In order to export the private key for a certificate, you will need to base the certificate on a template that has that option enabled. While this task can be easily accomplished using PowerShell, I’ll document a step by step using the GUI to show what this entails.
- Open Server Manager in your CA, click Tools, select Certificate Authority
- Select your CA, select and right-click Certificate Templates, and right-click Manage
- In the Certificate Templates Console, select the relevant Template Display Name (Web Server in my case), right-click and select Duplicate Template
- In the resulting Properties of New Template window, leave the default compatibility settings for backward compatibility with older clients
- Click on the General tab, and enter the Template display name, and select your preferred Validity period
- Click on the Request Handling tab, and check the option to Allow private key to be exported
- Click on the Cryptography tab, and confirm that the Minimum key size is at least 2048. This is the default in Server 2012 R2. Leave the default Cryptography settings as the defaults are secure enough given a strong enough key size.
- Click on the Extensions tab, and confirm that the selected Server Application Policies description (Server Authentication in my case) is sufficient.This is based on the template type you selected in step 3. above. If you would like to expand the application policies to include other authentication types, you can click on Edit to Add other authentication types
- Click on the Security tab, and confirm that Authenticated users have Read access. Click Apply, and OK to save the template.
This concludes the steps for creating your template that will enable you to export a private key.
After creating the template, we now have to make the template available for use in the web enrollment pages
- In Certificate Authority, select Certificate Templates, right-click and select New. Select Certificate Template to Issue
- In the Enable Certificate Templates windows select your newly created template and click OK
This now makes the newly created template available for use.
And available for use when requesting a new certificate from the CA via the web enrollment pages.
And after you request and install the issued certificate, you will now be able to export the certificate with the private key.
Explore the Export-PfxCertificate cmdlet for use in exporting a certificate or PFXData object.