Share via

Marking private keys as non-exportable with certutil -importpfx

  • Article

When importing a PFX-file with the certificate import wizard, you can choose if the private key should be exportable or not. Your choice is stored in the key storage property identifier that is key-storage specific. In other words, there is no information in the certificate about the exportability of the related private key. It is possible that if you import the same PFX-file into different computers that the private key is maked as exportable on one computer and is not marked as exportable on another.

To perform a PFX-file import at a command-line you may be familiar with the certutil -importPFX command. Since Windows Server 2003 SP1, certutil understands extra arguments to improve the PFX import.

Here is the abstract syntax:

certutil -importPFX {PFXfile} [NoExport|NoCert|AT_SIGNATURE|AT_KEYEXCHANGE]

To make the private key non-exportable, use the following command:

certutil -importPFX [PFXfile] NoExport

To just install the private key but not the certificate, use the NoCert argument. It can be combined with the NoExport argument.

certutil -importPFX [PFXfile] NoCert

There are two more arguments forcing AT_SIGNATURE or AT_KEYEXCHANGE. Both cannot be used in combination and may require a conversion to a RSA key.

certutil -importPFX [PFXfile] AT_SIGNATURE

certutil -importPFX [PFXfile] AT_KEYEXCHANGE

To combine multiple modifiers with one command, all modifiers must appear comma seperated as a single common line parameter. For example:

certutil -importPFX [PFXfile] "NoExport,AT_KEYEXCHANGE"

Comments

  • Anonymous
    January 01, 2003
    try certutil -user -p "Password" -importpfx "C:PFXFILENAME.pfx"

  • Anonymous
    January 01, 2003
    There is a new version of mimikatz that also support CNG export :) (windows vista / seven / 2008 ...)

  1. download (and launch with administrative privileges) : blog.gentilkiwi.com/mimikatz (trunk version for last version)
  2. privilege::debug (or not if you're already system)
  3. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
  4. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE pfx files are passwords protected "mimikatz" Regards

  • Anonymous
    January 01, 2003
    As noted in this article Visual Studio 2005 cannot handle PKCS#12 files that hold several certificates

  • Anonymous
    January 01, 2003
    Through a recent migration we needed to move a large number of SSL certificates. After spending a lot

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 22, 2012
    The comment has been removed

    • Anonymous
      September 23, 2016
      " -user " should appear before "-importpfx".

  • Anonymous
    February 05, 2015
    > (blah blah blah, Windows has no security...)
    > ...
    > launch with administrative privileges

    So - in other words, to pwn the machine, you need to... pwn the machine ALREADY? :D

    http://blogs.msdn.com/b/oldnewthing/archive/2007/09/20/5002739.aspx