Powershell self-signed certifcate private key not exportable

Using Powershell, I'm attempting to create a self-signed ssl certificate with a private key that can be exported. I've read and followed various tutorials, however the end result is always that no private is exported. I'm using Powershell because the server is running Windows Server 2016 Core edition. I've tried using the Certificate MMC console from a remote computer, however it appears not all functionality is available when doing that remotely. In any case, the various tutorials I've follow speak about the ability to export the private key, however I have yet to find a concrete example of the code which makes this work. Here is the code I have been trying:

$todaydt = Get-Date
$5years = $todaydt.AddYears(5)
$selfSignedRootCA = New-SelfSignedCertificate -DnsName SelfSignedRootCA -notafter $5years -CertStoreLocation Cert:\LocalMachine\My\ -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeySpec KeyExchange -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "myserver.test" -notafter $5years -Signer $selfSignedRootCA -KeyUsage KeyEncipherment,DigitalSignature
$CertPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\REDACTED-THUMBPRINT -FilePath C:\test.pfx -Password $CertPassword

My research suggests that the most common reason for this is that the certificate template used in creating the certificate does not allow the private key to be exported, so following these suggestions I've copied an existing Certificate Template and ensured that it is configured to allow exporting the key. But, then I don't know how/where to specify that newly-created template in any of the above commands. And my review of the documentation for these cmdlets does not show any parameter for doing so. Really stuck on this so any advice is much appreciated.


This works for me:

$selfSignedRootCA = New-SelfSignedCertificate -DnsName SelfSignedRootCA -notafter (Get-Date).AddMonths(6) -CertStoreLocation Cert:\LocalMachine\My\ -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeySpec KeyExchange -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$CertPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
$selfSignedRootCA | Export-PfxCertificate -FilePath C:\test.pfx -Password $CertPassword