Microsoft CA PKI

How to export “non-exportable” certificates from the Microsoft Certificate Store

Recently I found a tool that allows you to search and export certificates from the Microsoft certificate store that are marked as non-exportable. Although this program can be considered a hack-tool and might not work after Microsoft has released a patch for it, it is still a very powerful tool.

The program that allows you to do this is called mimikatz and is available for download using the link below:

Apart from exporting certificates, this tool can do a lot more interesting stuff such as dumping windows logon passwords in clear texts, inject programs or services and edit GPO settings. Some of these functions will be discussed in other articles but for now, let export some certificates. To do so follow the steps below:

  • Check you have a certificate in your personal user or computer store that is marked as not exportable:

check nonexportable

  • Download and unpack the mimikatz tool using the link mentioned earlier
  • Open a command prompt and browse to the directory where you have unpacked mimikatz and start the 32bit or 64 bit version
  • Run the following command to list the certificates in your certificate stores:



  • Check that the certificate you have identified in step 1 is listed and that the .pfx output shows KO. This is to verify that the certificate is indeed not exportable (yet).
  • To change the .pfx status you must apply the priviledge::debug command and run the CAPI & CNG patches . You do this by executing the following commands:




Raise prviledges patch capi


  • Now run the Crypto::exportCertificates command again and check that the .pfx status shown earlier has changed to OK


  • Finally you only need to browse to the directory where you are running the mimikatz tool from and check it has exported a .pfx file with the name of the certificate you have identified during step 1.


  • Now you are able to copy the .pfx file to another machine and install it. Make note that the .pfx files are protected with mimikatz as password

Import pfx