This guide applies to SSL/TLS certificates as well as code signing certificates which were issued prior to the 1st of June 2023 and were originally imported into the Windows Certificate Store.
If your code signing certificate was issued on or after the 1st of June 2023 or was originally installed to a secure storage device, such as a USB token or Hardware Security Module (HSM), then it will not be possible to export the certificate as a PFX. For more information on private key storage requirements for code signing certificates, please refer to the following article: New private key storage requirement for Code Signing certificates
How do I export a .pfx file using MMC?
In some instances, you may want to move a certificate from one server to another. You may also want to back up the certificate that you have installed. The best way to do this is to create a .pfx file. A .pfx file (also called a .p12 file) contains both your public and private keys. There are two main methods to export this file from your currently installed SSL certificate. This guide explains one of these methods.
This guide has two parts. Part I assumes that you do not have the Certificates snap-in configured for MMC. If you already have the Certificates snap-in, then you can skip to Part II.
Part I
- From the Web server, click Start and then Run
- In the text box, type mmc and click OK
- From the MMC menu bar, select Console (in IIS 5.0) or File (in IIS 6.0) and Add/Remove Snap-in then click Add
- From the list of snap-ins, select Certificates and click Add
- Select Computer account and click Next.
Note: If the certificate that you want to export is an end user certificate, you must select My User Account instead of Computer account.
- If you selected the Computer account, then on the next screen, select Local computer (the computer this console is running on) and click Finish.
- In the snap-in list window, click Close.
- In the Add/Remove Snap-in window, click OK.
Part II
Once you have the MMC Certificates snap-in configured, you should be able to view all certificates that are installed on either the computer account (mainly the case for servers) or the user account (the case for the individual user logged in).
Note: In order to do this, you must have both the public and private key for the certificate that you want to export.
- In the left-hand pane, click on and expand the Personal folder. Underneath it, click on Certificates.
- Right-click the certificate you want to export to .pfx file.
- From the drop down, click on All Tasks and then Export.
- You will see the Certificate Export Wizard. Click on Next.
- At the next screen, choose "Yes, export the private key". Click on Next.
Note: If yes is greyed out, this could mean that your private key cannot be found or that the private key was marked as non-exportable when it was originally created. This will prevent you from generating a .pfx file.
- At the next step, Personal Information Exchange - PKCS #12 (.PFX) is selected by default.
- Click on "Include all certificates in the certification path if possible" if you would like to include the chaining certificates (suitable if you are reinstalling this certificate onto another Microsoft system)
- Click on "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" so that you can set a password for more security.
- You may want to click on "Delete the private key if the export is successful" if you do not want multiple copies of this certificate. Click on Next.
Note: Selecting this option will render the certificate unusable on this server. If the certificate is securing a production website, you may not want to do this.
- At the next screen, type in a password to protect the file. Retype the same password. After you have done that, click on Next.
- On the following screen, you should click on the browse button and select a location where you would like to save the .pfx file. Also provide it with a file name. Click on Next.
- You will reach the Summary screen. Click on Finish.
You have successfully created a .pfx file.
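The Note in Part II says that a greyed-out "Yes, export the private key" option means the private key cannot be found or was marked as non-exportable. The PowerShell below is an added example, not part of the original guide, that reports which case applies to each RSA certificate in a store before you start the wizard. The function name Get-CertExportability and the default store path are assumptions.

```powershell
# Added example (not from the original guide). Get-CertExportability is a
# hypothetical helper name; the default store path is an assumption.
# Use 'Cert:\CurrentUser\My' for end user certificates.
function Get-CertExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) {
            # Only the public certificate is installed: no .pfx is possible.
            $status = 'No private key associated with this certificate'
        }
        else {
            try {
                $rsa = $ext::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $status = 'Not an RSA key; not checked by this example'
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the export policy is a flags value on the key handle.
                    $status = if ($rsa.Key.ExportPolicy.HasFlag($allowExport)) {
                        'Exportable' } else { 'Marked non-exportable' }
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: exportability is recorded on the key container.
                    $status = if ($rsa.CspKeyContainerInfo.Exportable) {
                        'Exportable' } else { 'Marked non-exportable' }
                }
                else {
                    $status = "Unrecognised key type: $($rsa.GetType().Name)"
                }
            }
            catch {
                # Typical causes: key container missing, or no permission to read it.
                $status = "Private key not accessible: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyStatus  = $status
        }
    }
}

Get-CertExportability | Format-Table -AutoSize
```

Reading private keys in the computer account store generally requires an elevated PowerShell session; without it, certificates will show as "Private key not accessible".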