You want to export a certificate, but its private key is marked as non-exportable.
Let's export it the hard way (a future article will demonstrate an easier method).
1/ Identify the certificate's SHA-1 hash (its thumbprint) and save the certificate from the registry-backed store to a .cer file
cert –enumcerts –store=root
-> 9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the certificate's SHA-1 hash (thumbprint)
-> d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the key container's unique name, i.e. the file name of the private key blob on disk
cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
-> you get blob.cer, i.e. your certificate (without the private key)
Let's convert this binary (DER) certificate to PEM format:
cert.exe –der2pem –filename=blob.cer
-> you get blob.crt
2/ Decode the DPAPI blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID% (the file is named after the unique name found in step 1)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05
-> this is your DPAPI blob, still encrypted with one of the user's master keys
Note: you can skip this step, since the blob gets decrypted in step 4 anyway.
3/ Decrypt the master keys located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save
-> the master keys are saved to masterkeys.ini. Note that /password: takes the SHA-1 hash of the user's logon password, not the password itself: DPAPI derives the key that protects the master keys from that hash.
4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save
-> you get decoded.bin
This is your decrypted DPAPI blob, i.e. your RSA private key in the clear.
5/ Convert the decrypted rsa key to a PEM format
cert.exe –rsa2pem –filename=decoded.bin
-> you get decoded.pem
Note: this could also be done in two steps, rsa2pvk and then pvk2pem.
6/ Create a pfx with your certificate and private key
Optionally, check that the certificate and the private key share the same modulus (if they don't, you decrypted the wrong key container):
tinyssl –print_private –filename=decoded.pem
tinyssl –print_cert –filename=blob.crt
Finally, create your PFX:
tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt
-> you get cert.pfx, ready to import.
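As an added example (not the author's cert.exe / nthash / tinyssl tools, and not part of the original post), here is what Windows can do natively around the procedure above: step 1 (find the certificate by thumbprint, read the unique name of its key container without needing export rights, locate the DPAPI-protected key file and the master-key folder, save blob.cer and blob.crt) and step 6 (verify the modulus and build cert.pfx from blob.crt and decoded.pem). Steps 2 to 5, the DPAPI decryption itself, still need the tools from the post. It assumes PowerShell 7.1 or later on Windows, a software-backed key in the user profile, and the thumbprint, store and file names used in the post; the password 'changeit' and the function name New-PfxFromPem are my own choices.

```powershell
#Requires -Version 7.1
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not the author's tools. Assumes PowerShell 7.1+ on Windows and a
# software-backed (CAPI or CNG) key in the user profile. Thumbprint, store and file
# names are the ones from the post.
$ErrorActionPreference = 'Stop'
$thumbprint = '9EC82D0810FACD26CF5DE736C4F17228DDF49BBC'
$store      = 'Cert:\CurrentUser\Root'   # the post uses the root store; personal certs live in ...\My
$workDir    = $PWD.Path

# ---- Step 1: certificate, thumbprint, key container, DPAPI files ----
$cert = Get-Item "$store\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "certificate $thumbprint has no private key in $store" }
"Thumbprint (SHA-1): $($cert.Thumbprint)"

# Reading the container's unique name does not require the key to be exportable.
$rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI key
} else {
    $uniqueName = $rsa.Key.UniqueName                                 # CNG key
}
"Key container unique name: $uniqueName"

# CAPI keys live under Crypto\RSA\<SID>, CNG keys under Crypto\Keys; master keys under Protect\<SID>.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyFile = @("$env:APPDATA\Microsoft\Crypto\RSA\$sid\$uniqueName",
             "$env:APPDATA\Microsoft\Crypto\Keys\$uniqueName") |
           Where-Object { Test-Path $_ } | Select-Object -First 1
"DPAPI-protected key blob: $keyFile"
$protectDir = "$env:APPDATA\Microsoft\Protect\$sid"
"Master key files (hidden, one per GUID) in $protectDir :"
Get-ChildItem -Force -File $protectDir |
    Where-Object Name -Match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' |
    ForEach-Object { "  $($_.Name)" }

# Save the certificate alone, DER (blob.cer) and PEM (blob.crt), like -dumpcert and -der2pem.
[IO.File]::WriteAllBytes("$workDir\blob.cer", $cert.Export([X509ContentType]::Cert))
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path "$workDir\blob.crt" -Value $pem -Encoding ascii -NoNewline

# ---- Step 6: once decoded.pem exists, check the modulus and build the PFX ----
function New-PfxFromPem {
    param(
        [Parameter(Mandatory)] [string] $CertPemPath,   # blob.crt
        [Parameter(Mandatory)] [string] $KeyPemPath,    # decoded.pem (PKCS#1 "RSA PRIVATE KEY" or PKCS#8)
        [Parameter(Mandatory)] [string] $PfxPath,       # cert.pfx
        [Parameter(Mandatory)] [string] $Password
    )
    $certOnly = [X509Certificate2]::new($CertPemPath)
    $modCert  = [Convert]::ToHexString(
        [RSACertificateExtensions]::GetRSAPublicKey($certOnly).ExportParameters($false).Modulus)
    # .NET refuses to pair a private key with a certificate whose public key it does not match,
    # so a blob from the wrong key container fails here instead of at import time.
    try {
        $withKey = [X509Certificate2]::CreateFromPemFile($CertPemPath, $KeyPemPath)
    } catch {
        throw "$KeyPemPath is not the private key of $($certOnly.Thumbprint): $($_.Exception.Message)"
    }
    $modKey = [Convert]::ToHexString(
        [RSACertificateExtensions]::GetRSAPrivateKey($withKey).ExportParameters($false).Modulus)
    if ($modKey -ne $modCert) { throw 'modulus mismatch between certificate and private key' }
    "Modulus ($($modCert.Length * 4)-bit) matches: $($modCert.Substring(0, 16))..."
    [IO.File]::WriteAllBytes($PfxPath, $withKey.Export([X509ContentType]::Pfx, $Password))
    "Wrote $PfxPath (import with Import-PfxCertificate ... -Exportable to keep the key exportable)"
}

if (Test-Path "$workDir\decoded.pem") {
    New-PfxFromPem -CertPemPath "$workDir\blob.crt" -KeyPemPath "$workDir\decoded.pem" `
                   -PfxPath "$workDir\cert.pfx" -Password 'changeit'
} else {
    "Run steps 2 to 5 of the post to produce decoded.pem, then call New-PfxFromPem."
}
```

The unique name printed by the first half is the file name you feed to nthash-win64 /decodeblob, and the GUID-named files are the candidates for /decodemks. The modulus comparison in New-PfxFromPem is the same check the post does with tinyssl -print_private / -print_cert; the .NET pairing already rejects a mismatched key, so the explicit comparison mainly makes the failure reason obvious.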
Enjoy!