If you use the SCP operational CLI command to import
a certificate or to import a private key for a certificate, you
can still block export of the private key:
Each of the preceding CLI commands can also include keywords to
specify the source, the certificate name, and other parameters that
are not shown.
If you use the SCP operational CLI command to export
a certificate and include its private key (scp export certificate passphrase <phrase> remote-port <1-65536> to <destination> certificate-name <name> include-key <yes | no> format <der | pem | pkcs10 | pkcs12>),
and if the certificate’s private key is blocked, the command fails
and returns an error message because you cannot export a blocked
private key.