Export Not Exportable Private Key

When importing a certificate and private key in Windows (e.g. from a PFX file), you are given the option to mark the key as exportable. If this is not ticked, it is not possible to export the private key at a later date.
The instructions below provide a method of extracting the private key into a PFX file.
In these instructions, A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0 is the thumbprint of the certificate.
From a PowerShell prompt, run the following commands to identify the file where the private key is stored:
From an elevated command prompt, use PsExec to spawn a command prompt in the SYSTEM context and extract the private key data.
On a non-production computer, import the public certificate part (.cer/.crt). Copy the file from above to C:\.
From a PowerShell prompt, find the GUID that represents this computer.
Rename the file you placed in C:\ so that the value after the underscore (_) matches the MachineGuid value. In our example, the file will now be named:
50ed65430216d17c6e6efff6819c923b_2801936f-1239-4daa-89e5-f78df0ae0f2a
From a PowerShell prompt, move the file to the certificate store on this machine.
If you now check the local machine certificate store you will notice a padlock icon against the certificate, indicating the private key is available. You can now export the certificate with the private key.
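The procedure above shows that the "not exportable" flag does not stop anyone with SYSTEM access from moving a key file between machines, so it is worth auditing the machine key folder for files that look transplanted. The following is an added example, not code from the original post: it checks an inventory of key file names against the `<hash>_<MachineGuid>` naming shown above and against the `System File` observation a reader makes in the comments below. The `KeyFile` record, the function name and the sample inventory are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Machine key files follow the pattern of the post's example file name:
# <32 hex chars>_<MachineGuid of the machine that owns the key>.
KEY_FILE_RE = re.compile(
    r"^(?P<container>[0-9a-f]{32})_"
    r"(?P<guid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)

class KeyFile(NamedTuple):      # hypothetical inventory record
    name: str        # file name inside the MachineKeys folder
    is_system: bool  # True if the file carries the System attribute

def audit_machine_keys(files, machine_guid):
    """Return {file name: reason} for key files that deserve a closer look."""
    findings = {}
    for f in files:
        m = KEY_FILE_RE.match(f.name)
        if m is None:
            findings[f.name] = "name is not <hash>_<MachineGuid>"
        elif m.group("guid").lower() != machine_guid.lower():
            findings[f.name] = "suffix is another machine's GUID"
        elif not f.is_system:
            # Heuristic taken from a reader comment on the post: the copied-in
            # file showed as 'File', the native ones as 'System File'.
            findings[f.name] = "matching suffix but no System attribute"
    return findings

# Constructed sample inventory; only the first file name comes from the post.
LOCAL_GUID = "2801936f-1239-4daa-89e5-f78df0ae0f2a"
SAMPLE = [
    KeyFile("50ed65430216d17c6e6efff6819c923b_" + LOCAL_GUID, False),
    KeyFile("0123456789abcdef0123456789abcdef_" + LOCAL_GUID, True),
    KeyFile("fedcba9876543210fedcba9876543210_"
            "11111111-2222-3333-4444-555555555555", True),
    KeyFile("notes.txt", False),
]

if __name__ == "__main__":
    for name, reason in audit_machine_keys(SAMPLE, LOCAL_GUID).items():
        print(f"{name}: {reason}")
```

A mismatched suffix also appears on machines built from a cloned image, so treat findings as leads to correlate with file-access auditing on the key folder rather than as proof of key theft.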
Dave Hope works in IT for a leading UK-based retirement developer; in his spare time he enjoys tinkering with technology and rock climbing.
I tried this, but `$a.PrivateKey` is null for keys marked as non-exportable (it works if they are *not* marked like this).
I checked with `certutil -store my A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0` instead, which provides the container name – but there is no file on disk with the same name.
So I found the key, but in `C:\Users\All Users\Microsoft\Crypto\Keys` instead of `C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys`.
After copying this to a non-prod machine and running certutil, I get:
```
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808 NTE_PERM)
CertUtil: Access denied.
```
Forgot to add that before the error message it asks me to connect a smart card.
Maybe the private key was encrypted using TPM
Dave,
Your post would be really helpful if I could follow it. Having trouble with the very first line. When using PS, I can use the $a = Get-Item and then PS prompts me for input. I pop in the Cert:\LocalMachine\My\A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0 but that’s where it falls apart. I can’t get it to return a value.
Thx for the method, but I could not make it work on Windows 2016. The thing failed on the certutil step, saying that the encryption does not match or something.
Hello, thanks for the article, however, I cannot perform the last step
`certutil -repairstore my AA73A8D8B69122DB7A861257400E52E4C14E39E5`
I assume it is a thumbprint of a certificate?
certutil -repairstore my 156A44C4E11DFBACDDFB400700F264D9DFB1258F my “Personal”
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND)
CertUtil: Object was not found.
And the file in folder has type `File`, whereas other files have type `System File`.
Ouch, I missed a step with importing a certificate.
After I did it, I get the following error:
certutil -repairstore my 156A44C4E11DFBACDDFB400700F264D9DFB1258F
my “Personal”
================ Certificate 1 ================
Serial Number: …
Issuer: E=…
NotBefore: 26-9-2017 15:05
NotAfter: 25-9-2022 15:05

Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): …
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
CertUtil: Key not valid for use in specified state.
Hi Dave, your last lines are

From an elevated cmd prompt, run:
C:> certutil -repairstore my AA73A8D8B69122DB7A861257400E52E4C14E39E5

Where did this ‘AA73A8D8B69122DB7A…’ come from?
If you are seeing the key in: `C:\Users\All Users\Microsoft\Crypto\Keys` instead of `C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys` this may be because you are trying to get the root CA certificate from a Microsoft Windows Certificate Authority, rather than just a key of a web server cert for example.
Hi Dave, everything worked as you instructed except the file copy as SYSTEM; it reported it could not find the file. I browsed to the same location in File Explorer (as admin) with system files displayed and was able to see and copy the file.
I exported the existing certificate with the non-exportable private key as a DER .cer file.
Copied the exported certificate and the copied file to another server, found the machine GUID from the new server and renamed the suffix on the file. Copied it into the same location on the new server and used the certificate MMC plug-in to import the certificate into the personal folder of the local machine store along with the intermediate certificates. I then ran the certutil command and it is unable to repair:
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
CertUtil: Key not valid for use in specified state.
Great article! Just you missed where the “AA73A8D8B69122DB7A861257400E52E4C14E39E5” comes from.
ANSWER:
After importing the certificate, you need to run:
certutil.exe -store my
You’ll get a list of your certificates. Locate the imported certificate and take note of its “Cert Hash(sha1)” number.
That number will be used for “certutil -repairstore my”.

When migrating from one computer system to another, it may be necessary to export certificates from the source system and import them on the destination system, but there can be issues when exporting the private key from the source system. When installing a certificate, the private key is not marked as exportable by default. If you are not paying attention, you can click right past the option and not realize the potential mistake until years later, when you need to export the certificate to a new machine.
If Mark this key as exportable is not checked, you can still export the certificate on the source system and import it onto the destination system without any problems…at least on the surface. You won’t know there’s an issue until you try to access a secure site which requires the private key to complete an authentication request at which point you wonder how in the world you’re going to get the private key.
If the source machine is a 32-bit machine, you can use a utility called Jailbreak to export “non-exportable” private keys/certificates.
1. Once downloaded, extract the contents of Jailbreak's ZIP file and execute Jailbreak.exe. In the screenshot, I have right-clicked and have “Run as” selected because administrative rights are required to run it. However, in this case, the certificate I needed to export was a user-specific, not a machine-specific, certificate, so I needed to run Jailbreak as the user; thus the user was added to the local Administrators group and “Run as” was not required.
2. Jailbreak will launch a Jailbreak MMC Certificates console. Locate the certificate in question. In this case, the certificate was in the Current User | Personal certificate store. Right-click the certificate and choose Export.
3. On the Export Private Key screen, select Yes, export the private key and click Next to continue. Complete the export wizard and then import the newly exported certificate onto the destination system. With the private key, any applications/sites requiring the private key should work just fine.