Export Certificate using Private key

Answers

  • Use CertUtil command.

    Example:

    • certutil.exe -privatekey -exportpfx "Computer" Computer.pfx
    • certutil.exe -privatekey -exportpfx "My Root CA" My_Root_CA.pfx

    Syntax:

      CertUtil [Options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]

    Use the certutil -privatekey -exportpfx /? command to see detailed usage.


    Manoj
    • Marked as answer by Bruce-Liu Wednesday, October 26, 2011 6:57 AM
    Friday, October 21, 2011 8:14 AM

All replies

  • The problem of that command is that it will export a whole store.

    If only a certificate from a store is needed/wanted, then the certificate needs to be moved from the `My` store (or from any source store) to a temporary store, and, that store needs to be exported.

    This is a method used to export a self-signed certificate for Windows Azure RDP account, for example.

    The example below is in PowerShell, with one P/Invoke call for the part that is not in .NET 4.x.

    $signature=@'
    [StructLayout(LayoutKind.Sequential)]
    public struct CRYPT_DATA_BLOB {
       public int cbData;
       public IntPtr pbData;
    }

    // Win32 PFXExportCertStoreEx from crypt32.dll; SetLastError so failures can be reported
    [DllImport("crypt32.dll", SetLastError=true)]
        public static extern Boolean PFXExportCertStoreEx(
            IntPtr hCertStore,
            ref CRYPT_DATA_BLOB pPFX,
            [MarshalAs(UnmanagedType.LPWStr)] String szPassword,
            IntPtr  pvReserved,
            uint   dwFlags
            );

    // dwFlags value that includes the private keys in the exported PFX
    const uint EXPORT_PRIVATE_KEYS = 0x0004;

    public static byte[]
    PFXExportCertStoreEx(IntPtr hCertStore, String szPassword)
    {
        CRYPT_DATA_BLOB ppfx = new CRYPT_DATA_BLOB();
        ppfx.cbData = 0;
        ppfx.pbData = IntPtr.Zero;

        // first call with pbData == NULL: the API only reports the required size in cbData
        if (!PFXExportCertStoreEx(hCertStore, ref ppfx, szPassword, IntPtr.Zero, EXPORT_PRIVATE_KEYS))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());

        byte[] returnValue = new byte[ppfx.cbData];
        ppfx.pbData = Marshal.AllocHGlobal(ppfx.cbData);
        try {
            // second call with an allocated buffer: the API writes the PFX into it
            if (!PFXExportCertStoreEx(hCertStore, ref ppfx, szPassword, IntPtr.Zero, EXPORT_PRIVATE_KEYS))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());

            Marshal.Copy(ppfx.pbData, returnValue, 0, ppfx.cbData);
        }
        finally {
            Marshal.FreeHGlobal(ppfx.pbData);
        }

        return returnValue;
    }
    '@

    # load a new type to call the PFXExportCertStoreEx API
    $type = Add-Type -Name ExportStore -Namespace CRYPT32 -MemberDefinition $signature

    #
    # open an existing store
    #
    $store = new-object System.Security.Cryptography.x509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser);
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    #
    # find the certificate that matches your interest
    #
    $cert = $store.Certificates | Where-Object { $_.Subject -eq "<subject-name-of-interest>" }
    #
    # make sure it has the private key
    #
    $cert.HasPrivateKey

    #
    # create a temporary store to export
    #
    $storeTemp = new-object System.Security.Cryptography.x509Certificates.X509Store("temp")
    $storeTemp.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $storeTemp.Add($cert)

    #
    # call the API to export the whole store with 1 certificate into a byte array
    #
    $certbytes = [CRYPT32.ExportStore]::PFXExportCertStoreEx($storeTemp.StoreHandle,"p@ssw0rd")
    [System.IO.File]::WriteAllBytes("<path-to-PFX-file>",$certbytes);

    #
    # clean-up the temporary store
    #
    $storeTemp.Remove($cert)
    $storeTemp.Close();

    #
    # also close the main store
    #
    $store.Close();

    #
    # import the certificate in memory, and validate it has the private key
    #
    $validateCert = new-object System.Security.Cryptography.x509Certificates.x509Certificate2([System.IO.File]::ReadAllBytes("<path-to-PFX-file>"),"p@ssw0rd")
    $validateCert.HasPrivateKey

    Thursday, October 27, 2011 11:01 AM
  • The problem of that command is that it will export a whole store.

    If only a certificate from a store is needed/wanted, then the certificate needs to be moved from the `My` store (or from any source store) to a temporary store, and, that store needs to be exported.

    You can do the same selection using the certutil -exportpfx command:

    CertUtil -exportPFX [CertificateStoreName] CertId

    CertId -- Certificate or CRL match token. This can be:

    • a serial number,
    • an SHA-1 certificate, CRL, CTL or public key hash,
    • a numeric cert index (0, 1, etc.),
    • a numeric CRL index (.0, .1, etc.),
    • a numeric CTL index (..0, ..1, etc.),
    • a public key, signature or extension ObjectId,
    • a certificate subject Common Name,
    • an e-mail address, UPN or DNS name,
    • a key container name or CSP name,
    • a template name or ObjectId,
    • an EKU or Application Policies ObjectId,
    • or a CRL issuer Common Name.

    /Hasain


    Thursday, October 27, 2011 11:21 AM
  • C:\>certutil.exe -privatekey -exportpfx "1234" test.pfx
    MY
    CertUtil: -exportPFX command completed successfully.

    I got this message after running the command on my Windows 2008 Core machine. Now where can I find the exported certificate? I want to export a certificate and install the same one on a couple of other machines. Any pointer would be highly appreciated.

    Friday, May 18, 2012 4:24 AM
  • This is what you should do to export a certificate with key from the current user's My store:

    certutil -user -p "Password" -exportpfx My CertificateId output.pfx

    Password is the password that is used to protect the PFX.

    CertificateId is either a serial number or thumbprint to identify a unique cert [other ways to identify a cert exist as well]. I believe this can allow for multiple matches if you use an EKU for example as the CertificateId. So you might be able to get certutil to export multiple certs. I don't know for sure.

    You must put something for CertificateId.
    By default, the whole cert chain will be attempted to be exported to output.pfx.

    Andrew

    Sunday, May 20, 2012 2:23 AM
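Pulling the thread's advice together as an added example (not code from any of the posts above): select a single certificate by SHA-1 thumbprint in the current user's My store, stop unless exactly one certificate matches, export it with the certutil -user -p -exportpfx form from Andrew's reply to an absolute path, and verify the PFX the way the PowerShell reply does. The thumbprint, output path and password are parameters you supply; it assumes Windows PowerShell with certutil.exe on the PATH.

```powershell
# Added example, not from the thread: export exactly one certificate plus its
# private key from the current user's My store with certutil. Assumes Windows
# PowerShell 2.0+ and certutil.exe on the PATH; all three parameters are yours.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # 40 hex chars (SHA-1 hash)
    [Parameter(Mandatory = $true)][string]$OutFile,      # e.g. C:\temp\cert.pfx
    [Parameter(Mandatory = $true)][string]$Password      # password that protects the PFX
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# A subject name or EKU used as CertId can match several certificates; a
# thumbprint matches one. Enforce that before calling certutil at all.
$found = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with thumbprint $Thumbprint, found $($found.Count)."
}
$cert = $found[0]
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store; nothing to export."
}

# certutil writes a relative PFX path under the current directory, which is why
# the exported file is easy to lose on a Core box: resolve an absolute path first.
$OutFile = [System.IO.Path]::GetFullPath($OutFile)
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile)

# -user picks the current user's stores, -p sets the PFX password, My is the
# store name and the thumbprint is the CertId. Note the password is part of the
# certutil command line, so it is visible to anything that lists process
# command lines while certutil runs.
& certutil.exe -user -p $Password -exportpfx My $Thumbprint $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -exportpfx failed with exit code $LASTEXITCODE."
}

# Verify the result as the thread's PowerShell reply does: load the PFX with its
# password and confirm the expected certificate and its private key are inside.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $Password)
if ($check.Thumbprint -ne $Thumbprint -or -not $check.HasPrivateKey) {
    throw "Exported file $OutFile does not contain the expected certificate and private key."
}
Write-Output "Exported $($cert.Subject) ($Thumbprint) with private key to $OutFile"
```

Run it as .\Export-OnePfx.ps1 -Thumbprint <hash> -OutFile C:\temp\cert.pfx -Password <pfx-password>; the script name is a placeholder of your choosing.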