How to create a Private-Key exportable self-signed certificate?

Question

I've tried the below template which creates the certificate and installs it in the localmachine Personal certificate store:

makecert -sk <<UniqueKeyName>> -iv RootCATest.pvk -n "CN=<<MachineName>>" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe 

RootCATest.pvk is the private key of the root CA certificate. RootCATest.cer is the public key of the root CA certificate (used for issuing certificates).

When I view it from the MMC and right click on it, properties -> export, then its private key export option is grayed out.

How to create a Private-Key exportable self-signed certificate?

Answer 1

Option 1

Just googled this and the most direct way is to use the "-pe" option for makecert.exe. Here is the documentation:

Certificate Creation Tool

(A distant) Option 2

If you wanted to spend a whole bunch of time on it and don't mind it being self-certified, I'd recommend using OpenSSL. There are only a few steps:

1. Download the source and build openssl.exe or get a pre-compiled copy (link).

2. Create a self-signed cert in PEM format. Open a DOS prompt in the folder containing openssl.exe and openssl.cnf. The command below creates one that's good for roughly 10 years:

   openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem -config ./openssl.cnf

3. Convert the PEM to a PFX:

   openssl.exe pkcs12 -export -in mycert.pem -out mycert.pfx

4. Double-click the PFX to import it and be sure to check the "Mark this key as exportable" box on the same dialog where you enter the password for the PFX.