Marking private keys as non-exportable with certutil -importpfx

When importing a PFX-file with the certificate import wizard, you can choose if the private key should be exportable or not. Your choice is stored in the key storage property identifier that is key-storage specific. In other words, there is no information in the certificate about the exportability of the related private key. It is possible that if you import the same PFX-file into different computers that the private key is maked as exportable on one computer and is not marked as exportable on another.

To perform a PFX-file import at a command-line you may be familiar with the certutil -importPFX command. Since Windows Server 2003 SP1, certutil understands extra arguments to improve the PFX import.

Here is the abstract syntax:

certutil -importPFX {PFXfile} [NoExport|NoCert|AT_SIGNATURE|AT_KEYEXCHANGE]

To make the private key non-exportable, use the following command:

certutil -importPFX [PFXfile] NoExport

To just install the private key but not the certificate, use the NoCert argument. It can be combined with the NoExport argument.

certutil -importPFX [PFXfile] NoCert

There are two more arguments forcing AT_SIGNATURE or AT_KEYEXCHANGE. Both cannot be used in combination and may require a conversion to a RSA key.

certutil -importPFX [PFXfile] AT_SIGNATURE

certutil -importPFX [PFXfile] AT_KEYEXCHANGE

To combine multiple modifiers with one command, all modifiers must appear comma seperated as a single common line parameter. For example:

certutil -importPFX [PFXfile] "NoExport,AT_KEYEXCHANGE"