Export an RSA private key from the Windows Certificate Store

June 5, 2024

Exporting an RSA private key from the Windows Certificate Store can be essential for various administrative and security tasks, especially in environments where OpenSSL is not available. This guide provides a clear, step-by-step process for exporting an RSA private key from a machine running Windows. For this procedure to succeed, the certificate in question must have been imported into the Windows Certificate Store with the "Mark the private key as exportable" option enabled. Following this guide lets you manage your cryptographic keys securely and efficiently without the need for additional software.

Before diving into the process, note that this guide requires you to have local administrator rights on the machine.

 

After confirming this, follow the next steps: 

Steps to export an RSA private key from the Windows Certificate Store

 

Step 1: Open an elevated PowerShell command prompt 

Step 2: Retrieve the thumbprint of the certificate that you wish to export with the following command. For example, if the certificate is in the machine's personal certificate store:

dir cert:\LocalMachine\My 

 

Step 3: Create a certificate object in the PowerShell prompt based on the thumbprint of your certificate with the following command: 

$cert = Get-ChildItem Cert:\LocalMachine\My | ? {$_.Thumbprint -eq '<THUMBPRINT_OF_CERTIFICATE_FROM_STEP_2>'} 

Step 4: Read the RSA private key into an RSA CNG object:

$RSACng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) 

 

Step 5: Read the bytes from the private key: 

$KeyBytes = $RSACng.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)

Step 6: Encode the key bytes in Base64 format: 

$KeyBase64 = [System.Convert]::ToBase64String($KeyBytes, [System.Base64FormattingOptions]::InsertLineBreaks) 

Step 7: Display the private key in PEM format in the PowerShell command prompt: 

$KeyPem = @"
-----BEGIN PRIVATE KEY-----
$KeyBase64
-----END PRIVATE KEY-----
"@
$KeyPem
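A pre-flight check for the procedure above, as an added example that is not part of the original guide: it lists the certificates in a store that hold an RSA private key and reports each key's export policy, so you can see in advance which keys Step 5 can read. The function name Get-ExportableKeyReport and its output column names are assumptions made for this example.

```powershell
# Added example, not from the original guide. Run from an elevated PowerShell prompt.
# Get-ExportableKeyReport is a hypothetical helper name.
function Get-ExportableKeyReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Certificates without an associated private key have nothing to export.
        if (-not $cert.HasPrivateKey) { continue }

        $provider = 'Unknown'; $policy = 'Unknown'; $plaintext = $false
        try {
            # Same call as Step 4; returns $null when the key is not RSA (for example ECDSA).
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

            if ($null -eq $rsa) {
                $provider = 'Non-RSA'
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is a flags value on the underlying CngKey.
                $provider = 'CNG'
                $flags    = $rsa.Key.ExportPolicy
                $policy   = $flags.ToString()
                # Step 5 exports an unencrypted PKCS#8 blob, which needs AllowPlaintextExport.
                $plaintext = $flags.HasFlag(
                    [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # No CngKey object here, so Step 5 cannot be used as written.
                $provider = 'CSP'
                $policy   = if ($rsa.CspKeyContainerInfo.Exportable) { 'Exportable' } else { 'NotExportable' }
            }
        }
        catch {
            # Typical causes: missing key container or insufficient rights on the key.
            $policy = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            NotAfter           = $cert.NotAfter
            Provider           = $provider
            ExportPolicy       = $policy
            PlaintextExportable = $plaintext
        }
    }
}

Get-ExportableKeyReport | Format-Table -AutoSize
```

Rows with PlaintextExportable set to True are the keys the procedure in this guide can read; the same list doubles as an inventory of keys whose export policy should be reviewed.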

 

Conclusion

Successfully exporting an RSA private key from the Windows Certificate Store is a crucial skill for system administrators and security professionals who need to manage cryptographic keys without relying on external tools such as OpenSSL. Provided that the certificate was initially imported with the “Mark the private key as exportable” option enabled, you can follow a streamlined process to securely retrieve the private key. This capability not only increases your flexibility in key management, but also reinforces the importance of proper certificate management and configuration from the start. With this guide, you now have the knowledge you need to confidently export RSA private keys when necessary, maintaining the integrity and security of your cryptographic infrastructure.
