ACME is all about automation, and certificates are typically considered to be disposable and easily replaceable. There are scenarios, though, where you want to manually handle a certificate and its private key.
The best way to access the private keys is to configure your renewals to save the certificate in an easily transferable way, e.g. by using the PfxFile store plugin.
If you're using the default CertificateStore plugin, you can set PrivateKeyExportable to true in settings.json to enable these certificates to be exported. The PrivateKeyExportable setting only works for future certificates, so if you're in a hurry you can force the renewals using --renew --force or from the interactive menu to get new certificates with exportable keys.
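As an added example (not code from the win-acme project), the PowerShell script below enables PrivateKeyExportable in settings.json, keeps a backup of the file, and optionally forces the renewals afterwards, since the setting only affects certificates issued from then on. The install directory (C:\win-acme) and the Store.CertificateStore section path are assumptions; check them against your own settings.json.

```powershell
# Added example, not part of win-acme. Assumes wacs.exe and settings.json live in
# $WacsDir and that the setting sits under Store.CertificateStore (assumed path).
param(
    [string]$WacsDir = 'C:\win-acme',
    [switch]$ForceRenew
)

$settingsPath = Join-Path $WacsDir 'settings.json'
if (-not (Test-Path $settingsPath)) { throw "settings.json not found at $settingsPath" }

# Back up the configuration before changing it.
Copy-Item $settingsPath "$settingsPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$settings = Get-Content -Path $settingsPath -Raw | ConvertFrom-Json
$certStore = $settings.Store.CertificateStore
if ($null -eq $certStore) { throw "Store.CertificateStore section not found in $settingsPath" }

if ($certStore.PSObject.Properties['PrivateKeyExportable']) {
    if ($certStore.PrivateKeyExportable -eq $true) {
        Write-Host 'PrivateKeyExportable is already enabled; nothing to change.'
    } else {
        $certStore.PrivateKeyExportable = $true
        Write-Host 'Enabled PrivateKeyExportable in settings.json.'
    }
} else {
    # Key absent from this settings.json: add it rather than failing.
    $certStore | Add-Member -NotePropertyName 'PrivateKeyExportable' -NotePropertyValue $true
    Write-Host 'Added PrivateKeyExportable=true to settings.json.'
}

# -Depth is needed because the default depth of 2 would truncate nested sections.
$settings | ConvertTo-Json -Depth 10 | Set-Content -Path $settingsPath -Encoding UTF8

# Existing certificates keep their non-exportable keys; force a renewal when the
# exportable key is needed right away instead of at the next scheduled run.
if ($ForceRenew) {
    & (Join-Path $WacsDir 'wacs.exe') --renew --force
}
```

Run it as an administrator with -ForceRenew only when you actually need new certificates immediately; otherwise the next scheduled renewal will pick up the setting.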
When renewal is not an option and you need to get the current certificate, you can find a .pfx file in the CertificatePath (which defaults to %programdata%\win-acme\$baseuri$\certificates). You can access the passwords for these cache files from the main menu (Manage Renewals > Show details) or you can decrypt the configuration files (More options > Decrypt) and subsequently find the passwords in the corresponding .renewal.json files.
If you don't want your private key to change, you can use the option --reuse-privatekey when setting up the renewal.
By default win-acme retains a copy of the private key in its certificate cache. These files are both encrypted and protected by access control lists in the file system. If you disable this in settings.json by setting Cache.ReuseDays to 0.