Changing a Certificate Key Type from Signature to Exchange

Switching a certificate from ‘Signature’ to ‘Exchange’, or the reverse, is fairly easy. Just use the certutil utility.

First, it is best to check the Key Type really is Signature.

Open an administrative command window on a computer where the certificate is installed (PowerShell also works).  Assuming the certificate is in the personal store, type the command:

 certutil -store -v My | findstr "CN= Provider KeySpec"

If it is in a PFX file:

 certutil -v -p "password" -dump mycert.pfx  | findstr "CN= Name= Provider KeySpec"
       DNS Name=*
     KeySpec = 1 -- AT_KEYEXCHANGE
   Provider = Microsoft RSA SChannel Cryptographic Provider
   ProviderType = c 

Find the certificate and the values ‘KeySpec’ and ‘Provider’.  “KeySpec = 1 — AT_KEYEXCHANGE” is  Key Type ‘Exchange’.  “KeySpec = 2 — SIGNATURE”  is Key Type ‘Signature’. The Provider value will tell you the Cryptographic Provider used.

To change the KeySpec value is easy.  Many values can be changed with certutil on import.  Here is the basic process:

  1. If you don’t already have a PFX, export the certificate to a PFX file including the private key.
  2. Ensure the certificate is NOT in the store you intend to import it into in step 3.
  3. Import the PFX using certutil.
  4. If you need to install the updated certificate elsewhere, re-export the certificate to a new PFX with the Key Type set to the new setting.

Step 3 is the key to the change.  Import the certificate using  ‘-importPFX’ with either the option ‘AT_KEYEXCHANGE’ or ‘AT_SIGNATURE’ depending what you want to set it to.   For Example:

certutil -importPFX {PFXfile} AT_KEYEXCHANGE


Leave a Comment