd LocalMachine as appropriate for where the certificate is. You may need to launch PowerShell as admin to export a machine certificate.
  3. cd into the appropriate store (a dir may help). The Personal store in MMC is called My here.
  4. Use dir to identify which ID corresponds to the certificate you want.
  5. Type this command to export it as a PFX with a password:

    Export-PfxCertificate -Cert .\LONGSTRINGOFHEX -FilePath 'C:\path\to\outfile.pfx' -Password (ConvertTo-SecureString -String 'password' -AsPlainText -Force)

    LONGSTRINGOFHEX should be replaced with your certificate's ID. Fortunately, you can use tab completion on that.

Once that command executes, you have a PFX certificate protected with the password you supplied. PowerShell refuses to export the certificate's private key without a password, and the password can't be blank. Nevertheless, your PFX is out.

Dmitry Brant
Ben N
  • Please forgive such an ignorant question, but how do I install the cmdlet? Currently when I type `cert:` in PS I get "The term 'cert:' is not recognized as the name of a cmdlet, function, script file, or operable program." Windows 10 of course. – soapergem Jul 11 '16 at 19:55
  • @SoaperGEM My apologies, it should be `cd cert:\` instead. – Ben N Jul 11 '16 at 20:04
  • @SoaperGEM This cmdlet is available in Windows 8, 8.1, 10, Server 2012 and Server 2012 R2. Judging by your screenshot, you are set. Also, when importing your certificate, look for a checkbox that allows you to mark the private key as exportable. That should give you the ability to export it via MMC. – Jul 13 '16 at 08:00
  • I am getting the error "Cannot export non-exportable private key". Can anyone help identify the issue? – rd10 Dec 03 '18 at 15:33
  • @RajaDorji If a private key was marked as non-exportable, the system generally refuses to export. Tools like Mimikatz ([mentioned here](https://stackoverflow.com/q/3914882/2825369)) can get around this through unofficial methods. – Ben N Dec 04 '18 at 03:42
  • @BenN Thank you for your reply. I raised a CSR request on Windows Server with keytool and am unaware of any step for marking the key as exportable. Maybe we are not installing the certificates correctly. I added a question: https://serverfault.com/questions/943496/how-to-install-cer-and-p7b-certificates-to-use-in-iis Please take a look; I appreciate your time. – rd10 Dec 09 '18 at 06:43
  • Where do you obtain the certificate's ID? – MC9000 Jul 30 '19 at 21:14
  • @MC9000 It's the certificate's thumbprint, which is one of the entries in the list visible by opening `certmgr.msc`, double-clicking the certificate, and going to the Details tab. – Ben N Jul 30 '19 at 23:24
  • Thanks! Also trying to fix Sectigo madness (since Comodo changed their name, everything went to hell with intermediate certificates) - that'll be another post – MC9000 Jul 31 '19 at 01:10
  • This is case-sensitive as I've discovered (the Id/thumbprint must be in upper case). Got the dreaded "Cannot export non-exportable private key." message. Dang! – MC9000 Jul 31 '19 at 02:07
  • This did not work for me unfortunately - and the issue I had was that I was generating the CSR from myasp.net and they don't give any option in the CSR generation about the exporting of the key. But when trying to install the certificate, it would not accept the .cer or .crt file generated by the SSL provider. Ultimately, I generated a CSR from my local IIS, installed the SSL back on the same and then exported and installed that .pfx on myASP.net and that worked. Hope this helps someone. IF YOUR SSL IS MARKED NOT TO ALLOW EXPORT, THIS COMMAND WILL NOT WORK. – Moiz Tankiwala Apr 28 '21 at 11:10
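As an added example (not code from the answer above), the following PowerShell script automates the steps in this answer: it looks the certificate up by thumbprint, checks that the private key is actually exportable before calling `Export-PfxCertificate` (so you get a clear message instead of "Cannot export non-exportable private key"), and prompts for the PFX password rather than placing it on the command line. The `$Thumbprint` parameter and the default output path are assumptions; the certificate is assumed to live in `CurrentUser\My`.

```powershell
# Added example, not from the original answer. Assumes the certificate is in
# CurrentUser\My and $Thumbprint is the value from the Details tab in certmgr.msc.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$OutFile = "$env:USERPROFILE\Desktop\codesign.pfx"   # assumed output path
)

# The Cert: drive lists thumbprints as upper-case hex with no spaces or colons.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-Item -Path "Cert:\CurrentUser\My\$tp" -ErrorAction Stop

if (-not $cert.HasPrivateKey) {
    throw "Certificate $tp has no private key in this store; import the original PFX first."
}

# Inspect the key's export policy up front; otherwise Export-PfxCertificate
# fails later with "Cannot export non-exportable private key".
$exportable = $false
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy is a flag set on the underlying CngKey
        $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the key container reports exportability directly
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    } else {
        Write-Warning "Non-RSA key; export policy not inspected."
    }
} catch {
    Write-Warning "Could not inspect the private key: $_"
}
if (-not $exportable) {
    throw "Private key for $tp is marked non-exportable; re-import the PFX with 'Mark this key as exportable' checked."
}

# Prompt for the password instead of passing -String '...' -AsPlainText on the
# command line, which would leave the password in the PowerShell history file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Subject) to $OutFile"
```

For a machine certificate, change the store path to `Cert:\LocalMachine\My` and run the script from an elevated PowerShell prompt.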
1

My problem was that I had created the CSR file on one machine and then tried to create the pfx file on another (Windows 10 had done an update overnight and locked me out of the first machine). Both the CSR and the pfx file need to be created on the same machine.

0

If you import a cert into the WebHosting store, you can't export the private key. Move it to Personal store, and you will be able to export as PFX. I was able to do this in Windows 2012R2 without having to go to the command line and use Export-PfxCertificate (which is a pain as I couldn't figure out the certificate's ID to save my life).

MC9000
  • Okay, I'm wrong. Just got lucky. I had to try this task again (reissued a cert), and this method does not work anymore :( – MC9000 Jul 31 '19 at 01:49
  • You can find the certificate's ID by either going to **IIS > Machine > Server Certificates** or by `cd cert:\LocalMachine\My` then `dir`. – Devin Gleason Lambert Oct 28 '19 at 13:06
-3

Export the .P7B file once. Then go back and try exporting the certificate again. The .PFX export gets enabled the next time.

Atul