Sometimes you need to export the private key for a Windows certificate. By default, certificate signing requests do not allow the private key how to be exported. This document explains how to generate a Certificate Signing Request (CSR) that will allow the private key to be exported. CSRs with exportable keys cannot be generated from the IIS Manager–you must use the Windows certificate manager.
- Log in as an administrator
- From a command prompt or the run menu:
- To create the certificate in the local machine store (recommended):
- Type mmc
- On the File menu, click Add/Remove Snap-in. Click Certificates in the left pane, then click Add.
- Select Computer Account, then click Next.
- Select Local Computer, then click Finish.
- Click OK.
- To the create the certificate in the logged on user's personal store:
- Type certmgr.msc
- In the left pane expand Certificates (Local Computer), expand Personal, then click Certificates.
- On the Action menu, click All Tasks, then click Advanced Operations, then click Create Custom Request.
- Click Next.
- Select Proceed without enrollment policy. Click Next.
- In the Template menu, select (No template) CNG key
- Under Request Format, select PKCS #10. Click Next.
- Click the arrow next to Details to expand the selection. Click Properties.
- On the General tab, provide a Friendly name and Description for the certificate. These can be anything you want.
- On the Subject tab, go to the Subject name box:
- In the Type menu, select Common name