
First I would just like to mention that my knowledge of Windows authentication methods is very limited. So my question:

Is it possible to use a custom credential provider in Windows to log on that accepts a certificate which I export from the certificate store together with its private key?

As far as I know, Kerberos accepts the username/password format and also a certificate from a smart card.

So my question is, how can I feed my exported certificate into Kerberos?

Ella Rose

1 Answer


Note: The below holds assuming Microsoft did things properly and followed the standard. But Microsoft being Microsoft, they didn't. Smart-Card (certificate-based) logon is only supported when using Kerberos, thanks to the custom Microsoft extension to Kerberos.

So my question is, how can I feed my exported certificate into Kerberos?

Short Answer: You can't.
Long Answer: Technically, you can.

To understand this, we need to take two detours: Namely the answer to your first question and to Kerberos. Let's do Kerberos first.

So, Kerberos is a (complex) protocol that allows a client to authenticate with a (sequence of) central server(s) such that at the end the client's actual intended communication partner can be sure of the client's identity and has a shared key with them. All of this while only the client has to establish connections with the central server(s) and while the only pre-shared keys are between each party and the central server(s). Now, Kerberos relies entirely on symmetric cryptography, so from a protocol point of view authentication via asymmetric cryptography isn't (directly) an option. I'm rather confident that Windows also doesn't support this natively (short answer).

However, the answer to your question

Is it possible to use a custom credential provider in Windows to log on that accepts a certificate which I export from the certificate store together with its private key?

is yes. There is software that allows you to log in to local Windows installations using a smart card, and it's a built-in ability if the authentication is handled by a domain controller. Note though that using an encrypted exported private key isn't a sensible authentication method on its own, as you would be back to username (identifying the relevant keyfile) and password (decrypting it) and would have gained nothing.

If you have a smart card and use this smart card to decrypt a Windows password, then you can use this decrypted password for Kerberos authentication. Doing the first part is possible, as demonstrated by the software which feeds the password to the standard Windows login facilities after decryption for local logon. Doing the latter shouldn't be too hard. Please note that implementing this is likely a lot of effort and only potentially worth it in an environment where you cannot possibly switch away from using Kerberos to use "normal" domain-controller-based public-key authentication. This is why the longer answer is "you can".

SEJPM
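The answer above describes Kerberos as a protocol in which every party shares a symmetric key only with the central server and all cryptography is symmetric, and it notes that the client's long-term key is derived from the password (which is why a smart card that merely releases a password fits in without changing the protocol). The following toy model, added here as an illustration and not taken from the question, the answer, or any Microsoft or MIT Kerberos code, walks the three exchanges (AS, TGS, AP) end to end with stand-in message formats and a constructed HMAC-based toy cipher in place of a real Kerberos enctype. Principal names, the `KDC` class, `seal`/`unseal`, `run_demo` and all sample values are assumptions made for the example; the only real-library calls are Python's `hashlib`, `hmac`, `json`, `os` and `time`.

```python
"""Toy Kerberos-style exchange, constructed for illustration only (not real Kerberos)."""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, principal: str) -> bytes:
    # Kerberos turns the password into the client's long-term key ("string-to-key").
    # Whether a user typed the password or a smart card released it is invisible here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag) standing in for an enctype."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication Server + Ticket Granting Server; holds one symmetric key per principal."""

    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.keys["krbtgt"] = os.urandom(32)  # protects TGTs; never leaves the KDC

    def as_exchange(self, client: str, preauth: bytes):
        # AS-REQ pre-authentication: a timestamp sealed under the client's long-term key.
        # A wrong password means a wrong key, so this unseal is where a bad logon fails.
        if abs(time.time() - unseal(self.keys[client], preauth)["ts"]) > 300:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session})
        return tgt, seal(self.keys[client], {"key": session})  # AS-REP

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        tgt_body = unseal(self.keys["krbtgt"], tgt)
        tgs_session = bytes.fromhex(tgt_body["key"])
        if unseal(tgs_session, authenticator)["client"] != tgt_body["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt_body["client"], "key": svc_session})
        return ticket, seal(tgs_session, {"key": svc_session, "service": service})  # TGS-REP


def client_logon(kdc: KDC, user: str, password: str, service: str):
    """Client side: AS then TGS exchange; returns (service ticket, authenticator, session key)."""
    k_user = derive_key(password, user)
    tgt, as_rep = kdc.as_exchange(user, seal(k_user, {"ts": time.time()}))
    tgs_session = bytes.fromhex(unseal(k_user, as_rep)["key"])
    ticket, tgs_rep = kdc.tgs_exchange(tgt, seal(tgs_session, {"client": user}), service)
    svc_session = bytes.fromhex(unseal(tgs_session, tgs_rep)["key"])
    return ticket, seal(svc_session, {"client": user, "ts": time.time()}), svc_session


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """Service side (AP exchange): needs only its own KDC-shared key, never the client's."""
    body = unseal(service_key, ticket)
    key = bytes.fromhex(body["key"])
    if unseal(key, authenticator)["client"] != body["client"]:
        raise ValueError("authenticator does not match ticket")
    return body["client"], key


def run_demo(password_typed: str = "correct horse") -> tuple:
    """Returns (client name the service saw, whether client and service hold the same key)."""
    k_user = derive_key("correct horse", "alice@EXAMPLE.LOCAL")  # constructed sample principal
    k_svc = os.urandom(32)
    kdc = KDC({"alice@EXAMPLE.LOCAL": k_user, "cifs/fs01": k_svc})
    ticket, auth, client_key = client_logon(kdc, "alice@EXAMPLE.LOCAL", password_typed, "cifs/fs01")
    who, svc_key = service_accept(k_svc, ticket, auth)
    return who, hmac.compare_digest(client_key, svc_key)


def wrong_password_rejected() -> bool:
    try:
        run_demo("wrong password")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_demo(), wrong_password_rejected())
```

Two things are worth noticing when reading it. First, no public key appears anywhere: the client proves possession of a key the KDC already shares with it, the KDC mints session keys, and the service trusts a ticket only because it is sealed under the service's own KDC-shared key. Second, an exported certificate with private key has no slot in this flow unless something outside the protocol (a PKINIT-style extension, or the smart-card-decrypts-a-password scheme the answer sketches) turns it into the password-derived key that `derive_key` produces.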