Per default, the web server template in Microsoft CA does not allow exportation of the private key once installed onto a system.
To enable this option you need to create a new WebServer template which allows just that.
As we can see from the default WebServer template, the export Private Key is unticked which is the reason for this.
The templates can be accessed from the Microsoft Certificate Authority console by right-click the folder “Template” and choose “Manage”.
Right-click the WebServer template and choose “Duplicate template”.
certsvc-duplicate
In the new template go to the tab “Request Handling” and tick off “Allow private key to be exported”.
You may also want to pop by the tab Cryptography and increase the minimum key size to something more appropriate than 1024 bits – such as 4096.
After you have copied/save the new template, it needs to be issued which is done from the Microsoft Certificate Authority console by right-click the folder “Template” and choose “New”>”Certificate Template to Issue”.