Confirm that private keys are blocked and cannot be exported.
You can verify whether a private key is blocked
from export in several ways.
Check the Key column in DeviceCertificate ManagementCertificates, then Device Certificates.
In this example, the forward-trust-certificate is blocked:
When you attempt to export a certificate whose private
key is blocked from export, the Export Private Key checkbox
is not available and you can’t export the key, you can only export
the certificate.
Use the following operational CLI command to list all
certificates on the device or in a particular Vsys that have private
keys blocked from export: