Hi there. We have just built a Windows 2008R2 Enterprise PKI. The PKI is up and running fine, however when I am trying to sign a certificate with the Root CA with the "Export Private Key" option enabled, once the certificate has been issued, the keys are not exportable. Below is the certificate inf file that was used to create the request. Note that "Exportable=TRUE" [Version] Signature="$Windows NT$" [NewRequest] Subject="CN=STG414262.clientdev.intradev.stg.com.au" KeySpec=1 KeyLength=2048 Exportable=TRUE MachineKeySet=TRUE PrivateKeyArchive=FALSE UserProtected=FALSE UseExistingKeySet=FALSE ProviderType=1 RequestType=PKCS10 ProviderName="Microsoft Strong Cryptographic Provider" KeyUsage=0xF0 Silent=FALSE SMIME=TRUE [EnhancedKeyUsageExtension] OID="1.3.6.1.5.5.7.3.1" OID="1.3.6.1.5.5.7.3.2" [RequestAttributes] CertificateTemplate="Machine" SAN="dns=stg414262.clientdev.intradev.stg.com.au" Thanks. Gerald Sullivan.

this is because CA do not store private keys. This means that you need to export public certificate from CA server and install it on a client computer (where you generated the request) by using the following command: certutil -accept certfilename.cerMy weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.

this is because CA do not store private keys. This means that you need to export public certificate from CA server and install it on a client computer (where you generated the request) by using the following command: certutil -accept certfilename.cerMy weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.

Thanks Vadims :D