
Export Certificate with private key

Hi Experts,

Windows Server 2008 R2 Certificate Authority
device: LANTIME M200

I need to install certificate on LANTIME(NTP) device. Device requires a certificate containing private key. This certificate must be in PEM file format.

I have created a duplicate template from the existing web server template with the "Allow private key to be exported" option in the CA. The issue is requesting a certificate with a private key. I tried requesting using http://aba/certsrv, and it issues me only in two formats, .DER or Base 64 encoded. When I try to export from within the CA, I don't get the option "Yes, export the private key", and on the export file format page "Personal Information Exchange - PKCS#12 (.PFX)" is greyed out.

Please let me know what I am doing wrong. I would appreciate it if you could provide me the instructions to properly request or export a certificate with a private key.


Try this:

Create an INF file based on the information below:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=FQDN of server, OU=IT dep, O=Firstpoint-LAB, L=Bergen, S=Hordaland, C=NO" ; replace with your info
KeyLength = 2048
Exportable = TRUE                ; the private key is only exportable if this is set when the key is created
FriendlyName = LANTIME-CERT
MachineKeySet = TRUE             ; key pair lands in the Local Computer store, not the user store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0                  ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; this is for Server Authentication

[RequestAttributes]
; SAN = "dns=FQDN_you_require&dns=other_FQDN_you_require"

Save .inf file as c:\request.inf
Open CMD as administrator and run following command

certreq -new c:\request.inf c:\request.req

certreq -submit -attrib "CertificateTemplate:YOURTEMPLATENAME" c:\request.req c:\certificate.cer

Then you'll be able to save a .cer file
certreq -accept c:\certificate.cer

then go to MMC and export the certificate.

Then you probably need to download OpenSSL and convert the PFX to PEM.
MASEE (Solution Guide - Technical Dept Head)
Most Valuable Expert 2017

Use any 3rd party free software to convert .cer, .pfx or .crt to PEM.

I used the DigiCert tool, but it was a certificate from DigiCert. Not sure it will work in your case.
But you can try other software to do the same.


Thanks Jacob and Mas. Will try today and post the result.
btan (Exec Consultant)
Distinguished Expert 2019
You may want to consider generating it onboard the device, though it is likely to be self-signed.

A private key is exportable only when that is specified in the certificate request or in the certificate template that was used to create the certificate.

Instead, I suggest you have OpenSSL installed, then:
- create the certificate request and private key
- send the certreq to your CA
- convert the issued certificate to PEM format using OpenSSL
- merge the issued certificate and private key into PKCS#12 format
- convert the PKCS#12 key pair into a PEM key pair for importing into your NTP web server

Check out the sample steps in http://support.citrix.com/article/CTX128656. Although it refers to another product, the steps are the same; just change the subject in the certreq according to your web server hostname and domain (e.g. CN=<MYSERVER-HOSTNAME>.<MYDOMAIN>).
btan (Exec Consultant)
Distinguished Expert 2019
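The OpenSSL workflow listed above, run end to end on one machine, as an added example (not code from the thread or from any of its participants). A throwaway self-signed CA stands in for the Windows CA, the hostname lantime.example.internal and the PFX password "changeit" are made-up values, and the WORK directory is a temporary folder. The last two functions are the checks worth doing before uploading anything: a bare .cer/.crt from the CA contains no private key, and the certificate you end up with must belong to the key you actually hold.

```shell
#!/bin/sh
# Added example: reproduces the CSR -> issued DER -> PEM -> PKCS#12 -> PEM
# chain with OpenSSL. The "CA" here is a stub created locally; in practice
# step 2 is the Windows CA signing the request you submit.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="lantime.example.internal"     # constructed hostname

# 1. Create the key pair and PKCS#10 request where the key is meant to live.
#    The CSR carries only the public key; the private key stays in lantime.key.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/lantime.key" -out "$WORK/lantime.csr" \
        -subj "/CN=$HOST/O=Example Lab/C=NO" >/dev/null 2>&1
}

# 2. Stand-in for the CA: sign the request and hand back a DER .cer file,
#    which is what the web enrollment page gives you. No private key inside.
issue_with_stub_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Stub Issuing CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/lantime.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -outform DER -out "$WORK/lantime.cer" >/dev/null 2>&1
}

# 3. Convert the issued DER certificate to PEM.
cer_to_pem() {
    openssl x509 -inform DER -in "$WORK/lantime.cer" -out "$WORK/lantime.crt"
}

# 4. Merge certificate, private key and issuer into PKCS#12 (the same thing
#    an MMC "export with private key" produces when the key is in the store).
bundle_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/lantime.key" -in "$WORK/lantime.crt" \
        -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/lantime.pfx"
}

# 5. PKCS#12 -> one PEM file holding the certificate chain and the unencrypted
#    key, which is the form an appliance such as the NTP box usually wants.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/lantime.pfx" -passin pass:changeit -nodes \
        -out "$WORK/lantime.pem"
}

# Count "-----BEGIN ... <kind>-----" blocks in a PEM file, e.g. kind="PRIVATE KEY"
# or kind="CERTIFICATE". Prints 0 (not an error) when there are none.
count_blocks() {
    grep -c "BEGIN .*$2" "$1" || true
}

# Does this certificate belong to this private key? Compare the public keys
# derived from each instead of trusting file names or friendly names.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

run_all() {
    make_request
    issue_with_stub_ca
    cer_to_pem
    bundle_pkcs12
    pfx_to_pem
    echo "files in $WORK"
}
```

Run it with `run_all` and then `key_matches_cert "$WORK/lantime.key" "$WORK/lantime.crt"`; a non-zero exit means the certificate was issued for a different key pair, which is exactly the situation you get when the request was generated somewhere other than where you are trying to export. If the appliance rejects the combined file, the key and certificate can be split out of the PFX separately with `-nocerts` and `-nokeys`.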

Check out the template FAQ if that is of interest:
The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template.
Cause: Smart cards do not allow private keys to be exported once they are written to the smart card.

Solution: None

The certificate template is modified, but some certification authorities (CAs) still have the unmodified version.
Cause: Certificate templates are replicated between CAs with the Active Directory replication process. Because this replication is not instantaneous, there may be a short delay before the new version of the template is available on all CAs.

Solution: Wait until the modified template is replicated to all CAs. To display the certificate templates that are available on the CA, use the Certutil.exe command-line tool.


btan, this is not a smart card certificate.
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter)
Good morning Deorali,
  With what you are describing, it sounds like the private key isn't available where you are attempting to export the certificate. Please bear with me, because if I'm interpreting your situation correctly, I've gone through a similar situation in the past.
  When you use the web enrollment tool, are you pasting in a certificate request block? (Usually something that is often written to a CSR file.) That is just the public key for the certificate, which you are providing to the CA so that it can sign it. What you are getting back as a DER or Base64 file is the same public key... now signed by the CA.
  When you tell the CA you want the certificate's private key to be exportable, the CA doesn't usually have that private key (this is what confused me for a long time), but the certificate will be marked such that the private key will be exportable when it is married back with its private key. (It's possible to get the CA to store the private keys for specific templates... but in most cases, that's the exception rather than the rule.)
  Now... I think you need to find that private key. If you did generate the CSR, you should be able to import the DER or Base64 file into that program... and THEN export the certificate with the private key included.

  I have instructions I wrote up for myself a couple of months ago, and posted as an article on generating certificates from a Windows CA... but I didn't use the web enrollment tool. (There isn't anything wrong with the web enrollment tool, but it can be a little cumbersome.) If you use the article, it would require using the command line instead, but it's geared towards using your own template... Once you have the certificate made, if it were relatively few certificates, I'd be tempted to open up the MMC, add the snap-in for certificates, point to either the user context or local machine context depending on whether you specified a machine certificate, drill down to the Personal certificates and export from there. But that's because it's the tool with which I'm most familiar.
btan (Exec Consultant)
Distinguished Expert 2019

I understand, but as in the FAQ and also in the administering-templates link, the template requires the Archive setting (under the "Request Handling" tab) to be enabled for the export of the private key to be enabled, see:
The certificate purpose setting will determine whether key archival can be enabled for a certificate template. Key archival is only possible if the certificate purpose is set to Encryption or Signature and encryption. The recovery of a private key for digitally signing information may result in identity theft and is not supported. Key archival is not supported by most smart card CSPs.
That is from the Win2K8 section; also note this:

Re-enroll Certificate Holders

If you make modifications to a certificate template that you want implemented immediately for all existing certificate holders, you can force re-enrollment.
To force re-enrollment

Open the Certificate Templates snap-in.
In the details pane, right-click the certificate template that you want to re-enroll for all certificate holders, and then click Reenroll all Certificate Holders.

Interesting: I saw this "trick", but it is stated for Win2K3... for interest.

Did you try to create a new request and enroll for a certificate?

@Rich Weissler is correct.
The private key is never stored on the CA, and the private key should NEVER leave the object that owns the certificate (the NAS box in your case). (There are always exceptions to those rules, but in most cases.) Remember that the private key is the one used to decrypt secured packages.
If you create the request on the CA server, and import the cert there, that is where the private key is located.
If you create the request on the LANTIME, that is where the private key is located.
btan (Exec Consultant)
Distinguished Expert 2019

Either you go for:
- self-signed (in the device), OR
- create a certreq and have the CA issue the key/cert (as shared), OR
- generate a new cert using an existing template in the CA (as shared)

If you are using the template, that is the restriction stated in the links. Private keys go with the location where they are first created and are thereafter exportable (self-signed can have it exported, but that is not the use case here). Do also ensure the NTP device allows import of the PEM (private key) too.


Thank you all for your inputs.

The following post helped to resolve the issue.