In a previous article (here), we have seen how to export a certificate and its non exportable key using a rather complex method (decrypting DPAPI).
Here below how to do it the easy way (by hooking a rsaenh.dll api) :
cert –export –store=root –subject= »Root Authority » –force
-> you get a cert.pfx containing both the certificate and the private key.
Import and enjoy !
You want to export a certificate but its private key is marked as non exportable.
Lets export it using the hard way (a future article with demonstrate an easier method).
1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash
->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name
cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)
Lets convert this binary cert (DER format) to a PEM format:
cert.exe –der2pem –filename=blob.cer
->you get a blob.crt
2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05
->this is your encrypted (with a masterkey) DPAPI blob
Note : you can skip this test as the blob will be decrypted in step 4.
3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save
->masterkey’s will be saved to masterkeys.ini
4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save
->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.
5/ Convert the decrypted rsa key to a PEM format
cert.exe –rsa2pem –filename=decoded.bin
->you get a decoded.pem
Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.
6/ Create a pfx with your certificate and private key
Optionally : you can check that your certificate and private key share the same modulus.
tinyssl –print_private –filename=decoded.pem
tinyssl –print_cert –filename=blob.crt
Finally, create your pfx certificate.
tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt
->you get a cert.pfx, ready to import.
Enjoy!
Still pursuing my journey around ldap, ssl and certificates : lets play with OpenSSL libraries.
Have a look at the code on github here.
Possible actions so far:
--genkey generate rsa keys public.pem and private.pem
--encrypt encrypt a file using public.pem
--decrypt decrypt a file using private.pem
--mkcert make a self sign root cert, read from privatekey (option) & write to ca.crt and ca.key
--mkreq make a certificate service request, read from request.key (if exist) & write to request.csr request.key
--signreq make a certificate from a csr, read from a csr filename and a cert file
--selfsign make a self sign cert, write to cert.crt cert.key
--p12topem convert a pfx to pem, write to cert.crt and cert.key
--pemtop12 convert a pem to pfx, read from cert.crt and cert.keyExample to create a root ca, a certificate signing request and a certificate (which you can use in latest chrome) :
rem if you want to reuse an existing key and therefore renew instead of recreate
tinySSL.exe --mkcert --debug=true --privatekey=ca.key --password=password --filename=ca.crt
rem recreate, not renew
rem tinySSL.exe --mkcert --debug=true --filename=ca.crt
rem renew, not recreate
tinySSL.exe --mkreq --debug=true --filename=request.csr --privatekey=request.key
rem recreate, not renew
rem tinySSL.exe --mkreq --debug=true --filename=request.csr
tinySSL.exe --signreq --debug=true --alt="DNS:*.groupe.fr" --password=password --filename=request.csr --cert=ca.crtNote : have a look at this article if you want to test your certificate in a http ssl server.