Unable to use Export-PFXCertificate one a certificate whose key IS marked exportable

[scott1138]

Installed WindowsCompatibility module and imported PKI module.

Created certificate as follows:
$cert = New-SelfSignedCertificate -Subject 'test' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My

When exporting (and yes $pw is a securestring) I get an error that the key is not exportable:
`Export-PfxCertificate -Cert $cert -Password $pw -FilePath c:\temp\test.pfx
Cannot export non-exportable private key.

• CategoryInfo : NotSpecified: (:) [Export-PfxCertificate], Win32Exception
• FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.CertificateServices.Commands.ExportPfxCertificate
• PSComputerName : localhost
  `

If I retrieve the cert by thumbprint in PS 5 and then export, it works fine:
`$cert = ls 'Cert:\CurrentUser\My\FD5D219C9245E09C4EFA72110E6C03997C3CDC76'
Export-PfxCertificate -Cert $cert -Password $pw -FilePath c:\temp\test.pfx

Directory: C:\temp

Mode LastWriteTime Length Name

---

-a---- 8/21/2019 11:53 AM 2630 test.pfx
`

Any help would be appreciated!

[wightsci]

Still seeing this with PowerShell 7...

[gc435]

I also see this with PowerShell Core 7.0.0.

[iSazonov]

Is the issue in Windows PowerShell?

This seems to be a problem with Powershell 7, I get the following results when
I run a script that that use Export-PfxCertificate

Powershell Version : 7.0.0
Export-PfxCertificate: Cannot export non-exportable private key.

Powershell Version: 5.1.18362.628
No error and everything is fine.

[huguesBouvier]

Same issue in powershell 7.0.0

[iSazonov]

/cc @anmenaga for information

[anmenaga]

May be related to PowerShell/PowerShell#12081

[anmenaga]

Original issues was opened in August of last year.
Since then we've added builtin WinCompat functionality.
It may be worth trying this in a fresh recent version PS Core without using WindowsCompatibility module:

PS C:\> $PSVersionTable.PSVersion

Major  Minor  Patch  PreReleaseLabel BuildLabel
-----  -----  -----  --------------- ----------
7      1      0      preview.1

PS C:\> $cert = New-SelfSignedCertificate -Subject 'mytest' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My
PS C:\> $cert


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
8ABA70B6FAB7EEB0D6ACED618B2DC77EFF32FF1E  CN=mytest            {Client Authentication, Server Authentication}

PS C:\> Get-Module PKI

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     1.0                   PKI                                 {Add-CertificateEnrollmentPolicyServer, Export-Certificate, Export-PfxCertificate, Get-Ce…

PS C:\>

[anmenaga]

I get the following results whenI run a script that that use Export-PfxCertificate

Does the script first retrieves the certificate object before exporting it like in PowerShell/PowerShell#12081 ? That would explain the error.