Create a Certificate Template from a Server 2012 R2 CA

In order to export the private key for a certificate, you will need to base the certificate on a template that has that option enabled. While this task can be easily accomplished using PowerShell, I’ll document a step by step using the GUI to show what this entails.

Open Server Manager in your CA, click Tools, select Certificate Authority

Select your CA, select and right-click Certificate Templates, and right-click Manage
In the Certificate Templates Console, select the relevant Template Display Name (Web Server in my case), right-click and select Duplicate Template

In the resulting Properties of New Template window, leave the default compatibility settings for backward compatibility with older clients

Click on the General tab, and enter the Template display name, and select your preferred Validity period

Click on the Request Handling tab, and check the option to Allow private key to be exported

Click on the Cryptography tab, and confirm that the Minimum key size is at least 2048. This is the default in Server 2012 R2. Leave the default Cryptography settings as the defaults are secure enough given a strong enough key size.

Click on the Extensions tab, and confirm that the selected Server Application Policies description (Server Authentication in my case) is sufficient.This is based on the template type you selected in step 3. above. If you would like to expand the application policies to include other authentication types, you can click on Edit to Add other authentication types
Click on the Security tab, and confirm that Authenticated users have Read access. Click Apply, and OK to save the template.