Exporting EFS certificate, new option to protect the private key to a security principal greyed out


  • I tried to back up the efs certificate using the Certificate Export Wizard. I chose to export the private key and when prompted to protect the .pfx file the window caption displayed the message "To maintain security, you must protect the private key to a security principal or by using a password.".
    I had two options to protect the .pfx file: the first option had the caption "Group or user names (recommended)" with "Add" and "Remove" buttons, and the second option was the classic password protection. However, the first option was greyed out. Can anyone tell me how to enable the first option and how to use it?
    Best regards
    Saturday, March 24, 2012 3:01 PM


  • I found myself the answer to my own question. At http://msdn.microsoft.com/en-us/library/windows/desktop/aa387313(v=vs.85).aspx it is stated that, if the parameter dwFlags of the PFXExportCertStoreEx function contains PKCS12_PROTECT_TO_DOMAIN_SIDS, you can set the pvPara parameter of the same function to point to an NCRYPT_DESCRIPTOR_HANDLE value to identify which Active Directory principal the PFX password will be protected to inside of the PFX BLOB. So the reason why I was not able to use this functionality is that the machine was not part of an Active Directory.
    To further explain this functionality, I paste the explanation found at the same link above:
    “Beginning with Windows 8 and Windows Server 2012, you can protect the PFX password to an Active Directory user, computer, or group. If you choose to do so but do not create a password, a temporary password will be randomly selected. The password is encrypted by using the Active Directory principal and then embedded in the PFX BLOB. For more information, see the pvPara parameter and the PKCS12_PROTECT_TO_DOMAIN_SIDS flag.”

    • Marked as answer by Evolve_or_Die Saturday, August 04, 2012 11:03 PM
    Saturday, August 04, 2012 11:02 PM
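The same protect-to-principal export the answer describes, done from PowerShell with the PKI module's Export-PfxCertificate and its -ProtectTo parameter (available on Windows 8 / Server 2012 and later). This is an added example, not code from the original posts; the principal name and output path are placeholders, and the EFS EKU OID lookup is the author's own way of locating the certificate.

```powershell
# Added example (not from the original post): export the current user's EFS
# certificate with its private key, protecting the PFX to a domain security
# principal instead of a password. This is the PKCS12_PROTECT_TO_DOMAIN_SIDS
# mechanism the answer describes: a random temporary password is generated and
# encrypted to the principal's SID inside the PFX.
# The principal name and output path below are placeholders.

$Principal = 'CONTOSO\EFS-Recovery-Admins'   # placeholder: domain group or user
$OutFile   = 'C:\Backup\efs-cert.pfx'        # placeholder path

# The wizard option is greyed out on a machine that is not joined to a domain,
# because the PFX password is encrypted to an Active Directory SID.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This computer is not domain-joined; protect-to-principal export is unavailable.'
}

# Locate the newest EFS certificate in the user's personal store by its
# Enhanced Key Usage OID (1.3.6.1.4.1.311.10.3.4 = Encrypting File System)
# and require that it carries a private key.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4')
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $efsCert) {
    throw 'No EFS certificate with a private key was found in Cert:\CurrentUser\My.'
}

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# -ProtectTo takes one or more user/group names. No -Password is supplied, so
# only members of $Principal can open the file; keys exported this way cannot
# be recovered with a password later, so choose the group deliberately.
$exported = Export-PfxCertificate -Cert $efsCert -FilePath $OutFile -ProtectTo $Principal

if (-not (Test-Path $OutFile) -or $exported.Length -eq 0) {
    throw 'Export failed: PFX file was not written.'
}
Write-Host "Exported $($efsCert.Thumbprint) to $OutFile, protected to $Principal"
```

Importing the file later works the same way: run Import-PfxCertificate as a member of the named principal and omit -Password.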