SslExportKey function

The SslExportKey function returns a Secure Sockets Layer protocol (SSL) session key or public ephemeral key in a serialized BLOB.


SECURITY_STATUS WINAPI SslExportKey(
  _In_      NCRYPT_PROV_HANDLE hSslProvider,
  _In_      NCRYPT_KEY_HANDLE  hKey,
  _In_      LPCWSTR            pszBlobType,
  _Out_opt_ PBYTE              pbOutput,
  _In_      DWORD              cbOutput,
  _Out_     DWORD              *pcbResult,
  _In_      DWORD              dwFlags
);


hSslProvider [in]

The handle of the SSL protocol provider instance.

hKey [in]

The handle of the key to export.

When you are not specifying a key, set this parameter to NULL.

Note  An hKey handle is obtained by calling the SslOpenPrivateKey function. Handles obtained from the NCryptOpenKey function are not supported.

pszBlobType [in]

A null-terminated Unicode string that contains an identifier that specifies the type of BLOB to export. This can be one of the following values.


Export a Diffie-Hellman public key. The pbOutput buffer receives a BCRYPT_DH_KEY_BLOB structure immediately followed by the key data.


Export an elliptic curve cryptography (ECC) public key. The pbOutput buffer receives a BCRYPT_ECCKEY_BLOB structure immediately followed by the key data.


Export a symmetric key in a format that is specific to a single cryptographic service provider (CSP). Opaque BLOBs are not transferable and must be imported by using the same CSP that generated the BLOB.


Export an RSA public key. The pbOutput buffer receives a BCRYPT_RSAKEY_BLOB structure immediately followed by the key data.


pbOutput [out, optional]

The address of a buffer that receives the key BLOB. The cbOutput parameter contains the size of this buffer. If this parameter is NULL, this function will place the required size, in bytes, in the DWORD pointed to by the pcbResult parameter.

cbOutput [in]

The size, in bytes, of the pbOutput buffer.

pcbResult [out]

The address of a DWORD variable that receives the number of bytes copied to the pbOutput buffer. If the pbOutput parameter is set to NULL when the function is called, the required size for the pbOutput buffer, in bytes, is returned in the DWORD pointed to by this parameter.

dwFlags [in]

Reserved for future use.

Return value

If the function succeeds, it returns zero.

If the function fails, it returns a nonzero error value.

Possible return codes include, but are not limited to, the following.

Return code/value | Description

One of the provided handles is not valid.



The SslExportKey function facilitates transporting session keys from one process to another, as well as exporting the public portion of an ephemeral key.

When exporting session keys, the BLOB type is opaque, meaning that the format of the BLOB is irrelevant as long as both the SslExportKey and SslImportKey functions can interpret it.

When exporting the public portion of an ephemeral key, the BLOB type must be the appropriate type, such as NCRYPT_DH_PUBLIC_BLOB or NCRYPT_ECCPUBLIC_BLOB.
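
The size-query contract described for pbOutput, cbOutput and pcbResult, as an added C example that is not part of the original reference page: query the size with a NULL buffer, allocate, export, validate the returned length, and wipe the buffer before freeing it. The types, the fake_export provider, its error values and the blob type string used to call it are constructed stand-ins (assumptions) so the sketch compiles without the Windows headers; on Windows the call would be SslExportKey with the real types.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-ins (assumptions) for the Windows types in the prototype. */
typedef uintptr_t ssl_handle;
typedef long ssl_status;
typedef ssl_status (*export_fn)(ssl_handle prov, ssl_handle key, const wchar_t *type,
    unsigned char *out, uint32_t cb_out, uint32_t *cb_result, uint32_t flags);

/* Constructed fake provider that follows the documented size-query contract. */
static const unsigned char FAKE_BLOB[] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02};
ssl_status fake_export(ssl_handle prov, ssl_handle key, const wchar_t *type,
    unsigned char *out, uint32_t cb_out, uint32_t *cb_result, uint32_t flags) {
    (void)key; (void)type; (void)flags;
    if (prov == 0) return -3;                 /* constructed "invalid handle" error */
    *cb_result = (uint32_t)sizeof FAKE_BLOB;
    if (out == NULL) return 0;                /* size query only, nothing copied */
    if (cb_out < sizeof FAKE_BLOB) return -2; /* constructed "buffer too small" error */
    memcpy(out, FAKE_BLOB, sizeof FAKE_BLOB);
    return 0;
}

/* Wipe before free: an opaque session-key BLOB is secret material. */
void blob_free(unsigned char *p, size_t n) {
    volatile unsigned char *v = p;
    while (p && n--) *v++ = 0;
    free(p);
}

/* Two-call export: size query, allocate, export, then validate the length. */
ssl_status export_blob(export_fn fn, ssl_handle prov, ssl_handle key,
    const wchar_t *type, unsigned char **blob, uint32_t *len) {
    uint32_t need = 0, got = 0;
    *blob = NULL; *len = 0;
    ssl_status st = fn(prov, key, type, NULL, 0, &need, 0);
    if (st != 0) return st;                   /* nonzero means failure */
    unsigned char *buf = need ? calloc(1, need) : NULL;
    if (buf == NULL) return -1;
    st = fn(prov, key, type, buf, need, &got, 0);
    if (st != 0 || got > need) {              /* reject a length past the buffer */
        blob_free(buf, need);
        return st != 0 ? st : -1;
    }
    *blob = buf; *len = got;
    return 0;
}
```

The caller releases the result with blob_free(blob, len) so the exported key bytes do not linger in freed heap memory.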


Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]