
I've inherited an AD-enabled Microsoft Server 2016 system whose sole purpose is to create certificates. There appears to be a script (or perhaps template?) that takes "soon to be expiring" certs and re-generates a new certificate with a later expiration date - all certs (current and expired) are listed within the Certificate Authority MMC and appear to be requested by users that have either left, or their accounts have been disabled, so how they're continuing to run is ...???

However, I now have the requirement to take one of these certificates and import it into AWS' Certificate Manager, but in order to do so, I have to provide the private key to the associated generated certificate.

I've tried a number of PowerShell scripts that interrogate the Certificate Authority > Issued Certificates, pick my certificate and check to see if it has a private key included with it, all of which came up blank (which does make sense - the public and private keys should be separated).

I've also read that the private keys are stored on the local CA system in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys and whilst I see files there, it appears that they're named according to GUIDs. I've also seen that there are a number of files (in the same ...\RSA\MachineKeys folder) residing on the Domain Controller.

My assumptions thus far are:

  1. There must be a private key accessible by my CA because these certificates do get renewed
  2. I'm assuming that the files in the MachineKeys folder could well be the private keys associated with a specific machine's certificates

Therefore, I respectfully ask the SO community:

  1. Does the MachineKeys folder hold the private keys to these certificates?
  2. If so
    1. Are the files those local to the CA server itself, or are they copied and held on the Domain Controller?
    2. How can I link the names of the files to the certificates that have been generated?
    3. I appreciate that OpenSSL may not work, but would PowerShell be able to display the private key in a Base64 manner so that I can import both the certificate and its private key into AWS ACM?
  3. If not: where can/should I start looking for these private keys?! Is there a subsequent utility that I should be using?

Additionally, I have created a backup of the CA (CA MMC > Select local server > All Tasks > Back up CA) in which I provided a password as part of the wizard, but I'm not sure that's really going to give me what I need. It produced a PFX file and a DataBase subfolder with .DAT, .txt and .EDB files in it.

bnoeafk

1 Answer

So it appears that my understanding of MS CA services is a little sketchy, but it's totally possible to use a separate AD-connected system and load up certlm.msc (as Administrator) and generate a new certificate (including making the private key exportable) that supersedes any prior ones (by date) using the same Common Name / SAN. Being an AD-connected system, the certificate will end up being listed in the AD Root CA's "Issued Certificates" list because that CA is within the certificate chain.

Once generated, you can export the certificate (typically in the generating system's Personal\Certificates store unless you chose to install it elsewhere) as well as the private key (again, if chosen during the certificate generation wizard) via the standard "All Tasks > Export" wizard. From there, the OpenSSL utility can be used to convert PFX (PKCS#12) to PEM, and the certificate, the private key and the chain can be reviewed.

bnoeafk
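The export-and-convert step from the answer above, scripted as an added example (not code from the original post). It assumes the renewed certificate was requested on this AD-joined machine with an exportable private key, that OpenSSL is on the PATH, and that the subject name and output folder are placeholders you replace with your own.

```powershell
# Added example: pull the renewed certificate out of the machine Personal store as a
# PKCS#12 (PFX) with its chain, then split it into the three PEM files ACM asks for.
$Subject = 'CN=app.example.com'        # placeholder: the cert's Common Name
$OutDir  = 'C:\Temp\acm-export'        # placeholder: output folder
$PfxPath = Join-Path $OutDir 'app.pfx'

# Newest certificate for that subject in LocalMachine\My (the certlm.msc "Personal" store)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with subject $Subject in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    # The CA's "Issued Certificates" list never carries the key; it only exists on
    # the machine that generated the request, which is why the answer requests anew.
    throw "Certificate $($cert.Thumbprint) has no private key on this machine"
}
Write-Host "Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pw = Read-Host -AsSecureString 'PFX password'

# Export-PfxCertificate fails here if the key was not marked exportable at request time.
# BuildChain includes the issuing CA and root so the chain can be handed to ACM as well.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw `
    -ChainOption BuildChain | Out-Null

# Split the PFX into the pieces ACM's import form wants:
#   cert.pem  - certificate body      (-clcerts -nokeys)
#   key.pem   - unencrypted private key (-nocerts -nodes)
#   chain.pem - intermediate/root certs (-cacerts -nokeys)
# openssl prompts for the import password set above.
& openssl pkcs12 -in $PfxPath -clcerts -nokeys -out (Join-Path $OutDir 'cert.pem')
& openssl pkcs12 -in $PfxPath -nocerts -nodes  -out (Join-Path $OutDir 'key.pem')
& openssl pkcs12 -in $PfxPath -cacerts -nokeys -out (Join-Path $OutDir 'chain.pem')

# key.pem is the plaintext private key: restrict the folder's ACL to the account doing
# the upload and delete the PFX and PEMs once ACM reports the import succeeded.
```

ACM's import form takes the certificate body, the private key and the chain as separate PEM blocks, which is exactly the three files produced here.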