Export Non-exportable Certificate Keys from store

I found myself needing to move a certificate from our old Exchange 2003 server to our new Exchange 2010 Hub server and found that the particular certificate was showing that the private key was not exportable.  Hmmmm, that created a slight issue.  Off to do some research and I found a tool that was able to accomplish the task.

Mimikatz is a pretty handy tool, though a little lacking in English documentation.  A short download later and I was off to the races.

It comes with versions for Win32 and x64; just run 'mimikatz.exe' from the appropriate folder with administrative privileges. When it opens, you're presented with a command-prompt-style window into which you enter:

  • privilege::debug
  • for XP/2003 enter crypto::patchcapi
  • for Win7/2008 enter crypto::patchcng
  • crypto::exportCertificates

[Image: screen capture of Mimikatz Export Certificate Keys]

An export of the system's certificates will be saved to the folder you ran the executable from, in both DER and PFX certificate formats; the PFX files will have 'mimikatz' as the password. You can now happily take the certificate you need to the system you need it on and import it to the correct store.

I've heard that it works for Win8 as well, but haven't tried it. The tool has some other less desirable features (at least less desirable if you're concerned about system security); a web search will bring up a number of posts, but at least you need administrative privileges to run it. If you find yourself needing to export non-exportable certificate keys, you should check Mimikatz out.
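Because every exported PFX carries the same known password, leftover export files are easy to find afterwards. The following PowerShell is an added example, not part of the original post: it walks a directory tree and reports each PKCS#12 file that opens with that password, using the .NET `X509Certificate2` constructor. The function name and the search paths are assumptions chosen for illustration.

```powershell
# Added example: find PKCS#12 files that open with the export password named in this post.
# Assumptions (not from the post): the function name Find-DefaultPasswordPfx and the
# search roots; point -Path at wherever the executable may have been run.
function Find-DefaultPasswordPfx {
    [CmdletBinding()]
    param(
        [string[]]$Path = @("$env:SystemDrive\Users"),
        [string]$Password = 'mimikatz'
    )

    $x509Type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.pfx', '.p12' } |
        ForEach-Object {
            $file = $_
            $cert = $null
            try {
                # The constructor throws when the password is wrong or the file is not PKCS#12.
                $cert = New-Object -TypeName $x509Type -ArgumentList $file.FullName, $Password

                [pscustomobject]@{
                    File          = $file.FullName
                    Written       = $file.LastWriteTime
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
            catch {
                # Different password or unreadable file: not a match.
                Write-Verbose "No match: $($file.FullName): $($_.Exception.Message)"
            }
            finally {
                # Release the certificate handle opened for this check.
                if ($cert) { $cert.Reset() }
            }
        }
}

# Constructed example paths. Matches are listed newest first; each thumbprint identifies
# a certificate whose private key has left the store.
Find-DefaultPasswordPfx -Path 'C:\Users', 'C:\Temp' |
    Sort-Object Written -Descending |
    Format-Table -AutoSize
```

Any file this reports holds a private key readable by anyone who can read the file, so after the import succeeds, delete it or re-export it under a strong password; if the file's origin is unknown, treat the certificate as compromised and reissue it.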