Windows Certificate Authority CA Export Certificate With Private Key



When a server submits a certificate request to a Windows Certificate Authority (CA), the private key for that certificate is generated and stored on the requesting server; only the public key travels in the request. The CA never receives that private key (unless key archival is explicitly configured for the template), so it cannot give it back to you. If you open the Issued Certificates folder on the CA and try to export a certificate, the only option (Copy to File) is a .cer file, which contains the certificate and public key but no private key.

If you export the certificate from the CA as a .cer file this way, you can still import it onto the server that made the request, but in the Certificates MMC snap-in it will show without the small key icon, meaning the store entry is not linked to a private key. The key itself is usually still on that server from the original request. Running certutil -repairstore my "SerialNumber" on that server searches the machine's key containers for the private key whose public key matches the certificate and re-links the two.

You can follow these Microsoft steps to go through the whole process.

If you copy the serial number from the certificate's Details tab, the clipboard text also contains a hidden Unicode left-to-right mark (U+200E). It is invisible at the prompt, but certutil will not find a certificate with that string. Paste the value into Notepad and save the file as ANSI following the steps documented here; the saved text contains only the hex digits, and that is the value to paste into this command:

certutil -repairstore my "SerialNumber"

If the repair still fails, the private key is most likely not in that server's key store at all. In that case go to the machine that holds the key, export the certificate together with its private key to a .pfx file, delete the key-less certificate entry from the server's Personal store, and import the .pfx instead; the .pfx carries both halves, so no repair step is needed.
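The PowerShell script below is an added example, not part of the original post, that puts the whole repair procedure together: it strips the hidden U+200E characters from a serial number pasted straight from the certificate dialog (so the Notepad/ANSI detour is unnecessary), checks whether the entry in the Local Machine Personal store already has a private key, runs certutil -repairstore, and then re-checks the store to confirm the link. It assumes the certificate was imported into the Local Machine "My" store and that the script runs from an elevated prompt on the server that created the original request.

```powershell
# Added example (not from the original post): repair the private-key link for a
# certificate imported as .cer from the CA's Issued Certificates folder.
# Assumptions: certificate is in Cert:\LocalMachine\My, the private key was
# generated on this machine, and the prompt is elevated.
param(
    # Serial number as copied from the certificate dialog; may contain U+200E.
    [Parameter(Mandatory = $true)]
    [string]$SerialNumber
)

# Remove left-to-right marks, spaces and anything else that is not a hex digit.
# X509Certificate2.SerialNumber is upper-case hex, so normalise to that.
$clean = ($SerialNumber -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -eq 0) { throw "Serial number contains no hex digits." }

function Get-CertBySerial {
    param([string]$Serial)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $Serial }
}

$cert = Get-CertBySerial -Serial $clean
if (-not $cert) { throw "No certificate with serial $clean in LocalMachine\My." }

if ($cert.HasPrivateKey) {
    Write-Host "Certificate $($cert.Thumbprint) already has a private key; nothing to do."
    return
}

# certutil searches the machine's key containers for the private key matching this
# certificate's public key and re-links it. The machine store is certutil's default.
& certutil.exe -repairstore my $clean
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE." }

# The object read above predates the repair, so read the store entry again.
$cert = Get-CertBySerial -Serial $clean
if ($cert.HasPrivateKey) {
    Write-Host "Private key re-linked to certificate $($cert.Thumbprint)."
} else {
    Write-Warning "Still no private key on this host. Export cert + key to .pfx from the machine that has it, delete this entry, and import the .pfx."
}
```

Save it as, for example, Repair-CertKey.ps1 (a name assumed here) and run it as .\Repair-CertKey.ps1 -SerialNumber "<paste from the dialog>"; the quotes keep the hidden character inside the argument so the script can strip it.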
