[3 Steps] Exporting a Certificate not Marked as Exportable 

August 31, 2020 | September 23rd, 2020 | Blog, Microsoft, Security, Windows

As a managed services provider (MSP), PEI is always searching for new ways to assist our clients. As part of our onboarding process, we take great care to ensure that no stone is left unturned and will work through every bit of information before implementing your new IT system set-up.

Specifically, we review all current certification authority (CA) certificates that are due to expire, subject alternative names (SAN), etc. One of the main issues we run into is that when a certificate needs to be exported, it has already been installed in another location. If you are trying to solve this problem without direct support from the vendor, the process can be strenuous. However, the cause may be as simple as the ‘mark the private key as exportable’ check box being left unchecked or missed completely. So, what can you do?

Using the Windows Registry Editor, or Regedit, a graphical tool in the Windows operating system (OS) that permits you to view the Windows registry and make edits, you can solve this issue quite simply. All it takes is some time and some effort to become familiar with its operations.

How to Retrieve and Export a Non-marked Certificate

  1. Open the non-exportable certificate in the certificate store to get the thumbprint of the certificate, also known as its unique value.
  2. Open Regedit to one of the Registry Key Paths below, depending on where the certificate is stored, and locate the registry key with the matching thumbprint value.
     • Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
     • User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
  3. Once you have exported the registry key, copy the export to the server you need to install the certificate on and import it into the registry. The certificate will appear in the certificate manager with the private key included.

Note: An export of the registry key will contain the complete certificate including the private key.

The new certificate will still be non-exportable, but you can use it as a backup of that certificate for future use if need be.
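
The three steps above as a PowerShell sketch, added here as an example and not PEI's own tooling; the function and parameter names are hypothetical. It restricts access to the .reg file, since the note above says the export carries the private key, and on the target it checks `HasPrivateKey` instead of assuming the key arrived.

```powershell
# Added example; function and parameter names are hypothetical, not from the article.
function ConvertTo-Thumbprint([string]$Value) {
    # Step 1: thumbprints copied from the certificate dialog often contain
    # spaces or invisible characters, so keep only the hex digits.
    $tp = ($Value -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp.Length -ne 40) { throw "Expected 40 hex digits, got '$Value'." }
    $tp
}

function Export-CertRegistryKey {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [ValidateSet('Machine', 'User')][string]$Store = 'Machine',
          [Parameter(Mandatory)][string]$OutFile)
    $tp   = ConvertTo-Thumbprint $Thumbprint
    # Step 2: the two registry key paths listed in the article.
    $hive = if ($Store -eq 'Machine') { 'HKLM' } else { 'HKCU' }
    $sub  = "SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$tp"
    if (-not (Test-Path "${hive}:\$sub")) { throw "Thumbprint $tp not found in the $Store store." }
    & reg.exe export "$hive\$sub" $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE." }
    # Per the article's note, treat the export as key material: current user only.
    & icacls.exe $OutFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:F" | Out-Null
    Get-Item $OutFile
}

function Import-CertRegistryKey {
    param([Parameter(Mandatory)][string]$RegFile,
          [Parameter(Mandatory)][string]$Thumbprint,
          [ValidateSet('Machine', 'User')][string]$Store = 'Machine')
    $tp = ConvertTo-Thumbprint $Thumbprint
    # Step 3: import on the target server (reg.exe reports success on stderr).
    & reg.exe import $RegFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE." }
    # Confirm the certificate is visible in the store and report its key status.
    $loc  = if ($Store -eq 'Machine') { 'LocalMachine' } else { 'CurrentUser' }
    $cert = Get-Item "Cert:\$loc\My\$tp" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Certificate $tp is not visible in Cert:\$loc\My after import." }
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $tp imported without a usable private key." }
    $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Source server (elevated prompt for the machine store):
#   Export-CertRegistryKey -Thumbprint '<thumbprint from step 1>' -OutFile C:\Temp\cert.reg
# Target server, after copying the file over a protected channel:
#   Import-CertRegistryKey -RegFile C:\Temp\cert.reg -Thumbprint '<thumbprint from step 1>'
```

Delete the .reg file from both servers once the import has been verified.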

Myke Schwartz | PEI
