When transferring a certificate to another computer, it is common practice to export it from the cert store and then import it on the target system. The available export formats depend on whether you want to transfer the private key as well and whether the private key is exportable.

Windows saves certificates in a local store, whose contents can be read and analyzed with certmgr.msc, certlm.msc, or PowerShell. For example, to display the certificates under Personal > Certificates for the local computer, you can use the following PowerShell command:

Get-ChildItem Cert:\LocalMachine\my

This is also the first step when you want to export a certificate. It allows you to determine its properties, such as the thumbprint or whether it has a private key:

Get-ChildItem Cert:\LocalMachine\my | where HasPrivateKey -eq $true

Export certificate without a private key

If a certificate doesn't include a private key, the key is not exportable, or you simply do not want to export it, you can save the certificate to a CER file.

Windows uses the .cer file extension for both the Base64-encoded PEM format and the binary DER format. A quick way to tell the two apart is to open the file in a text editor: the PEM variant starts with -----BEGIN CERTIFICATE-----, whereas the DER variant is binary (its first byte is 0x30, the ASN.1 SEQUENCE tag). Alternatively, you also have the option to use the PKCS #7 format with the .p7b file extension, which can hold several certificates, for example the complete chain.

Export options for certificates without private keys or when the private key should not be exported


PFX (PKCS #12) for private key

If you want to export a certificate along with its private key, Windows provides the PFX format (PKCS #12). The private key in this file is encrypted, and Windows therefore requires you to either set a password, from which the encryption key is derived, or to protect the file to specific Active Directory principals (groups or users), so that only they can import it. A PFX file with a weak or widely shared password is effectively an unprotected private key, so treat it like one: choose a strong password, transfer the file over a protected channel, and delete it once it has been imported on the target.

When exporting to PFX format you have the option of choosing what is included in the file


Export via GUI

The MMC-based tools certmgr.msc and certlm.msc contain the Export command in the context menu of a certificate under All Tasks.

Export command in the context menu of certificates in certlm.msc


This command starts a wizard. If the certificate has a private key, the wizard asks you, right after the welcome dialog box, whether you want to export it.

Depending on your selection, you will be presented with the export options described earlier: CER or P7B if your answer is no, or else PFX. For CER and P7B exports, you will only need to provide the file name and complete the process.

For the PFX export, there is an additional step where you need to set a password or choose a security principal.

The exported private key must be protected by a password or a security principal


Exporting a certificate using PowerShell

In PowerShell, there are two separate cmdlets for exporting certificates, depending on the desired format. For exporting without the private key, you can use Export-Certificate. The optional Type parameter supports CERT, P7B, and SST; the latter two can store multiple certificates, which is useful for shipping a complete chain. CERT is the default and writes the DER-encoded binary form only; the Base64 variant is not available here. If a consumer insists on PEM, convert the DER file afterwards, for example with certutil -encode mycert.crt mycert.pem.

Here's an example of what the command could look like:

Export-Certificate -Type CERT -FilePath mycert.crt -Cert Cert:\LocalMachine\my\<Thumbprint>

Exporting a certificate without a private key in DER format

To export the certificate in PFX format, Microsoft provides the Export-PfxCertificate cmdlet. This cmdlet requires either the Password or the ProtectTo parameter to secure the file. The password must be specified as a secure string. By default, the cmdlet encrypts the key with TripleDES-SHA1 for compatibility with older importers; current versions of the cmdlet also accept -CryptoAlgorithmOption AES256_SHA256, which is preferable whenever the importing system is recent enough to read it:

$pw = Read-Host -Prompt "Enter Password" -AsSecureString
Export-PfxCertificate -Password $pw -FilePath 9B.pfx -Cert Cert:\LocalMachine\my\9B0F26A0795B30C896F7A8F52D3E91F5AE80127B

The ProtectTo parameter expects a value like "domain\user" or "domain\group", and you can separate multiple values by using commas. This option relies on Active Directory Domain Services: the file can only be imported by one of the listed principals on a domain-joined computer, so it is not suitable for standalone machines or for transfers across forests.
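The complete PowerShell export procedure, as an added example that is not code from the article: it looks up one certificate in LocalMachine\My, checks whether its private key is exportable before attempting a PFX export, writes the DER .cer file, builds the Base64 (PEM) form that Export-Certificate cannot produce, and writes an AES-256-protected PFX. The parameters $Thumbprint and $OutDir, the output file names, and the principal names in the commented ProtectTo line are placeholders.

```powershell
# Added example, not from the article: export one machine certificate from
# Cert:\LocalMachine\My without and with its private key, after checking
# whether the key storage provider allows the key to be exported at all.
# Assumptions: elevated Windows PowerShell 5.1 or PowerShell 7 on Windows 10 /
# Server 2016 or later; $Thumbprint and $OutDir are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $OutDir = (Join-Path $env:TEMP 'certexport')
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

# HasPrivateKey only says that the store holds a reference to a key. Whether
# that key may leave the machine is decided by its provider: legacy CAPI keys
# expose CspKeyContainerInfo.Exportable, CNG keys expose CngKey.ExportPolicy.
function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    if (-not $Certificate.HasPrivateKey) { return $false }
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
    }
    if ($null -eq $key) { return $false }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return [bool]$key.CspKeyContainerInfo.Exportable
    }
    # RSACng and ECDsaCng both wrap a CngKey in their Key property.
    $policy = [int]$key.Key.ExportPolicy
    $allow  = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
              [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
    return (($policy -band $allow) -ne 0)
}

$exportable = Test-PrivateKeyExportable -Certificate $cert
'{0}  Subject={1}  HasPrivateKey={2}  Exportable={3}' -f $cert.Thumbprint, $cert.Subject, $cert.HasPrivateKey, $exportable

# 1) Certificate only. Export-Certificate writes DER (CERT), P7B or SST, never Base64 ...
$derPath = Join-Path $OutDir "$Thumbprint.cer"
Export-Certificate -Cert $cert -Type CERT -FilePath $derPath | Out-Null

# ... so build the PEM form yourself when the consumer is OpenSSL-based: the same
# DER bytes, Base64 in 64-character lines between the BEGIN/END CERTIFICATE markers.
$pemPath = Join-Path $OutDir "$Thumbprint.pem"
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $pemPath -Value $pem -Encoding Ascii

# Round-trip check: the PEM file must parse back to the very same certificate.
$back = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pemPath)
if ($back.Thumbprint -ne $cert.Thumbprint) { throw "PEM round trip failed for $pemPath" }

# 2) Certificate plus private key as PFX (PKCS #12), only if the provider allows it.
if ($exportable) {
    $pfxPath = Join-Path $OutDir "$Thumbprint.pfx"
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    # The cmdlet defaults to TripleDES-SHA1 for compatibility with old importers;
    # prefer AES256-SHA256 when the target is Windows 10 / Server 2016 or newer.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw `
        -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 | Out-Null
    # Alternative without a password: bind the file to AD principals (placeholder names).
    # Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ProtectTo 'CONTOSO\PKI-Admins','CONTOSO\svc-web'

    # The PFX now is the private key; review who can read it before it travels.
    (Get-Acl -Path $pfxPath).Access |
        Select-Object IdentityReference, FileSystemRights |
        Format-Table -AutoSize
} else {
    Write-Warning 'Private key missing or not exportable: PFX export skipped; request a new certificate on the target instead.'
}
```

Run it as a script file with the thumbprint of a certificate from the Get-ChildItem listing above; the exportability check is what makes the difference between a clean "skipped" message and a half-finished wizard run, because neither the MMC snap-ins nor Export-PfxCertificate can override the provider's export policy.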

Exporting certificates from the registry

Another option that is often suggested is dumping the certificate entry from the registry database, in particular when the private key has been marked as non-exportable. The export restriction is not a property of the certificate itself. It is a property of the private key, which the cryptographic provider (CSP or KSP) stores separately from the certificate: whether the key is exportable is decided when the key pair is generated for the certificate signing request (CSR), through the "Make private key exportable" option, and it cannot be changed afterwards. The certificate store merely holds a reference to that key.

While this flag protects the private key from theft, it can be a hindrance in certain situations. For example, you might need to migrate a critical service to another computer, and you cannot easily replace the certificate.

In such situations, both MMC-based tools and PowerShell will refuse to export the certificate in PFX format.

The certificate has a private key but it cannot be exported


The registry does not enforce this restriction, but it does not contain the key either. For example, to look at the registry entry of a computer certificate from Personal, open the HKEY_LOCAL_MACHINE hive of the Registry Editor and navigate to \SOFTWARE\Microsoft\SystemCertificates\My\Certificates. Each subkey is named after a certificate's thumbprint and holds a single binary value, Blob, which contains the DER-encoded certificate and its store properties, among them the name of the provider and key container that holds the private key. The key material itself is not in the registry: machine keys are files under %ProgramData%\Microsoft\Crypto, encrypted with the computer's DPAPI master key, so they cannot be used on another computer even if copied.

There, you can identify the desired certificate by its thumbprint and execute the Export command from its context menu.

Command for exporting a certificate from the registry


In the dialog box that appears, leave the Export range setting on Selected branch and specify a name for the file.

Dialog box for saving the certificate in a REG file


Transfer the resulting REG file to the target computer and import the certificate by double-clicking the file name in Explorer. The certificate then appears in the store of the target computer and, because the key provider reference was copied with it, it even shows as having a private key.

However, that reference points to a key container that does not exist on the destination computer. Any operation that needs the private key, including a PFX export, fails there; this is the behavior that is sometimes misread as the key having been marked non-exportable on import. A REG file therefore transfers no more of the private key than a CER export does, and for a non-exportable key the only clean option is to request a new certificate with a new key pair on the target computer.
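To see for yourself what a REG file carries, the following PowerShell script (an added example, not code from the article) parses the Blob value of a certificate's registry entry into its property records, rebuilds the certificate from record 32, prints the key reference in record 2, and then tests whether the referenced key container can actually be opened on this computer. The record layout is the serialized certificate store element format that Windows also uses in .sst files; the string extraction from record 2 is a heuristic, and $Thumbprint is a placeholder. Run it on the source computer and again on the target after a registry import to see the difference in the last line of output.

```powershell
# Added example, not from the article: what the registry entry of a machine
# certificate actually contains. The Blob value is a sequence of property
# records, each laid out as DWORD propId, DWORD 1, DWORD length, data bytes.
# The private key is not among them; record 2 only names its container.
# Assumption: $Thumbprint is a placeholder for a certificate in LocalMachine\My.
param([Parameter(Mandatory)] [string] $Thumbprint)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Property IDs from wincrypt.h that commonly appear in the blob.
$propNames = @{
    2  = 'CERT_KEY_PROV_INFO_PROP_ID'    # provider + key container name: a pointer, not the key
    3  = 'CERT_SHA1_HASH_PROP_ID'
    4  = 'CERT_MD5_HASH_PROP_ID'
    6  = 'CERT_KEY_SPEC_PROP_ID'
    9  = 'CERT_ENHKEY_USAGE_PROP_ID'
    11 = 'CERT_FRIENDLY_NAME_PROP_ID'
    20 = 'CERT_KEY_IDENTIFIER_PROP_ID'
    32 = 'CERT_CERT_PROP_ID'             # the DER-encoded certificate, always the last record
}

function Get-CertStoreBlobRecord {
    param([byte[]] $Blob)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [int][BitConverter]::ToUInt32($Blob, $pos)
        $length = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        if ($pos + 12 + $length -gt $Blob.Length) { throw "Truncated record at offset $pos" }
        $data = New-Object byte[] $length
        [Array]::Copy($Blob, $pos + 12, $data, 0, $length)
        $name = if ($propNames.ContainsKey($propId)) { $propNames[$propId] } else { "PROP_$propId" }
        [pscustomobject]@{ PropId = $propId; Name = $name; Length = $length; Data = $data }
        $pos += 12 + $length
    }
}

$regPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\$Thumbprint"
[byte[]] $blob = (Get-ItemProperty -Path $regPath -Name Blob).Blob
$records = @(Get-CertStoreBlobRecord -Blob $blob)
$records | Select-Object PropId, Name, Length | Format-Table -AutoSize

# The certificate can be rebuilt from record 32 alone, which is all a REG file really carries ...
$certRec = $records | Where-Object PropId -eq 32
if (-not $certRec) { throw 'No CERT_CERT_PROP_ID record in blob' }
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$certRec.Data)
'Subject={0}  Thumbprint={1}' -f $cert.Subject, $cert.Thumbprint

# ... while record 2 merely names the provider and container. The key material is a
# DPAPI-protected file under $env:ProgramData\Microsoft\Crypto (RSA\MachineKeys for
# CAPI, Keys for CNG) that is bound to this computer's DPAPI master key.
$kpi = $records | Where-Object PropId -eq 2
if ($kpi) {
    # Heuristic: the record embeds the names as UTF-16 strings; pull out the printable runs.
    $text  = [System.Text.Encoding]::Unicode.GetString($kpi.Data)
    $names = [regex]::Matches($text, '[\x20-\x7e]{4,}') | ForEach-Object { $_.Value }
    'Key reference in registry: ' + ($names -join ' | ')
} else {
    'No key reference stored; this certificate has no private key on this machine.'
}

# Does the referenced container exist here? HasPrivateKey only mirrors record 2;
# opening the key is the real test and fails with "Keyset does not exist" after a
# registry-only import on another computer.
$stored = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
try {
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($stored)
    if ($null -eq $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($stored)
    }
    'HasPrivateKey={0}  KeyOpened={1}' -f $stored.HasPrivateKey, ($null -ne $key)
} catch {
    'HasPrivateKey={0}  KeyOpened=False ({1})' -f $stored.HasPrivateKey, $_.Exception.Message
}
```

On the source computer the last line reads HasPrivateKey=True KeyOpened=True; on a target that received only the REG file it reads HasPrivateKey=True KeyOpened=False, because the store still advertises the key reference while the container behind it is missing.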

Summary

When exporting a certificate from a Windows computer's store, the available target format depends on whether you include the private key. If you export the certificate without the private key, you can choose between the CER and the P7B formats. Otherwise, PFX (PKCS #12) is used for exporting with the private key.

For this purpose, you can use the relevant MMC snap-ins or PowerShell. The latter offers two separate cmdlets for this task.


Dumping the entry from the registry is sometimes proposed as a way around a non-exportable private key. It does not achieve that: the REG file contains the certificate and a reference to its key container, not the key material, which stays on the original computer under DPAPI protection.

1 Comment
  1. I need to deal with a lot of certificate export/imports at work. The registry trick is quite useful when rekeying is not an option. Really informative post 🙂


© 4sysops 2006 - 2023
