Can't export private key

When trying to export my certificate through IE, I follow the instructions, but when the Wizard comes up the option to Export the Private key is greyed out and it says below.

Note: The associated private key is marked as not exportable. Only the certificate can be exported.

Is there any way around this? I know that it is not a full backup if the private key isn’t included.

Hi, tmarlow,
sorry, but I don’t have the answer.

I have however the same problem as you describe.

Maybe somebody is able to help us soon…???

I would really like to back up my certificate to a safe place.

Thanks from kulaworld

Same problem here. I am using Windows Vista Business with IE7.

Contact support and ask them to revoke the certificate.

Once done re-request the certificate and ensure you open the Advanced Private Key Options area BEFORE you submit the request. You’ll see amongst the items displayed you’ll have a checkbox (already checked) for Exportable? which you can leave checked.

That’s all you need to do, folks. It looks like the default behavior is to not allow the private key to be exportable.

With thanks to Mark at Technical support for taking me through that one.


Hi Rachel,

thanks for your help, muchly appreciated.

I had my certificate revoked.
I also removed the certificate from the personal certificates list.
So far I have not requested a new certificate.

One thing is not so clear to me now.
B.t.w. I have IE7.

Under Certificates, Advanced Options, it shows me a list called Certificate purposes (all items are checked),
but none of these “purposes” is called exportable.
Am I looking in the wrong spot here?
Did I miss something?

Further help will be appreciated.



Yes, you’re looking in the wrong place. The option is on the certificate request form, but only if you are using Internet Explorer, not with Thunderbird. When applying for a certificate using Internet Explorer, there is a request to allow the Active-X Control “Certificate Enrollment Control”. When it installs, a link for Advanced Private Key Options appears immediately above the section for the Revocation Password. Clicking on the link opens a form with options for CSP, Key Size, Exportable, and User Protected. When Firefox is used with the default rendering engine, there is only an option for key size. Using the IE engine in Firefox for the same page gets the advanced options link.
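
To confirm after re-enrolling that the Exportable option described above actually took effect, the key's export flag can be read back from the certificate store. This PowerShell function is an added example, not part of any post in this thread; the function name is hypothetical and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: list certificates in a store and report whether each
# private key is marked exportable. Read-only; it changes nothing.
function Get-CertKeyExportability {
    param(
        # Store to inspect; the current user's Personal store by default.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert  = $_            # saved because $_ is the error inside catch
        $state = 'no private key'

        if ($cert.HasPrivateKey) {
            try {
                # Typically an RSACng (CNG key) or RSACryptoServiceProvider
                # (CryptoAPI key); $null when the certificate key is not RSA.
                $rsa = $ext::GetRSAPrivateKey($cert)

                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable = $rsa.Key.ExportPolicy.HasFlag($allow)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } else {
                    $exportable = $null
                }

                if ($null -eq $exportable) { $state = 'unknown (non-RSA or other provider)' }
                elseif ($exportable)       { $state = 'exportable' }
                else                       { $state = 'NOT exportable' }
            } catch {
                # Smart-card keys or keys whose files this account cannot read.
                $state = "key not accessible: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            PrivateKey = $state
        }
    }
}

Get-CertKeyExportability | Format-Table -AutoSize
```

A certificate reported as "NOT exportable" is the case where the export wizard greys out the private key option.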


ActiveX should be enabled in IE, or you have to add the site as a trusted web site under the Trusted Sites option in the IE browser options.

If you find a problem in applying for the certificate, then please let me know your exact browser version.

Looks like the issue is on the pc and how your private key is mathematically challenged with the public key. At some point, you cannot put them together, as you have lost access to your private key.


From your DOS command prompt, copy and paste this command line. It will reassign your private key access to your account. Then try to export your cert from your browser. You should have the private key option available.

cacls "%USERPROFILE%\Application Data\Microsoft\Crypto\RSA" /T /E /C /G "%USERDOMAIN%\%USERNAME%":F
(There is one space between G and the next ".)
Let me know if this helps.


Just for the fun to export when the private key is greyed out >:-D

A new version that supports CNG & CryptoAPI

  • download (and launch with administrative privileges) : (trunk version for last version)
  • privilege::debug (or not if you’re already system or target only CryptoApi)
  • crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
  • crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

pfx files are password protected (“mimikatz”)