Windows saves certificates in a local store, whose contents can be read and analyzed with certmgr.msc, certlm.msc, or PowerShell. For example, to display the certificates under Personal > Certificates for the local computer, you can use the following PowerShell command:
Get-ChildItem Cert:\LocalMachine\my
This is also the first step when you want to export a certificate. It allows you to determine its properties, such as the thumbprint or whether it has a private key:
Get-ChildItem Cert:\LocalMachine\my | where HasPrivateKey -eq $true
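The listing above is usually the starting point of an export, so here is an added inventory script (not part of the original article) that reports, for every certificate in the local computer's Personal store, the properties that decide which export path applies: thumbprint, expiry, whether a private key is present, and whether that key can actually be opened from the current session. The 30-day expiry threshold is a constructed value; the script assumes an elevated PowerShell session on Windows.

```powershell
# Added example (not from the original article): inventory of the local
# computer's Personal store with the properties relevant to an export.
# Assumes an elevated PowerShell session on Windows.

$warnDays = 30   # constructed threshold for the ExpiresSoon column

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays

    # Describe the key backing this certificate, if any. HasPrivateKey only
    # says a key reference exists; opening it proves the key is usable here.
    $keyInfo = 'none'
    if ($_.HasPrivateKey) {
        try {
            # Works for both CSP (RSACryptoServiceProvider) and CNG (RSACng) keys;
            # returns $null when the key is not RSA.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
            if ($rsa) {
                $keyInfo = "$($rsa.KeySize)-bit RSA ($($rsa.GetType().Name))"
                $rsa.Dispose()
            } else {
                $keyInfo = 'non-RSA key'
            }
        } catch {
            # A key reference exists, but this account cannot open the key.
            $keyInfo = "present, not accessible: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        DaysLeft      = $daysLeft
        HasPrivateKey = $_.HasPrivateKey
        PrivateKey    = $keyInfo
        ExpiresSoon   = ($daysLeft -le $warnDays)
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

# Candidates for a PFX export: still valid and backed by a private key.
$report | Where-Object { $_.HasPrivateKey -and $_.DaysLeft -gt 0 }
```

Certificates whose PrivateKey column reads "present, not accessible" are the ones that will fail a PFX export later with an access error, so it pays to resolve that before starting the wizard or the cmdlet.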
Export certificate without a private key
If a certificate doesn't include a private key, the key is not exportable, or you simply do not want to export it, you can save the certificate to a CER file.
Windows uses the .cer file extension for both the Base64-encoded PEM format and the binary DER format. Alternatively, you also have the option to use the PKCS #7 format with the .p7b file extension.
PFX (PKCS #12) for private key
If you want to export a certificate along with its private key, Windows provides the PFX format (PKCS #12). The file is stored in an encrypted format to protect the private key, and you must secure it either with a password or by restricting access to specific security principals (users or groups).
Export via GUI
The MMC-based tools certmgr.msc and certlm.msc contain the Export command in the context menu of a certificate under All Tasks.
This command starts a wizard. If the certificate has a private key, the wizard asks you, right after the welcome dialog box, whether you want to export it.
Depending on your selection, you will be presented with the export options described earlier: CER or P7B if your answer is no, or else PFX. For CER and P7B exports, you will only need to provide the file name and complete the process.
For the PFX export, there is an additional step where you need to set a password or choose a security principal.
Exporting a certificate using PowerShell
In PowerShell, there are two separate cmdlets for exporting certificates, depending on the desired format. For exporting without the private key, you can use Export-Certificate. The optional Type parameter supports CERT, P7B, and SST. The latter can store multiple certificates. The CERT format uses the DER-encoded binary format; the Base64 variant is not available here. CERT is the default format.
Here's an example of what the command could look like:
Export-Certificate -Type CERT -FilePath mycert.crt -Cert Cert:\LocalMachine\my\<Thumbprint>
To export the certificate in PFX format, Microsoft provides the Export-PfxCertificate cmdlet. This cmdlet requires either the Password or the ProtectTo parameter to secure the file. The password must be specified as a secure string:
$pw = Read-Host -Prompt "Enter Password" -AsSecureString
Export-PfxCertificate -Password $pw -FilePath 9B.pfx -Cert Cert:\LocalMachine\my\9B0F26A0795B30C896F7A8F52D3E91F5AE80127B
The ProtectTo parameter expects a value like "domain\user" or "domain\group", and you can separate multiple values by using commas.
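The following script, added here and not taken from the original article, puts the two cmdlets together into one export run: it selects a certificate by thumbprint, writes the public part as DER (the cmdlet's CERT type), writes a password-protected PFX, and then reads every file back to verify the thumbprint and the presence of the private key. It goes slightly beyond the cmdlets described above in two places: the Base64/PEM variant, which Export-Certificate cannot produce, is built from the certificate's RawData with .NET, and the finished PFX gets a restrictive NTFS ACL in addition to its password. The thumbprint and output folder are placeholders, and an elevated session is assumed.

```powershell
# Added example (not from the original article): export one certificate from
# the local computer's Personal store as CER (DER), as PEM, and as a
# password-protected PFX, then verify each file by reading it back.
# Assumes an elevated session; the thumbprint and output folder are placeholders.

param(
    [string]$Thumbprint = '<THUMBPRINT-OF-CERT-TO-EXPORT>',   # placeholder
    [string]$OutDir     = 'C:\CertExport'                      # placeholder
)

$ErrorActionPreference = 'Stop'

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$base = Join-Path $OutDir $cert.Thumbprint

# 1. Public certificate only, DER-encoded (Type CERT is the cmdlet's default).
Export-Certificate -Cert $cert -FilePath "$base.cer" -Type CERT -Force | Out-Null

# 2. Base64/PEM variant: Export-Certificate has no option for it, so build the
#    PEM envelope from the DER bytes in RawData.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----`n"
Set-Content -Path "$base.pem" -Value $pem -Encoding Ascii -NoNewline

# 3. Certificate plus private key as PFX. The password is prompted as a secure
#    string so it never lands in the script, the history, or a log.
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" -Password $pw `
    -ChainOption BuildChain -Force | Out-Null

# 4. Verify: each file must load and carry the thumbprint of the store entry,
#    and the PFX must actually contain the private key.
$cerBack = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$base.cer")
$pemBack = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$base.pem")
$pfxBack = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$base.pfx", $pw)
foreach ($c in $cerBack, $pemBack, $pfxBack) {
    if ($c.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch in $($c.Subject)" }
}
if (-not $pfxBack.HasPrivateKey) { throw 'PFX did not include the private key' }
$cerBack.Dispose(); $pemBack.Dispose(); $pfxBack.Dispose()   # drop the temporary key copy

# 5. Second layer for the PFX: cut inherited NTFS permissions and allow only
#    the exporting account. The password remains the primary protection.
$acl = Get-Acl "$base.pfx"
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, keep nothing
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path "$base.pfx" -AclObject $acl

Get-ChildItem $OutDir | Select-Object Name, Length
```

Run it as `.\Export-StoreCert.ps1 -Thumbprint <thumbprint> -OutDir D:\export` (script name assumed). Step 4 is the part most scripts skip: a PFX that was written with a wrong ChainOption or without the key still has a plausible size, and only loading it back shows whether the target machine will get what it needs. If you prefer ProtectTo over a password, replace `-Password $pw` with `-ProtectTo 'domain\group'`; the verification in step 4 then loads the PFX without a password, which only succeeds for a member of that group.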
Exporting certificates from the registry
Another option for exporting certificates is dumping them from the registry database. This method is particularly useful when the private key has been marked as non-exportable. The export restriction is not a property of the certificate itself, but rather a feature of the Windows Certificate Store. This behavior is activated by checking the corresponding option during the creation of the certificate signing request (CSR).
While this feature protects the private key from theft, it can be a hindrance in certain situations. For example, you might need to migrate a critical service to another computer, and you cannot easily replace the certificate.
In such situations, both MMC-based tools and PowerShell will refuse to export the certificate in PFX format.
However, this restriction does not apply to the registry. For example, to export a computer certificate from Personal, open the HKEY_LOCAL_MACHINE hive of the Registry Editor, and navigate to \SOFTWARE\Microsoft\SystemCertificates\My\Certificates.
There, you can identify the desired certificate by its thumbprint and execute the Export command from its context menu.
In the dialog box that appears, leave the Export range setting on Selected branch and specify a name for the file.
Transfer the resulting REG file to the target computer and import the certificate by double-clicking the file name in Explorer.
It's important to note that this process inherently marks the private key on the destination computer as nonexportable, even if the original certificate allows the export of the private key.
Summary
When exporting a certificate from a Windows computer's store, the available target format depends on whether you include the private key. If you export the certificate without the private key, you can choose between the CER and the P7B formats. Otherwise, PFX (PKCS #12) is used for exporting with the private key.
For this purpose, you can use the relevant MMC snap-ins or PowerShell. The latter offers two separate cmdlets for this task.
An important option is export via the registry. This method allows you to export the private key, even if it is marked as nonexportable.
I need to deal with a lot of certificate export/imports at work. The registry trick is quite useful when rekeying is not an option. Really informative post 🙂