Export Certificate using Private key
Hi All,
I am going through the 'Export a certificate with the private key' -
http://technet.microsoft.com/en-us/library/cc737187(WS.10).aspx link.
In the My Computer Certificates MMC, I have a few certificates. I need to export those with the private key. How can I achieve this task using the command line (batch file etc.)?
Thanks & Regards, Kedar
October 20th, 2011 6:44am
The problem with that command is that it will export a whole store.
If only a certificate from a store is needed/wanted, then the certificate needs to be moved from the `My` store (or from any source store) to a temporary store, and that store needs to be exported.
This is a method used to export a self-signed certificate for Windows Azure RDP account, for example.
The example below is in PowerShell, with one p/Invoke call for the part that is not in .NET 4.x
$signature = @'
[StructLayout(LayoutKind.Sequential)]
public struct CRYPT_DATA_BLOB {
    public int cbData;
    public IntPtr pbData;
}

[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool PFXExportCertStoreEx(
    IntPtr hCertStore,
    ref CRYPT_DATA_BLOB pPFX,
    [MarshalAs(UnmanagedType.LPWStr)] string szPassword,
    IntPtr pvReserved,
    uint dwFlags
);

// crypt32 flag: include the private keys in the exported PFX
const uint EXPORT_PRIVATE_KEYS = 0x0004;

// Managed wrapper. PFXExportCertStoreEx is called twice: with pbData == NULL it only
// reports the required size in cbData, then it fills the buffer we allocate. Both calls
// are checked so a failure (e.g. a non-exportable key) surfaces instead of an empty file.
public static byte[] PFXExportCertStoreEx(IntPtr hCertStore, string szPassword)
{
    CRYPT_DATA_BLOB ppfx = new CRYPT_DATA_BLOB();
    ppfx.cbData = 0;
    ppfx.pbData = IntPtr.Zero;
    if (!PFXExportCertStoreEx(hCertStore, ref ppfx, szPassword, IntPtr.Zero, EXPORT_PRIVATE_KEYS))
        throw new InvalidOperationException("PFXExportCertStoreEx (size query) failed, Win32 error " + Marshal.GetLastWin32Error());

    byte[] returnValue = new byte[ppfx.cbData];
    ppfx.pbData = Marshal.AllocHGlobal(ppfx.cbData);
    try {
        if (!PFXExportCertStoreEx(hCertStore, ref ppfx, szPassword, IntPtr.Zero, EXPORT_PRIVATE_KEYS))
            throw new InvalidOperationException("PFXExportCertStoreEx (export) failed, Win32 error " + Marshal.GetLastWin32Error());
        Marshal.Copy(ppfx.pbData, returnValue, 0, ppfx.cbData);
    } finally {
        Marshal.FreeHGlobal(ppfx.pbData);
    }
    return returnValue;
}
'@
# load a new type to call the PFXExportCertStoreEx API
Add-Type -Name ExportStore -Namespace CRYPT32 -MemberDefinition $signature

$pfxPassword = "p@ssw0rd"           # placeholder: password that will protect the PFX
$pfxPath     = "<path-to-PFX-file>" # placeholder: where to write the PFX
#
# open the existing source store (read-only is enough, nothing is written to it)
#
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
#
# find the certificate that matches your interest (placeholder subject); insist on exactly one match
#
$cert = @($store.Certificates | Where-Object { $_.Subject -eq "<subject-name-of-interest>" })
if ($cert.Count -ne 1) { throw "Expected exactly one matching certificate, found $($cert.Count)" }
$cert = $cert[0]
#
# make sure it has the private key, otherwise the PFX would carry only the public certificate
#
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key in this store" }
#
# create a temporary store holding just this certificate, so the store-level API exports only it
#
$storeTemp = New-Object System.Security.Cryptography.X509Certificates.X509Store("temp", [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$storeTemp.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $storeTemp.Add($cert)
    #
    # call the API to export the whole store with 1 certificate into a byte array
    #
    $certbytes = [CRYPT32.ExportStore]::PFXExportCertStoreEx($storeTemp.StoreHandle, $pfxPassword)
    [System.IO.File]::WriteAllBytes($pfxPath, $certbytes)
} finally {
    #
    # clean-up the temporary store, even if the export failed
    #
    $storeTemp.Remove($cert)
    $storeTemp.Close()
}
#
# also close the main store
#
$store.Close()
#
# import the certificate in memory, and validate it has the private key
#
$validateCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([System.IO.File]::ReadAllBytes($pfxPath), $pfxPassword)
$validateCert.HasPrivateKey
October 27th, 2011 7:01am
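The same single-certificate export can be done with the managed X509Certificate2.Export method, which writes a PFX for one certificate without a temporary store or a P/Invoke declaration. The script below is an added example and is not code from the post above; besides exporting, it turns the HasPrivateKey line the post only prints into a hard check and, for CryptoAPI (CSP) keys, reads the key container's Exportable flag before trying, since a key generated as non-exportable makes the export throw. The thumbprint, output path and password in the usage lines are placeholders (assumptions).

```powershell
# Added example, not code from the original post.
# Exports exactly one certificate plus its private key from the My store as a PFX,
# using X509Certificate2.Export instead of PFXExportCertStoreEx on a temporary store.
# Placeholders (assumptions): the thumbprint, output path and password in the usage lines.

function Export-SingleCertPfx {
    param(
        [Parameter(Mandatory=$true)][string] $Thumbprint,                # SHA-1 thumbprint of the certificate
        [Parameter(Mandatory=$true)][string] $OutFile,                   # destination .pfx path
        [Parameter(Mandatory=$true)][System.Security.SecureString] $Password,
        [string] $StoreLocation = 'CurrentUser'                          # or 'LocalMachine'
    )

    # Thumbprints copied from the MMC carry spaces (and sometimes an invisible character); keep hex only
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly=$false so that expired or self-signed certificates are still found
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $false)
        if ($found.Count -ne 1) {
            throw "Expected exactly one certificate with thumbprint $Thumbprint, found $($found.Count)."
        }
        $cert = $found[0]
    } finally {
        $store.Close()
    }

    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in $StoreLocation\My; nothing to export."
    }

    # CSP keys expose an Exportable flag. For CNG keys .PrivateKey throws on .NET Framework,
    # so for those we cannot tell in advance and simply attempt the export below.
    $exportable = $null
    try {
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
    } catch { $exportable = $null }
    if ($exportable -eq $false) {
        throw "Private key for $Thumbprint was created non-exportable; the PFX export will be refused."
    }

    try {
        $bytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "Export of $Thumbprint failed (non-exportable key or access denied): $($_.Exception.Message)"
    }
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)

    # Round trip: reload the file and confirm the same certificate came back with its key
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $Password)
    if ($check.Thumbprint -ne $Thumbprint -or -not $check.HasPrivateKey) {
        throw "Verification of $OutFile failed: thumbprint or private key mismatch."
    }

    New-Object PSObject -Property @{
        Thumbprint    = $check.Thumbprint
        Path          = $OutFile
        Bytes         = $bytes.Length
        HasPrivateKey = $check.HasPrivateKey
    }
}

# Usage (placeholders). The password is read as a SecureString so it does not end up in the history as text.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-SingleCertPfx -Thumbprint '<thumbprint-from-MMC>' -OutFile 'C:\temp\cert.pfx' -Password $pfxPassword
```

Run it from an account that holds the key: for LocalMachine\My that normally means an elevated prompt, and a key that was generated non-exportable cannot be exported by any of these methods without re-issuing the certificate.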
You can do the same selection using the certutil -exportpfx command:
CertUtil [Options] -exportPFX [CertificateStoreName] CertId OutputFileName [Modifiers]
CertId -- Certificate or CRL match token. This can be:
a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, etc.), a numeric CRL index (.0, .1, etc.), a numeric CTL index (..0, ..1, etc.), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name.
/Hasain
October 27th, 2011 7:21am
C:\>certutil.exe -privatekey -exportpfx "1234" test.pfx
MY
CertUtil: -exportPFX command completed successfully.
--------------------
I got this message after running the command on my Windows 2008 Core machine. Now where can I find the exported certificate? I want to export a certificate and install the same one on a couple of other machines. Any pointer would be highly appreciated.
May 18th, 2012 12:24am
This is what you should do to export a certificate with its key from the current user's My store:
certutil -user -p "Password" -exportpfx My CertificateId output.pfx
Password is the password that is used to protect the PFX.
CertificateId is either a serial number or thumbprint to identify a unique cert [other ways to identify a cert exist as well]. I believe this can allow for multiple matches if you use an EKU, for example, as the CertificateId. So you might be able to get certutil to export multiple certs. I don't know for sure.
You must put something for CertificateId.
By default, certutil will attempt to export the whole cert chain to output.pfx.
Andrew
May 19th, 2012 10:23pm
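Since the original question asked for a batch-style way to export several certificates, here is a scripted wrapper around the certutil command in the answer above. It is an added example, not code from any of the posts: it runs certutil once per thumbprint, checks the exit code, and then opens each PFX with .NET to confirm that the leaf with its private key is inside and to report how many certificates the file holds (more than one means the issuing chain was included, which is what happens by default unless the NoChain modifier is given). The thumbprints, output directory and password in the usage line are placeholders (assumptions).

```powershell
# Added example, not code from the original posts.
# Exports one PFX per thumbprint with certutil -exportPFX and verifies each result.
# Placeholders (assumptions): the thumbprints, output directory and password in the usage line.

function Export-PfxWithCertutil {
    param(
        [Parameter(Mandatory=$true)][string[]] $Thumbprint,   # SHA-1 thumbprints to export
        [Parameter(Mandatory=$true)][string]   $OutDir,       # one <thumbprint>.pfx per certificate
        [Parameter(Mandatory=$true)][string]   $Password,     # protects the PFX files
        [switch] $LocalMachine,   # default: the current user's My store (certutil -user)
        [switch] $NoChain         # export only the leaf; omit the issuing chain
    )

    if (-not (Test-Path -LiteralPath $OutDir)) {
        New-Item -ItemType Directory -Path $OutDir | Out-Null
    }

    foreach ($tp in $Thumbprint) {
        $id  = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $out = Join-Path $OutDir "$id.pfx"

        # certutil [Options] -exportPFX [CertificateStoreName] CertId OutputFileName [Modifiers]
        $cuArgs = @()
        if (-not $LocalMachine) { $cuArgs += '-user' }
        $cuArgs += '-f', '-p', $Password, '-exportPFX', 'My', $id, $out   # -f: overwrite an existing file
        if ($NoChain) { $cuArgs += 'NoChain' }

        $output = & certutil.exe @cuArgs 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil failed for $id (exit $LASTEXITCODE): $($output -join ' ')"
            continue
        }

        # Independent check: load the whole PFX and look for our leaf with its private key
        $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $coll.Import($out, $Password,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        $leaf = $coll | Where-Object { $_.Thumbprint -eq $id }
        if ($leaf -eq $null -or -not $leaf.HasPrivateKey) {
            Write-Warning "$out does not contain $id with a private key"
            continue
        }

        New-Object PSObject -Property @{
            Thumbprint    = $id
            Path          = $out
            CertsInPfx    = $coll.Count          # greater than 1 means the chain was included
            HasPrivateKey = $leaf.HasPrivateKey
        }
    }
}

# Usage (placeholders). -p puts the password on the command line, where other local users can read
# it from the process list, so use a throw-away import password and change it on import.
Export-PfxWithCertutil -Thumbprint '<thumbprint-1>', '<thumbprint-2>' -OutDir 'C:\temp\pfx' -Password 'Temp-Import-P@ss' -NoChain
```

The OutputFileName is resolved against the current directory when it is relative, so a bare `test.pfx` lands wherever the prompt was when certutil ran; this script always passes a full path so the files are easy to find and to clean up after they have been imported elsewhere.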