Marking private keys as non-exportable with certutil -importpfx

When importing a PFX-file with the certificate import wizard, you can choose if the private key should be exportable or not. Your choice is stored in the key storage property identifier that is key-storage specific. In other words, there is no information in the certificate about the exportability of the related private key. It is possible that if you import the same PFX-file into different computers that the private key is maked as exportable on one computer and is not marked as exportable on another.

To perform a PFX-file import at a command-line you may be familiar with the certutil -importPFX command. Since Windows Server 2003 SP1, certutil understands extra arguments to improve the PFX import.

Here is the abstract syntax:

certutil -importPFX {PFXfile} [NoExport|NoCert|AT_SIGNATURE|AT_KEYEXCHANGE]

To make the private key non-exportable, use the following command:

certutil -importPFX [PFXfile] NoExport

To just install the private key but not the certificate, use the NoCert argument. It can be combined with the NoExport argument.

certutil -importPFX [PFXfile] NoCert

There are two more arguments forcing AT_SIGNATURE or AT_KEYEXCHANGE. Both cannot be used in combination and may require a conversion to a RSA key.

certutil -importPFX [PFXfile] AT_SIGNATURE

certutil -importPFX [PFXfile] AT_KEYEXCHANGE

To combine multiple modifiers with one command, all modifiers must appear comma seperated as a single common line parameter. For example:

certutil -importPFX [PFXfile] "NoExport,AT_KEYEXCHANGE"

Comments (8)
  1. try certutil -user -p "Password" -importpfx "C:PFXFILENAME.pfx"

  2. Anonymous says:

    There is a new version of mimikatz that also support CNG export 🙂 (windows vista / seven / 2008 …)

    1. download (and launch with administrative privileges) : (trunk version for last version)

    2. privilege::debug (or not if you're already system)

    3. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)

    4. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

    pfx files are passwords protected "mimikatz"


  3. Anonymous says:

    As noted in this article Visual Studio 2005 cannot handle PKCS#12 files that hold several certificates

  4. Anonymous says:

    Through a recent migration we needed to move a large number of SSL certificates. After spending a lot

  5. Anonymous says:

    Private keys are exportable with Microsoft CSP, even with "NoExport" options or others GUI checkbox…

    Tools like mimikatz ( ) or JailBreak ( ) export "non exportable" keys

    mimikatz can also export without GUI medium protected certificates/keys… and orphan keys…ho.. yes, by the way… Windows does not delete private key when we ask for delete a certificate with its private key…

    Don’t count on "non exportable" keys for security purpose ! (HSM ?)

  6. Amit Thaker says:

    Hi there,

    I am trying to use NoExport command through command line using Certutil.exe but it is not working. Note: this is command is part of a bigger solution but I m currently testing the concept manually.

    My Command,

    C:>Certutil.exe -p "Password" -importpfx -user "C:PFXFILENAME.pfx (works fine) but when I add NoExport at the end of the command it throws up error message "Expected no more than 1 args, received 2"

    I would appreciate your help.

    1. Pale_Cheung says:

      ” -user ” should appear before “-importpfx”.

  7. @Gentil Kiwi says:

    > (blah blah blah, Windows has no security…)
    > …
    > launch with administrative privileges

    So – in other words, to pwn the machine, you need to… pwn the machine ALREADY? 😀

Comments are closed.

Skip to main content