To Export the Unexportable Key

Every now and then, you have to export a certificate in Windows, and someone forgot to check that little box that lets you do it… What is an enterprising SysAdmin to do? Enter Mimikatz (source), a tool that lets you patch the Windows crypto API and do several cool (and frightening) things. The process is very simple.

To Export an Unexportable Private Key:

1. Create a temp directory
2. Download the latest version of Mimikatz
3. Extract the appropriate version (32 or 64 bit) to the temp directory
4. Open an admin command prompt
5. Change to the temp directory
6. Run mimikatz
7. Type crypto::capi
8. And finally type crypto::certificates /export

You'll see all of the certificates in the MY store exported into the temp directory in pfx format.
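For defenders, the bulk export described above leaves a recognisable trace: one process writing several .pfx files into the same directory within seconds. The following is an added example, not code from the original post, that flags that pattern in file-creation events; the JSON field names, hosts, paths and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import dirname  # Windows path rules, regardless of the OS running this

# Constructed sample events, one JSON object per line. The field names are
# hypothetical; map them to whatever your file-creation telemetry provides.
SAMPLE_EVENTS = r"""
{"time": "2024-05-01T10:00:01", "host": "WS01", "image": "C:\\temp\\x64\\tool.exe", "target": "C:\\temp\\x64\\cert_0.pfx"}
{"time": "2024-05-01T10:00:01", "host": "WS01", "image": "C:\\temp\\x64\\tool.exe", "target": "C:\\temp\\x64\\cert_1.pfx"}
{"time": "2024-05-01T10:00:02", "host": "WS01", "image": "C:\\temp\\x64\\tool.exe", "target": "C:\\temp\\x64\\cert_2.pfx"}
{"time": "2024-05-01T10:00:03", "host": "WS01", "image": "C:\\temp\\x64\\tool.exe", "target": "C:\\temp\\x64\\cert_3.pfx"}
{"time": "2024-05-01T10:00:04", "host": "WS01", "image": "C:\\temp\\x64\\tool.exe", "target": "C:\\temp\\x64\\notes.txt"}
{"time": "2024-05-01T01:00:00", "host": "WS02", "image": "D:\\apps\\backup.exe", "target": "D:\\backup\\a.pfx"}
{"time": "2024-05-01T02:00:00", "host": "WS02", "image": "D:\\apps\\backup.exe", "target": "D:\\backup\\b.pfx"}
{"time": "2024-05-01T03:00:00", "host": "WS02", "image": "D:\\apps\\backup.exe", "target": "D:\\backup\\c.pfx"}
"""

def parse_events(text):
    """Yield one dict per non-empty JSON line, with 'time' parsed to datetime."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            yield ev

def find_pfx_bursts(events, min_files=3, window=timedelta(seconds=60)):
    """Flag (host, process, folder) groups that wrote >= min_files .pfx files within window."""
    groups = defaultdict(list)
    for ev in events:
        if ev["target"].lower().endswith(".pfx"):
            key = (ev["host"], ev["image"].lower(), dirname(ev["target"]).lower())
            groups[key].append(ev["time"])
    alerts = []
    for (host, image, folder), times in sorted(groups.items()):
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)  # most files seen inside any one window
        if best >= min_files:
            alerts.append({"host": host, "image": image, "folder": folder, "count": best})
    return alerts

if __name__ == "__main__":
    for alert in find_pfx_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Grouping by process and folder rather than by file name keeps the check independent of whatever the exported files or the tool binary are called.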