Exporting unexportable certificates

You sometimes run into cases where a certificate was imported by another sysadmin who forgot to check the option that marks the private key as exportable. If you then try to export the certificate together with its private key, that option is greyed out.


Unless you have access to the original certificate, there is no built-in Windows method to retrieve the certificate. Mimikatz is a nice program that hooks into the Windows NT APIs and allows you to export unexportable certificates.

To do so, run the following commands:

crypto::certificates /export



You will see that mimikatz has exported all certificates, and those that have a private key have also been exported with a pfx extension. The pfx certificates are protected with the password “mimikatz”.



You will now be able to import the pfx certificate and check the option to allow the export of the private key.
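
The fixed export password described above is also something defenders can hunt for. The following PowerShell function is an added example, not part of the original post or of mimikatz: it sweeps a directory for pfx files that open with that password. The function name and the search path are assumptions.

```powershell
# Added example: find PFX files that open with the password the page says
# mimikatz sets on its exports. Find-DefaultPasswordPfx is a hypothetical name.
function Find-DefaultPasswordPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path,                    # directory to sweep, chosen by the caller
        [string] $Password = 'mimikatz'    # export password stated on the page
    )

    # DefaultKeySet without PersistKeySet: the key is not left in the key store
    # once the certificate object is disposed (Dispose needs .NET Framework 4.6+).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

    Get-ChildItem -Path $Path -Recurse -File -Filter *.pfx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cert = $null
            try {
                # Throws CryptographicException if the password does not match.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    $_.FullName, $Password, $flags)
                [pscustomobject]@{
                    File          = $_.FullName
                    Written       = $_.LastWriteTime
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
            catch [System.Security.Cryptography.CryptographicException] {
                # Wrong password or not a valid PFX: not a match, skip it.
            }
            finally {
                if ($cert) { $cert.Dispose() }
            }
        }
}

# Constructed usage: the path is a placeholder for wherever you want to look.
Find-DefaultPasswordPfx -Path 'C:\Users' | Format-Table -AutoSize
```

A hit with HasPrivateKey set to True means a private key is sitting on disk behind a publicly known password; the Thumbprint column lets you match it against the certificates in your stores.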


  • Mimikatz on GitHub page
  • Mimikatz blog page
  • Metasploit page for Mimikatz