I'm in the process of trying to change the KeySpec property of a code signing certificate from Comodo by following this guide. The guide mentions importing your certificate file into MMC and then exporting it again later. However, I don't seem to have the option to export as a PFX file. I already have a PFX file; I can import it successfully, but when I go to export the option is greyed out / disabled.
What do I need to do to enable this export option?
The Certificates snap-in really doesn't like to export PFX certificates, but PowerShell is happy to. You can use the Export-PfxCertificate cmdlet.
cd cert:\ at the PowerShell prompt.cd CurrentUser or cd LocalMachine as appropriate for where the certificate is. You may need to launch PowerShell as admin to export a machine certificate.cd into the appropriate store (a dir may help). The Personal store in MMC is called My here.dir to identify which ID corresponds to the certificate you want.Type this command to export it as a PFX with a password:
Export-PfxCertificate -Cert .\LONGSTRINGOFHEX -FilePath 'C:\path\to\outfile.pfx' -Password (ConvertTo-SecureString -String 'password' -AsPlainText -Force)
LONGSTRINGOFHEX should be replaced with your certificate's ID. Fortunately, you can use tab completion on that.
Once that command executes, you have a PFX certificate protected with the password you supplied. PowerShell refuses to export the certificate's private key without a password, and the password can't be blank. Nevertheless, your PFX is out.
My problem was that I had created the CSR file on one machine and then tried to create the pfx file on another (Windows 10 had done an update overnight and locked me out of the first machine). Both the CSR and the pfx file need to be created on the same machine.
If you import a cert into the WebHosting store, you can't export the private key. Move it to Personal store, and you will be able to export as PFX. I was able to do this in Windows 2012R2 without having to go to the command line and use Export-PfxCertificate (which is a pain as I couldn't figure out the certificate's ID to save my life).
Export the .P7B file once. And then go back and try exporting the certificate again. The .PFX export get enabled the next time.
