
Unable to use Export-PFXCertificate on a certificate whose key IS marked exportable

Open scott1138 opened this issue 6 years ago • 9 comments

Installed WindowsCompatibility module and imported PKI module.

Created certificate as follows: `$cert = New-SelfSignedCertificate -Subject 'test' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My`

When exporting (and yes $pw is a securestring) I get an error that the key is not exportable:

```
Export-PfxCertificate -Cert $cert -Password $pw -FilePath c:\temp\test.pfx
Cannot export non-exportable private key.
+ CategoryInfo : NotSpecified: (:) [Export-PfxCertificate], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.CertificateServices.Commands.ExportPfxCertificate
+ PSComputerName : localhost
```

If I retrieve the cert by thumbprint in PS 5 and then export, it works fine:

```
$cert = ls 'Cert:\CurrentUser\My\FD5D219C9245E09C4EFA72110E6C03997C3CDC76'
Export-PfxCertificate -Cert $cert -Password $pw -FilePath c:\temp\test.pfx

    Directory: C:\temp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/21/2019  11:53 AM           2630 test.pfx
```

Any help would be appreciated!

Aug 21 '19 16:08 scott1138

Still seeing this with PowerShell 7...

Mar 07 '20 19:03 wightsci

I also see this with PowerShell Core 7.0.0.

Mar 15 '20 18:03 gc435

Is the issue in Windows PowerShell?

Mar 16 '20 04:03 iSazonov

This seems to be a problem with PowerShell 7. I get the following results when I run a script that uses Export-PfxCertificate:

PowerShell Version: 7.0.0
Export-PfxCertificate: Cannot export non-exportable private key.

PowerShell Version: 5.1.18362.628
No error and everything is fine.

Apr 03 '20 19:04 WeirdSilence

Same issue in PowerShell 7.0.0

Apr 24 '20 05:04 huguesBouvier

/cc @anmenaga for information

Apr 24 '20 05:04 iSazonov

May be related to https://github.com/PowerShell/PowerShell/issues/12081

Apr 24 '20 19:04 anmenaga

The original issue was opened in August of last year. Since then we've added built-in WinCompat functionality. It may be worth trying this in a fresh, recent version of PS Core without using the WindowsCompatibility module:

```
PS C:\> $PSVersionTable.PSVersion

Major  Minor  Patch  PreReleaseLabel BuildLabel
-----  -----  -----  --------------- ----------
7      1      0      preview.1

PS C:\> $cert = New-SelfSignedCertificate -Subject 'mytest' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My
PS C:\> $cert


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
8ABA70B6FAB7EEB0D6ACED618B2DC77EFF32FF1E  CN=mytest            {Client Authentication, Server Authentication}

PS C:\> Get-Module PKI

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     1.0                   PKI                                 {Add-CertificateEnrollmentPolicyServer, Export-Certificate, Export-PfxCertificate, Get-Ce…

PS C:\>
```

Apr 24 '20 19:04 anmenaga

> I get the following results when I run a script that uses Export-PfxCertificate

Does the script first retrieve the certificate object before exporting it, like in PowerShell/PowerShell#12081? That would explain the error.

Apr 24 '20 19:04 anmenaga
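
The workaround from the original report (look the certificate up by thumbprint in Windows PowerShell, then export) can be driven from PowerShell 7. This is an added example, not code from the thread or from the PowerShell project. `Export-PfxByThumbprint` is a hypothetical helper name, and the example assumes, as the last comment suggests, that the failure comes from handing a certificate object obtained in PowerShell 7 to the Windows PowerShell cmdlet.

```powershell
# Added example. Export-PfxByThumbprint is a hypothetical helper, not a PKI cmdlet.
# Only the thumbprint string, password and path cross into Windows PowerShell;
# the certificate object is resolved there, next to its private key.
function Export-PfxByThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint, hex only
        [string] $Thumbprint,

        [Parameter(Mandatory)]
        [securestring] $Password,

        # Use an absolute path: the session has its own working directory.
        [Parameter(Mandatory)]
        [string] $FilePath,

        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $StoreLocation = 'CurrentUser'
    )

    # Local Windows PowerShell 5.1 session (PowerShell 7 on Windows only).
    $session = New-PSSession -UseWindowsPowerShell
    try {
        Invoke-Command -Session $session -ArgumentList $Thumbprint, $Password, $FilePath, $StoreLocation -ScriptBlock {
            param($Thumbprint, $Password, $FilePath, $StoreLocation)

            $cert = Get-Item -LiteralPath "Cert:\$StoreLocation\My\$Thumbprint" -ErrorAction Stop
            if (-not $cert.HasPrivateKey) {
                throw "Certificate $Thumbprint has no private key in $StoreLocation\My."
            }
            # Return only the path string; the PFX itself stays on disk.
            (Export-PfxCertificate -Cert $cert -Password $Password -FilePath $FilePath -ErrorAction Stop).FullName
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# Usage with the certificate from the original report:
# $cert = New-SelfSignedCertificate -Subject 'test' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My
# $pw   = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-PfxByThumbprint -Thumbprint $cert.Thumbprint -Password $pw -FilePath C:\temp\test.pfx
```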