How to create a Private-Key exportable self-signed certificate?

The Light · Nov 22, 2012 · Viewed 16.3k times

I've tried the below template which creates the certificate and installs it in the localmachine Personal certificate store:

    makecert -sk <<UniqueKeyName>> -iv RootCATest.pvk -n "CN=<<MachineName>>" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe

RootCATest.pvk is the private key of the root CA certificate. RootCATest.cer is the public key of the root CA certificate (used for issuing certificates).

When I view it from the MMC and right click on it, properties -> export, then its private key export option is grayed out.

How to create a Private-Key exportable self-signed certificate?

Answer

Gregg Browinski · Nov 26, 2012

Option 1

Just googled this and the most direct way is to use the "-pe" option for makecert.exe. Here is the documentation:

Certificate Creation Tool

(A distant) Option 2

If you wanted to spend a whole bunch of time on it and don't mind it being self-certified, I'd recommend using OpenSSL. There are only a few steps:

  1. Download the source and build openssl.exe or get a pre-compiled copy (link).

  2. Create a self-signed cert in PEM format. Open a DOS prompt in the folder containing openssl.exe and openssl.cnf. The command below creates one that's good for roughly 10 years:

    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem -config ./openssl.cnf

  3. Convert the PEM to a PFX:

    openssl.exe pkcs12 -export -in mycert.pem -out mycert.pfx

  4. Double-click the PFX to import it and be sure to check the "Mark this key as exportable" box on the same dialog where you enter the password for the PFX.
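A scripted equivalent of step 4, added here as an example and not part of the answer above: it imports the PFX with the private key marked exportable, then confirms the result by attempting a re-export. It assumes the PKI module cmdlets (`Import-PfxCertificate`, `Export-PfxCertificate`) are available, an elevated prompt, and that `mycert.pfx` from step 3 is in the current folder; the check-file name is hypothetical.

```powershell
# Added example, not from the original answer.
# Assumptions: elevated PowerShell, PKI module present, mycert.pfx (step 3) in the current folder.
$pfxPath     = Join-Path $PWD 'mycert.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -Exportable is the scripted counterpart of ticking "Mark this key as exportable"
# in the import wizard. Without it the key lands in the store as non-exportable.
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword `
    -Exportable

# Verify: exporting with the private key only succeeds if the key is exportable.
# The temporary file (hypothetical name) holds the private key, so it is always removed.
$checkFile = Join-Path $env:TEMP 'export-check.pfx'
try {
    Export-PfxCertificate -Cert $cert -FilePath $checkFile `
        -Password $pfxPassword -ErrorAction Stop | Out-Null
    Write-Output "Private key for $($cert.Thumbprint) is exportable."
}
catch {
    Write-Output "Private key for $($cert.Thumbprint) is NOT exportable: $($_.Exception.Message)"
}
finally {
    Remove-Item $checkFile -ErrorAction SilentlyContinue
}
```

An exportable key can be copied off the machine by anyone with sufficient rights to the store, so mark it exportable only where the certificate actually needs to be moved or backed up.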