There is no resolution as this is working as designed. However, if one wants to double-check we are talking abut teh same certificate one can follow this procedure:
The CA PAM Client certificates are in the CA PAM Client directory, in a file called cacerts, so if one know the alias of the certificate one is trying to check (which will show when you open the properties of the certificate in the PAM Client Certificate Store tab) one can do
keytool -list -rfc -keystore cacerts -alias <certificate_alias_here> | openssl x509 -inform pem -pubkey -noout
That uses keytool to export the certificate to a x509 format and then openssl to retrieve the key. It will ask for a password which is blank by default.
If one then exports the certificate from Windows in der format one can do as before
openssl x509 -inform der -pubkey -noout -in <certificate_exported_from_windows_here>
Comparing the keys, both should be the same