PFXExportCertStoreEx function (wincrypt.h)

The PFXExportCertStoreEx function exports the certificates and, if available, their associated private keys from the referenced certificate store. This function replaces the older PfxExportCertStore function. It should be used for its enhanced private key security. The PFX BLOB created by this function is protected by a password.


BOOL PFXExportCertStoreEx(
  [in]      HCERTSTORE      hStore,
  [in, out] CRYPT_DATA_BLOB *pPFX,
  [in]      LPCWSTR         szPassword,
  [in]      void            *pvPara,
  [in]      DWORD           dwFlags


[in] hStore

Handle of the certificate store containing the certificates to be exported.

[in, out] pPFX

A pointer to a CRYPT_DATA_BLOB structure to contain the PFX packet with the exported certificates and keys. If pPFX->pbData is NULL, the function calculates the number of bytes needed for the encoded BLOB and returns this in pPFX->cbData. When the function is called with pPFX->pbData pointing to an allocated buffer of the needed size, the function copies the encoded bytes into the buffer and updates pPFX->cbData with the encode byte length.

[in] szPassword

String password used to encrypt and verify the PFX packet. When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see Handling Passwords.

[in] pvPara

This parameter must be NULL if the dwFlags parameter does not contain PKCS12_PROTECT_TO_DOMAIN_SIDS or PKCS12_EXPORT_PBES2_PARAMS. Prior to Windows 8 and Windows Server 2012, therefore, this parameter must be NULL.

Beginning with Windows 8 and Windows Server 2012, if the dwFlags parameter contains PKCS12_PROTECT_TO_DOMAIN_SIDS, you can set the pvPara parameter to point to an NCRYPT_DESCRIPTOR_HANDLE value to identify which Active Directory principal the PFX password will be protected to inside of the PFX BLOB. Currently, the password can be protected to an Active Directory user, computer, or group. For more information about protection descriptors, see NCryptCreateProtectionDescriptor.

Beginning with Windows 10 1709 (Fall Creators update) and Windows Server 2019, if the dwFlags parameter contains PKCS12_EXPORT_PBES2_PARAMS, you should set the pvPara to an PKCS12_EXPORT_PBES2_PARAMS value to select the password-based encryption algorithm to use.

[in] dwFlags

Flag values can be set to any combination of the following.

Value Meaning
Private keys are exported as well as the certificates.
If a certificate is encountered that has no associated private key, the function returns FALSE with the last error set to either CRYPT_E_NOT_FOUND or NTE_NO_KEY.
If a certificate is encountered that has a non-exportable private key, the function returns FALSE and the last error set to NTE_BAD_KEY, NTE_BAD_KEY_STATE, or NTE_PERM.
Export all extended properties on the certificate.

Windows Server 2003 and Windows XP:  This value is not supported.

The PFX BLOB contains an embedded password that will be protected to the Active Directory (AD) protection descriptor pointed to by the pvPara parameter. If the szPassword parameter is not NULL or empty, the specified password is protected. If, however, the szPassword parameter is NULL or an empty string, a random forty (40) character password is created and protected.

PFXImportCertStore uses the specified protection descriptor to decrypt the embedded password, whether specified by the user or randomly generated, and then uses the password to decrypt the PFX BLOB.

Windows 8 and Windows Server 2012:  Support for this flag begins.

Export using the passowrd-based encryption algorithm specified by the PKCS12_EXPORT_PBES2_PARAMS value passed as pvPara.

Windows 10 1709 (Fall Creators update) and Windows Server 2019:  Support for this flag begins.

Return value

Returns TRUE (nonzero) if the function succeeds, and FALSE (zero) if the function fails. For extended error information, call GetLastError.


Beginning with Windows 8 and Windows Server 2012, you can protect the PFX password to an Active Directory user, computer, or group. If you choose to do so but do not create a password, a temporary password will be randomly selected. The password is encrypted by using the Active Directory principal and then embedded in the PFX BLOB. For more information, see the pvPara parameter and the PKCS12_PROTECT_TO_DOMAIN_SIDS flag.

Beginning with Windows 10 1709 (Fall Creators update) and Windows Server 2019, you can control the number of iterations of the hash function over the password done by the PFXExportCertStoreEx function using the following registry key. The value in this key is of type REG_DWORD.



Requirement Value
Minimum supported client Windows XP [desktop apps | UWP apps]
Minimum supported server Windows Server 2003 [desktop apps | UWP apps]
Target Platform Windows
Header wincrypt.h
Library Crypt32.lib
DLL Crypt32.dll

See also