Exporting Certificates and Private Keys

When you right-click a certificate and then click All Tasks and Import , or when you click Copy to File in the Certificate Details dialog box, the Certificate Export wizard appears. You can use the Certificate Export wizard to export the selected certificate to a file and to optionally export the private key if enabled to do so. If the private key is exported, the key is stored in a password protected encrypted file format. You must specify a password that is then used to lock and unlock the exported key. You cannot access the exported private key again without the password.

Of course, because password protection provides relatively weak protection, someone who has access to an exported private key can launch a brute force or dictionary attack and decode the encryption scheme in a relatively short period of time. Therefore, to avoid the compromise of private keys, you must carefully control the export of private keys and provide adequate security for any medium that contains exported private keys.


Private keys that are used for digital signing must never be exported or stored in a file or an archive. Someone other than the legitimate key owner might be able to gain access to the duplicate and impersonate the owner. If a copy of a signing key exists, the authentication integrity, or nonrepudiation provided by the key is compromised. Therefore, Windows 2000 does not permit the export of private keys that are used for signing.

For standard Windows 2000 Certificate Services certificates, private key export is enabled only for EFS user certificates and recovery agent certificates. Key export is enabled for EFS certificates, so that you can maintain a key recovery archive. The export of private keys is enabled by an attribute that is included in the certificate when it is created. When you use the Advanced Certificate Request Web pages, you have the option of enabling private key export for custom certificates that you issue for key exchange purposes only. You cannot use the Advanced Certificate Request Web pages to enable private key export for custom certificates that are used for the purpose of both key exchange and signatures.

You must enable the export of private keys only for keys that are used to store long-term (persistent) data, such as encrypted files on your hard disk. For example, if you issue secure mail certificates that have the purpose of confidential mail only (not signing mail), you might want to enable key export so that you can archive the keys securely for recovery purposes. If so, you also need to issue secure mail certificates that are used for signing mail only and that have private key export disabled.