How To Export A Private Key File From A Windows Machine?

Time needed: 15 minutes.

How To Export a Private Key File from a Windows Machine?

1. Create a CSR

   1. Open MMC console:
   Win + R > mmc > Ok > File > Add/Remove Snap-in > Certificates > Add > Computer account > local computer > Finish > Ok.

   2. Create a CSR file:
   right-click the Personal folder > All Tasks > Advanced Operations > Create Custom Request > Next > Proceed without enrollment policy > Click Next > PKCS # 10 > Next > Details > Properties.

   3. Add CSR contents:
   Subject tab > Fill Subject name

   Common Name (CN) = Host or domain name
   DNS (SAN) =
   Organization (O) =
   Organizational Unit (OU) =
   City/Locality (L) =
   State/County/Region (S) =
   Country (C) =
   Email Address =

   Private Key tab > Key options > select Key size: 2048 > Ok

   4. Save the CSR file:
   Select Base 64 and Click Next > Click Browse.

   Please visit this post to see how to create a CSR on a Windows machine.

   

2. Submit the CSR to a CA and get the Certificate

   Submit the CSR to your Certificate Authority (CA) or you can also submit it to third party CA to sign the certificate.

   If you have Microsoft’s ADCS CA service and want to sign the CSR with your internal CA. Please read how to submit and download the certificate from ADCS.

3. Import the Certificate on your Windows machine

   After CA has issued the certificate. You should download that and import it along with the chain certificates.
   Note: If you don’t have the chain certificates imported to trusted stores, please import chain certificates (intermediate & root CA certificates) on your machine.

   Right Click on the Certificate > Install Certificate > Next > Automatically select the certificate store > Finish > Ok

   

4. Export the certificate in PFX format

   This is the place where the export of the private key happens. Windows doesn’t store the private key in a separate file. you can’t export the private key alone. If you need to export the private key from either MMC or IIS, you should export the certificate in .pfx (PKCS#12) file format along with the private key.

   1. Open MMC console:
   Win + R > mmc > Ok > File > Add/Remove Snap-in > Certificates > Add > Computer account > local computer > Finish > Ok.

   2. Export the certificate in PFX:
   Right Click on the Certificate > All Tasks -> Export > Next > yes, export the private key > Next > Personal INformation Exchange – PKCS # 12 (PFX) > Include all certificate in the path > Next > Passwords > Browse > Finish.

   

5. Install OpenSSL on your Windows machine.

   OpenSSL is a powerful full cross-platform open-source utility used in various digital certificate activities. The installation procedure is very simple and straight. Read this post to know how to install OpenSSL on the Windows machine.

   1. Download the OpenSSL installer from the official OpenSSL download link: https://slproweb.com/products/Win32OpenSSL.html

   2. Run the installer to complete the installation.

   3. Add OPENSSL_CONF and Path environment variable on System Properties:

   

6. Export the private key file from the PFX certificate.

   Run this command to extract the private key from PFX file:
   > openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

   Run this command to extract the certificate from PFX file:
   > openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]

   Run this command to decrypt the private key:
   > openssl rsa -in [drlive.key] -out [drlive-decrypted.key]