With Windows Server 2016 and Windows 10, a new "Enable Certificate Privacy" option has been implemented for exporting private key certificates via the Microsoft Management Console (MMC).
When exporting private key certificates, the certificate is exported to a PKCS#12 (.PFX) file.
Functionality
In previous Windows versions, the entire contents of the PKCS#12 file were encrypted. Without the password it was not possible to view the file, not even to read meta information.
If the option is deactivated, only the private key in the PKCS#12 file is encrypted, all other contents are thus readable without password.
On Windows Server 2016 and Windows 10 versions at that time, the option was by default deactivated.
On Windows Server 2019 and current Windows 10 versions, it is back by default activates and thus maps the identical behavior compared to previous Windows versions.
Function test
For comparison, two PKCS#12 files with the different settings as each are examined with the following command line command:
certutil -dump {file}
Option enabled
If the "Enable Certificate Privacy" option is enabled, a password is absolutely required to view the file
Option not activated
If the "Enable Certificate Privacy" option not is enabled, the public information can be viewed even without a password.
Due to this change in the application behavior, such a PKCS#12 file does not ask for a password for the private part and accordingly no test of the private key is performed.
If you want to check the function of the private key, you have to enter the password in the command line:
certutil -p {password} -dump {file}
English 
Deutsch
One thought on “Was bedeutet die Option „Enable Certificate Privacy“ beim Zertifikatexport?”
Comments are closed.