Skip to main content
search

[3 Steps] Exporting a Certificate not Marked as Exportable 

By August 31, 2020March 30th, 2023Blog, Microsoft, Security, Windows
Person Using Microsoft Windows

As a managed services provider (MSP), PEI is always searching for new ways to assist our clients. As part of our onboarding process, we take great care to ensure that no stone is left unturned and will work through every bit of information before implementing your new IT system set-up.

Specifically, we review all current certification authority (CA) certificates that are due to expire, subject alternate names (SAN), etc. One of the main issues we run into is that when a certificate is exported, it has been installed in another location. If you are trying to solve this problem without direct support from the vendor, the process can be strenuous. However, the cause may be as simple as the ‘mark the private key as exportable’ check box being left unchecked or missed completely. So, what can you do?

Using the Windows Registry Editor, or Regedit, a graphical tool in the Windows operating system (OS) that permits you to view the Windows registry and make edits, you can solve this issue quite simply. All it takes is some time and some effort to become familiar with its operations.

How to Retrieve and Export a Non-marked Certificate

  1. Open the non-exportable certificate in the certificate store to get the thumbprint of the certificate, also known as its unique value.
  2. Open Regedit to one of the Registry Key Paths below depending on where the certificate is stored and locate the registry key with the matching thumbprint value.
  3. Once you have exported the registry key, copy the export to the server you need to install the certificate on and import it into the registry. The certificate will appear in the certificate manager with the private key included.
  • Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
  • User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
Note: An export of the registry key will contain the complete certificate including the private key.

The new certificate will still be non-exportable, but you can use it as a backup of that certificate for future use if need be.

Myke Schwartz | PEI

You May Also Like

Breadth Vs Depth Best PracticesBlogComplete Managed CareManaged Services
April 12, 2024

Understanding Breadth vs. Depth When Comparing MSPs and How to Decide Which to Prioritize

Anna Ross 0
Managed Services Agreements Best PracticesBlogComplete Managed CareManaged Services
April 12, 2024

What to Look for in a Managed Services Agreement

Anna Ross 0
How to leave a contract with a managed service provider Best PracticesBlogComplete Managed CareManaged Services
April 12, 2024

How to Get out of a Managed Service Contract

Stephanie Hamrick 0

Leave a Reply

Close Menu