Menu
I am attempting to export my self-signed certificate so I can import it to other Servers in my development environment (will use "real" certs for Production), but it throws the following error:
Export-PfxCertificate : Cannot export non-exportable private key
The requirements are that I need to export the cert and "allow the private key to be exported", but am curious what I am missing. My PowerShell is as follows:
$pwd = ConvertTo-SecureString -String ‘1234’ -Force -AsPlainText
$path = 'cert:\localMachine\my\' + '1E7439053EE57AEE6EA0E1F3CDF5DB4234B6731E'
Export-PfxCertificate -cert $path -FilePath c:\Certificates\cert.pfx -Password $pwd
504
Go to: Certificates > Personal > Certificates. Right-click on the certificate you wish to export and go to All Tasks and hit Export. Hit Next on the Certificate Export Wizard to begin the process. Select “Yes, export the private key” and hit next.
If the option "Yes, export the private key" is greyed out during you export this certificate, it means the private key of this certificate cannot be exported after this certificate is enrolled/requested.
The Export-PfxCertificate cmdlet exports a certificate or a PFXData object to a Personal Information Exchange (PFX) file. By default, extended properties and the entire chain are exported. Delegation may be required when using this cmdlet with Windows PowerShell® remoting and changing user configuration.
I know this is an older question, but I wanted to post my solution as I was having this same problem. I too was getting the dreaded Export-PfxCertificate : Cannot export non-exportable private key error while trying to export my PFX file. The problem started after loading my code-signing certificate on my Windows machine. When I went to export it, the export to PFX option was grayed out without further explanation. I then followed many of the instructions listed here, including Powershell Export-PfxCertificate. None of these worked. I finally went back to my Certificate provider GoDaddy and they informed me that in my Original Certificate Signing Request (CSR) I did not check the box Make Private Key Exportable. GoDaddy graciously, and without cost, allowed me to submit a new CSR (with that option checked,) to 'Rekey' my existing certificate. Within a couple of hours, my new certificate was issued. I installed it on my machine and was able to export directly from Windows MMC (no need to PowerShell.) I've included this screenshot of the box that must be checked when creating your CSR (may look different on different platforms.)
190
The problem isn't with the powershell code. The problem is with the certificate.
When a certificate is first imported or created, the private key must be marked as exportable in order for you to be able to export the private key.
The error message you have received indicates that the private key is not exportable on the certificate you are trying to use.
Example Issue
22
Maybe too late, but have you tried to run PowerShell script as administrator? (If you can export private key from mmc console, Export-PfxCertificate will export it also.)
7
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
