There is a way to prohibit all users (including users with administrator privileges) from exporting X.509 certificates with private keys. The ban encompasses all private keys of X.509 certificates, whether used by communities or embedded servers.
The control to disable exporting of all private keys is in the crossworks.properties file. The file is at <install directory>\conf. The property is:
privateKey.export.enable
The default value of the property is true. This means users associated with roles that permit exporting private keys can do so. Even with the property enabled, however, users can be associated with roles that block exporting private keys.
When the value is set to false, all users are prohibited from exporting private keys. This includes users, such as administrators, who are associated with roles that allow exporting private keys. When the value is false, all user interface elements related to exporting private keys are no longer displayed.
Changes to the crossworks.properties file take effect upon saving the file. Activator does not have to be restarted.
If the privateKey.export.enable property is deleted from the crossworks.properties file, Activator behaves as though the value is true. This ensures backward compatibility with earlier versions of Activator that do not have the property in the crossworks.properties file.
This property provides an additional safeguard against private keys becoming compromised. The property does not affect exporting of public keys.
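Because a deleted or commented-out property silently behaves as true, a configuration audit should report the effective state rather than only search for the key. The following check is an added example, not part of the Activator product or its documentation. It assumes crossworks.properties uses standard Java .properties syntax, and it reports any value other than the literal true or false as unknown, since the page does not say how Activator treats such values.

```python
import re
import sys

PROP = "privateKey.export.enable"  # property name as given on the page

# Assumption: crossworks.properties follows Java .properties syntax
# ('#'/'!' comments; '=', ':' or whitespace separator; last duplicate wins).
# Backslash line continuations are not handled.
LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def effective_export_setting(text):
    """Return 'enabled', 'disabled' or 'unknown' for private key export."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment (a commented-out key is absent)
        m = LINE.match(line)
        if m and m.group(1) == PROP:
            value = m.group(2)  # keep the last occurrence
    if value is None or value == "true":
        return "enabled"  # page: a missing property behaves as true
    if value == "false":
        return "disabled"
    return "unknown"  # e.g. 'False' or a typo: confirm the behaviour in the UI


# Constructed sample file contents, not taken from a real installation.
SAMPLE_HARDENED = "# constructed sample\nprivateKey.export.enable=false\n"
SAMPLE_COMMENTED = "#privateKey.export.enable=false\n"

if __name__ == "__main__":
    # Usage: python check_export.py "<install directory>\conf\crossworks.properties"
    if len(sys.argv) != 2:
        sys.exit("usage: check_export.py <path to crossworks.properties>")
    with open(sys.argv[1], encoding="latin-1") as fh:
        state = effective_export_setting(fh.read())
    print(f"{PROP}: private key export is {state}")
    sys.exit(0 if state == "disabled" else 1)
```

The script exits non-zero unless export is confirmed disabled, so it can be scheduled as a drift check against the file, which matters because edits take effect on save without a restart.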