I’m using Windows 10 (19041.867) and trying to use Mimikatz (2.2.0 20200918) to export a private key marked as non-exportable by the certificate export wizard.
After using the following commands:
crypto::capi
crypto::certificates /export
I get the following error for the private key export (XXX for privacy). Am I doing anything wrong?
0. XXX
Subject : XXX
Issuer : XXX
Serial : XXX
Algorithm: 1.2.840.113549.1.1.1 (RSA)
Validity : XXX
Hash SHA1: XXX
Key Container : XXX
Provider : Microsoft Strong Cryptographic Provider
Provider type : RSA_FULL (1)
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090016)
Public export : OK - 'CURRENT_USER_MY_1_MARICARMEN.der'
Private export : ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx/kull_m_file_writeData (0x80090016)
Am I doing anything wrong?
Aside from "us[ing] Mimikatz to export a private key marked as non-exportable"? No(t necessarily).
0x80090016 is NTE_BAD_KEYSET, which means that while the certificate is marked as having a private key, the file it should be in has been deleted.
Now you can go on the hunt for why the keyfile got deleted, which is typically that the cert got loaded from a PFX with .NET without specifying that the keyfile should live longer than the certificate object. (The possibility that this is from code that you wrote is the reason for the hedged "no")
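The .NET import pattern the answer describes, next to the corrected one and a check for store entries whose key file is gone. This is an added example, not code from the question or the answer; it assumes .NET on Windows with C# 8 or later, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxKeyLifetime   // hypothetical name, for illustration only
{
    // Problem pattern: with default flags the key file is treated as temporary and
    // is deleted when the certificate object is disposed or finalized. The store
    // entry then still claims a private key that no longer exists.
    static void ImportWithoutPersist(string pfxPath, string password)
    {
        using var cert = new X509Certificate2(pfxPath, password);
        AddToCurrentUserMy(cert);
    }

    // Corrected pattern: PersistKeySet keeps the key file after the object is gone.
    static void ImportWithPersist(string pfxPath, string password)
    {
        using var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
        AddToCurrentUserMy(cert);
    }

    static void AddToCurrentUserMy(X509Certificate2 cert)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
    }

    // Diagnostic: report certificates that claim a private key which cannot be opened.
    static void ReportOrphanedKeys()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates)
        {
            if (!cert.HasPrivateKey) continue;
            try
            {
                using RSA key = cert.GetRSAPrivateKey();   // null for non-RSA keys
                key?.ExportParameters(false);              // public part only; forces the key to open
            }
            catch (CryptographicException e)
            {
                Console.WriteLine($"{cert.Thumbprint}: 0x{e.HResult:X8} {e.Message}");
            }
        }
    }

    static void Main() => ReportOrphanedKeys();
}
```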