Marking private keys as non-exportable with certutil -importpfx
Published Jan 24 2020 01:41 PM

First published on TECHNET on Jul 29, 2007

When importing a PFX file with the Certificate Import Wizard, you can choose whether the private key should be exportable. Your choice is stored in a key storage property identifier that is specific to the key storage. In other words, the certificate itself carries no information about the exportability of the related private key. If you import the same PFX file on different computers, the private key may therefore be marked as exportable on one computer and not on another.




To import a PFX file at the command line, you may already be familiar with the certutil -importPFX command. Since Windows Server 2003 SP1, certutil understands extra arguments to improve the PFX import.




Here is the abstract syntax:




certutil -importPFX {PFXfile} [NoExport|NoCert|AT_SIGNATURE|AT_KEYEXCHANGE]




To make the private key non-exportable, use the following command:




certutil -importPFX [PFXfile] NoExport




To install only the private key and not the certificate, use the NoCert argument. It can be combined with the NoExport argument.




certutil -importPFX [PFXfile] NoCert




There are two more arguments, which force AT_SIGNATURE or AT_KEYEXCHANGE. The two cannot be used in combination, and they may require a conversion to an RSA key.




certutil -importPFX [PFXfile] AT_SIGNATURE




certutil -importPFX [PFXfile] AT_KEYEXCHANGE


To combine multiple modifiers in one command, all modifiers must appear comma-separated as a single command-line parameter. For example:


certutil -importPFX [PFXfile] "NoExport,AT_KEYEXCHANGE"
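
Because the exportability flag lives in the key storage and not in the certificate, the only way to confirm the result of an import is to query the key itself on each computer. The following PowerShell is an added example, not part of the original post: the function name Get-KeyExportability is hypothetical, and the default store path assumes the PFX was imported into the local machine's personal store.

```powershell
# Added example: report whether each private key in a certificate store is marked exportable.
# Assumption: the PFX was imported into Cert:\LocalMachine\My; pass another path otherwise.
# Reading machine keys normally requires an elevated session.
function Get-KeyExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $pol = [System.Security.Cryptography.CngExportPolicies]
    # Either of these CNG policy bits means the key material can leave the key store.
    $exportBits = [int]$pol::AllowExport -bor [int]$pol::AllowPlaintextExport

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $exportable = $null
            $storage    = 'non-RSA or unknown'
            try {
                $rsa = $ext::GetRSAPrivateKey($_)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: exportability is the export policy property of the key.
                    $exportable = ([int]$rsa.Key.ExportPolicy -band $exportBits) -ne 0
                    $storage    = 'CNG'
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: exportability is a key container attribute.
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                    $storage    = 'CSP'
                }
            }
            catch {
                # Typical causes: no read access to the key, or the key container is missing.
                $storage = "error: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                KeyStorage = $storage
                Exportable = $exportable
            }
        }
}

# List every certificate in the store whose private key can still be exported.
Get-KeyExportability | Where-Object { $_.Exportable } | Format-Table -AutoSize
```

A certificate imported with the NoExport modifier should not appear in the final listing; running the same check on every computer that received the PFX file shows where the flag differs.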


Last update: Feb 20 2020 02:42 PM