Purpose
In some cases there is a need to export an installed certificate from the Windows certificate store so that it can be installed on another system. One common use case is installing the same certificate on all nodes of a web server cluster. Another is exporting and converting the format of a certificate for use on a Linux system or with a Java certificate store.
This page provides instructions for exporting a certificate from the local machine store. Exporting a certificate from another personal certificate store is similar, but you will need to log in as the user that owns the particular certificate store and navigate to the appropriate folder there rather than under the local machine store.
Procedure
- Log in as an Administrator.
- From a command prompt or the run menu enter "mmc".
- Open your Local Computer certificates (click File > Add/Remove Snap-in... > Certificates > Computer account > Next > Local computer > Finish > OK).
- In the folder structure navigate to Certificates (Local Computer) > Personal > Certificates.
- Right-click on the certificate you want to export and choose All Tasks > Export > Next.
- Select "Yes, export the private key" then "Next". If this option is grayed out, whoever created the certificate originally did not mark the private key as exportable. You will not be able to export the certificate in this situation, so you will need to request a new certificate and start over. See Obtain a Certificate on Windows Server 2008 R2 and 2012 (Without Using IIS).
- Select the PKCS#12 option.
- Check the box for "Include all certificates in the certification path if possible".
- If you will no longer need the certificate and private key on this system check "Delete the private key if the export is successful". Do not select this option if you still need to use this certificate on this system.
- Check the box to "Export all extended properties".
- Click "Next".
- Provide a password for the private key if you are prompted.
- Save the file somewhere safe as something like certname.pfx.
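The same export can be scripted, which helps when repeating it across cluster nodes. This is an added example, not part of the original procedure. It assumes Windows Server 2012 or later (where the `Export-PfxCertificate` cmdlet is available) and an elevated PowerShell session; the thumbprint and the output path are placeholders to replace with your own values.

```powershell
# Added example: scripted equivalent of the wizard export from the
# local machine Personal store. Thumbprint and path are placeholders.
# To find the thumbprint:
#   Get-ChildItem Cert:\LocalMachine\My |
#       Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'
$PfxPath    = 'C:\Secure\certname.pfx'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Without a private key in this store there is nothing to put in a .pfx.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key in this store."
}

# Prompt for the password so it never appears in the script or shell history.
$password = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString

try {
    # -ChainOption BuildChain matches "Include all certificates in the
    # certification path if possible". Extended properties are included
    # unless -NoProperties is given. -NoClobber refuses to overwrite a file.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password `
        -ChainOption BuildChain -NoClobber -ErrorAction Stop | Out-Null
}
catch {
    # A key that was not marked exportable fails here, the scripted
    # counterpart of the grayed-out "Yes, export the private key" option.
    throw "Export failed (is the private key marked exportable?): $($_.Exception.Message)"
}

# "Somewhere safe": drop inherited permissions and allow only the
# Administrators group (S-1-5-32-544) and SYSTEM (S-1-5-18).
icacls $PfxPath /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null

Write-Output "Exported $($cert.Subject) to $PfxPath"
```

The script leaves the certificate and key in place on the source system; it does not perform the "Delete the private key if the export is successful" step.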
Extracting the Certificate and Private Key
A .pfx file can be used to import the certificate and private key into any other Windows system. If you need separate certificate and key files for another application (e.g. Linux host, Java keystore) you can use the OpenSSL tools to extract these items. See Extracting Certificate and Private Key Files from a .pfx File.