In my previous question I showed the script to create certificates, and after fixing the file with the server names, it works fine.
Now I also want to automatically export the certificates.
But I am running into the error: Export-PfxCertificate : Cannot export non-exportable private key
Does anyone have an idea WHY I get this error (it is exportable) and how to fix it?
ODD: I can manually export the certificate (the one that fails with the above error) fine (in MMC Certificates).
I am running PowerShell with my admin account (UAC disabled); it finds the certificates, but the export fails, and I run MMC with that same account too.
ODD too: when I create the certificates manually via the website and then use my script running with my admin account, it successfully exports the certificate!
So I think it has something to do with how I create my certificate. I compared one that I created manually against a certificate created by the script, and I did not find any differences that might explain it. The only difference is that when I create certificates via the website, the certificates are imported into Current User\Personal.
Using the script, they are added to Local Computer\Personal, but manual export works, so I don't think that is the cause.

This is how they show under Local Computer - Personal:
When I create the certificates, I am using these lines:
[NewRequest]
Subject = "E=$E,CN=$CN,C=$c, S=$s, L=$l, O=$o, OU=$OU"
MachineKeySet = TRUE
UseExistingKeySet = False
KeyLength = 2048
KeySpec=1
Exportable = TRUE
RequestType = PKCS10
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
FriendlyName = "$FriendlyName"
[RequestAttributes]
CertificateTemplate = "$TemplateName"
I have seen some articles about this, but I have not been able to figure out the solution...
Here is the export script. I have tried two ways to export the certificate,
like this: Export-PfxCertificate -Cert $cert -FilePath $outname -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties -Verbose
and then commented it out and added the other method below, but both give the same result.
$outpath = "C:\Certificates"
$servers = Get-Content "C:\Certificates\servers.txt"
$server1 = @()
# Create an array with the short names of the servers whose certificates I want to export
# (everything from the first "." onward is stripped, so "host.domain.com" becomes "host")
foreach ($S in $servers)
{
    if ($S.IndexOf(".") -gt 1)
    {
        $server1 += $S.Substring(0, $S.IndexOf("."))
    }
    else
    {
        $server1 += $S
    }
}
# PFX password (kept in plain text inside this script)
$mypwd = ConvertTo-SecureString -String "P@ssw0rd" -Force -AsPlainText
$certs = Get-ChildItem -Path Cert:\LocalMachine\My   # CurrentUser or LocalMachine
foreach ($cert in $certs)
{
    # Only certificates issued by our CA whose friendly name is one of the server short names
    if ($cert.Issuer -eq "CN=Managed CA, DC=Domain, DC=com" -and $cert.FriendlyName -in $server1)
    {
        $name = $cert.DnsNameList.Unicode   # not used further below
        $CertFileName = $cert.FriendlyName
        $outname = $outpath + "\" + $CertFileName + ".pfx"
        # Method 1: pass the certificate object directly
        #Export-PfxCertificate -Cert $cert -FilePath $outname -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties -Verbose
        # Method 2: look the certificate up again by thumbprint and pipe it in
        Get-ChildItem -Path ("Cert:\LocalMachine\My\" + $cert.Thumbprint) | Export-PfxCertificate -FilePath $outname -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties
        # Optionally remove the certificate from the store after exporting it
        $contd = Read-Host ("Do you want to delete: " + $cert.FriendlyName + " - " + $cert.Subject)
        if ($contd -match 'y')
        {
            $path = "Cert:\LocalMachine\My\" + $cert.Thumbprint
            Get-ChildItem $path | Remove-Item -Force
        }
    }
}
Here is the same certificate, but now exporting it manually:
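As an added diagnostic example that is not part of the original post or its scripts: the script below reads the exportable flag as it is actually recorded on each private key (the CSP key container info for a legacy provider such as the one named in the INF above, or the CNG export policy for a Key Storage Provider key) and then attempts the export, capturing the cmdlet's error per certificate instead of stopping. The issuer DN, output folder and store are assumptions copied from the post, and it targets Windows PowerShell 5.1 on .NET Framework.

```powershell
# Added example, not code from the original post. Compares what the key store
# reports about each private key (provider, machine/user key set, exportable)
# with what the INF asked for (MachineKeySet = TRUE, Exportable = TRUE), then
# tries Export-PfxCertificate and reports its message per certificate.
# Assumptions (placeholders): issuer DN, output folder, store path.

$issuer  = 'CN=Managed CA, DC=Domain, DC=com'   # assumption: same issuer filter as the post
$outpath = 'C:\Certificates'                    # assumption
$mypwd   = Read-Host -AsSecureString -Prompt 'PFX password'

function Get-PrivateKeyInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $info = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        FriendlyName  = $Cert.FriendlyName
        HasPrivateKey = $Cert.HasPrivateKey
        KeyType       = $null    # 'CSP' (legacy provider, as in the INF) or 'CNG'
        Provider      = $null
        MachineKey    = $null    # $true when the key lives in the machine key set
        KeySpec       = $null    # CSP only: Exchange (KeySpec=1) or Signature (KeySpec=2)
        Exportable    = $null    # what the key store says, not what the INF requested
        Error         = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }

    try {
        # Legacy CSP keys come back as RSACryptoServiceProvider with CspKeyContainerInfo.
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $ci = $key.CspKeyContainerInfo
            $info.KeyType    = 'CSP'
            $info.Provider   = $ci.ProviderName
            $info.MachineKey = $ci.MachineKeyStore
            $info.KeySpec    = $ci.KeyNumber
            $info.Exportable = $ci.Exportable
            return [pscustomobject]$info
        }
    } catch {
        # .NET Framework throws "Invalid provider type specified" here for CNG keys;
        # remember the message and fall through to the CNG path.
        $info.Error = $_.Exception.Message
    }

    # CNG (Key Storage Provider) keys: read the export policy from the CngKey.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $info.KeyType    = 'CNG'
        $info.Provider   = $rsa.Key.Provider.Provider
        $info.MachineKey = $rsa.Key.IsMachineKey
        $info.Exportable = [bool]($rsa.Key.ExportPolicy -band
                                  [System.Security.Cryptography.CngExportPolicies]::AllowExport)
        $info.Error      = $null
    }
    return [pscustomobject]$info
}

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq $issuer }) {
    $ki = Get-PrivateKeyInfo -Cert $cert
    $ki | Format-List | Out-Host

    if ($ki.Exportable -ne $true) {
        Write-Warning ("{0}: the key store does not report this key as exportable; skipping" -f $cert.Thumbprint)
        continue
    }
    $file = Join-Path $outpath ($cert.Thumbprint + '.pfx')
    try {
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $mypwd `
            -ChainOption EndEntityCertOnly -ErrorAction Stop | Out-Null
        Write-Host ("{0}: exported to {1}" -f $cert.Thumbprint, $file)
    } catch {
        # Keep going and show the cmdlet's exact message for this certificate
        Write-Warning ("{0}: {1}" -f $cert.Thumbprint, $_.Exception.Message)
    }
}
```

Run it from the same elevated session that fails in the post; the Exportable value printed per certificate is read from the key container itself, so a certificate whose INF said Exportable = TRUE but whose key reports $false shows where the request and the stored key disagree, and a certificate that reports $true yet still fails points at the export step rather than the key.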

