Exporting Windows Certificate

If you use Windows to manage your certificates, you can extract a certificate as a public and private key pair for use with other services such as deviceWISE. This section explains how to extract the Windows certificate using the Windows Certificate Manager (certmgr.msc). To view and export the certificate, do the following:

  1. Open the Windows Certificate Manager.
    1. In the Start menu, type certmgr.msc.

      The certmgr.msc appears.
    2. Click certmgr.msc.
  2. Find the certificate you want to export (for example, example.com).
  3. To export the public key, do the following:
    1. Right-click on example.com and click All Tasks >> Export

      Certificate Export Wizard appears.
    2. Click Next.
    3. Select Base-64 encoded X.509 (.CER).
    4. Click Next.
    5. Enter a File name for your certificate.
    6. Browse to select a location for your certificate.
    7. Click Next.
      Completing the Certificate Export Wizard screen appears.
    8. Click Finish.

      A confirmation screen appears, acknowledging the export.
  4. To export the private key, do the following:
    1. Right-click on example.com and click All Tasks >> Export

      Certificate Export Wizard appears.
    2. Click Next.
    3. Select Personal Information Exchange - PKCS #12 (.PFX) and do not change the default selections.
    4. Click Next.
    5. Enter a File name for your certificate. For example: server.pfx
    6. Browse to select a location for your certificate.
    7. Click Next.
      Completing the Certificate Export Wizard screen appears.
    8. Click Finish.
      A confirmation screen appears, acknowledging the export.
  5. To convert the PFX file to a private key, do one of the following:
    1. Using Command Prompt
      1. Open the command prompt (ensure openssl is in your PATH).
      2. Extract the private key from the encoded PFX file server.pfx.
        openssl pkcs12 -in server.pfx -nocerts -nodes -out key.pem
      3. Remove the password from the private key key.pem.
        openssl rsa -in key.pem -out server.key

        The resulting file is your private key.

    2. Using PowerShell
      1. Use the following script:
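        # Prompt for text that identifies the certificate subject (-match treats it as a regular expression)
        $certSubject = Read-Host -Prompt 'Cert Subject'
        $certificate = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object {$_.Subject -match $certSubject}
        # Password that protects the temporary PFX file (example value)
        $password = "@OurPassword1" | ConvertTo-SecureString -AsPlainText -Force
        Export-PfxCertificate -Cert $certificate -FilePath tempcert.pfx -Password $password
        # Extract the private key from the PFX and write it to server.key
        openssl pkcs12 -in tempcert.pfx -nocerts -nodes -out key.pem -password pass:@OurPassword1
        openssl rsa -in key.pem -out server.key
        # Export the certificate as PKCS #7 and convert it to PEM
        Export-Certificate -Cert $certificate -FilePath tempcert.p7b -Type p7b
        # Use -out instead of ">" so that Windows PowerShell does not write the PEM file as UTF-16
        openssl pkcs7 -inform DER -outform PEM -in tempcert.p7b -print_certs -out server.cer
        # Delete the temporary PFX and P7B files
        Remove-Item tempcert.*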
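
The following check is an added example, not part of the original procedure or the product's own tooling. It confirms that server.key and server.cer from the steps above belong to the same key pair, restricts access to the unencrypted key, and deletes the intermediate key.pem. It assumes openssl is in your PATH and the files are in the current directory; the function name Get-PublicKeyPem is hypothetical.

```powershell
# Added example: post-export checks for the files produced by the steps above.
# Assumptions: openssl is in PATH; server.key and server.cer are in the current directory.
$keyFile  = 'server.key'   # unencrypted private key written by "openssl rsa"
$certFile = 'server.cer'   # Base-64 (PEM) certificate exported earlier

# Hypothetical helper: run openssl and return its output as one trimmed string.
function Get-PublicKeyPem {
    param([string[]]$OpenSslArgs)
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($OpenSslArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
    # Native output arrives as an array of lines; join it for comparison.
    ($out -join "`n").Trim()
}

# Public key embedded in the certificate.
$fromCert = Get-PublicKeyPem -OpenSslArgs 'x509', '-in', $certFile, '-noout', '-pubkey'
# Public key derived from the private key.
$fromKey  = Get-PublicKeyPem -OpenSslArgs 'pkey', '-in', $keyFile, '-pubout'

# Base-64 is case-sensitive, so use -cne rather than -ne.
if ($fromCert -cne $fromKey) {
    throw "$keyFile does not match $certFile; the wrong certificate may have been exported."
}
Write-Host "$keyFile matches $certFile."

# The key is stored without a password, so limit it to the current user (read-only)
# and drop permissions inherited from the parent folder.
& icacls $keyFile /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls could not restrict $keyFile" }

# key.pem is an unencrypted intermediate copy of the same key; remove it once server.key exists.
if (Test-Path -Path 'key.pem') {
    Remove-Item -Path 'key.pem'
    Write-Host 'Removed intermediate key.pem.'
}
```

If the service that consumes server.key runs under a different account, grant read access to that account instead of the current user.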