PFXExportCertStoreEx function

The PFXExportCertStoreEx function exports the certificates and, if available, their associated private keys from the referenced certificate store. This function replaces the older PfxExportCertStore function. It should be used for its enhanced private key security. The PFX BLOB created by this function is protected by a password.


BOOL PFXExportCertStoreEx(
  HCERTSTORE      hStore,
  LPCWSTR         szPassword,
  void            *pvPara,
  DWORD           dwFlags



Handle of the certificate store containing the certificates to be exported.


A pointer to a CRYPT_DATA_BLOB structure to contain the PFX packet with the exported certificates and keys. If pPFX->pbData is NULL, the function calculates the number of bytes needed for the encoded BLOB and returns this in pPFX->cbData. When the function is called with pPFX->pbData pointing to an allocated buffer of the needed size, the function copies the encoded bytes into the buffer and updates pPFX->cbData with the encode byte length.


String password used to encrypt and verify the PFX packet. When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see Handling Passwords.


This parameter must be NULL if the dwFlags parameter does not contain PKCS12_PROTECT_TO_DOMAIN_SIDS. Prior to Windows 8 and Windows Server 2012, therefore, this parameter must be NULL.

Beginning with Windows 8 and Windows Server 2012, if the dwFlags parameter contains PKCS12_PROTECT_TO_DOMAIN_SIDS, you can set the pvPara parameter to point to an NCRYPT_DESCRIPTOR_HANDLE value to identify which Active Directory principal the PFX password will be protected to inside of the PFX BLOB. Currently, the password can be protected to an Active Directory user, computer, or group. For more information about protection descriptors, see NCryptCreateProtectionDescriptor.


Flag values can be set to any combination of the following.

Value Meaning
Private keys are exported as well as the certificates.
If a certificate is encountered that has no associated private key, the function returns FALSE with the last error set to either CRYPT_E_NOT_FOUND or NTE_NO_KEY.
If a certificate is encountered that has a non-exportable private key, the function returns FALSE and the last error set to NTE_BAD_KEY, NTE_BAD_KEY_STATE, or NTE_PERM.
Export all extended properties on the certificate.

Windows Server 2003 and Windows XP:  This value is not supported.

The PFX BLOB contains an embedded password that will be protected to the Active Directory (AD) protection descriptor pointed to by the pvPara parameter. If the szPassword parameter is not NULL or empty, the specified password is protected. If, however, the szPassword parameter is NULL or an empty string, a random forty (40) character password is created and protected.

PFXImportCertStore uses the specified protection descriptor to decrypt the embedded password, whether specified by the user or randomly generated, and then uses the password to decrypt the PFX BLOB.

Windows 8 and Windows Server 2012:  Support for this flag begins.

Return value

Returns TRUE (nonzero) if the function succeeds, and FALSE (zero) if the function fails. For extended error information, call GetLastError.


Beginning with Windows 8 and Windows Server 2012, you can protect the PFX password to an Active Directory user, computer, or group. If you choose to do so but do not create a password, a temporary password will be randomly selected. The password is encrypted by using the Active Directory principal and then embedded in the PFX BLOB. For more information, see the pvPara parameter and the PKCS12_PROTECT_TO_DOMAIN_SIDS flag.


Minimum supported client Windows XP [desktop apps | UWP apps]
Minimum supported server Windows Server 2003 [desktop apps | UWP apps]
Target Platform Windows
Header wincrypt.h
Library Crypt32.lib
DLL Crypt32.dll

See also