While working with certificates today, I stumbled upon an error that indicated something was amiss with my CA certificate templates. Ordinarily I make only certificate templates with exportable private keys available in my CA web enrollment pages, and I’d explicitly requested and installed the certificate with the thumbprint shown in the error below.
So I donned my sleuth knickers, and decided to delve a little deeper.
An attempt to manually export the certificate with its private key from the certificate store indicated that there was no private key to be exported, as that option was greyed out
I identified the certificate template from which the certificate was created in the MMC | Certificates snap-in, and then reviewed the properties of the template to determine that the option to export the private key was indeed disabled. I also determined that this is typical of default/ built-in CA certificate templates.
I wrote an article on how to create certificate templates from a Windows Server 2012 R2 CA, and make the templates available for use in the CA web pages.