In a previous article (here), we have seen how to export a certificate and its non exportable key using a rather complex method (decrypting DPAPI).
Here below how to do it the easy way (by hooking a rsaenh.dll api) :
cert –export –store=root –subject= »Root Authority » –force
-> you get a cert.pfx containing both the certificate and the private key.
Import and enjoy !
You want to export a certificate but its private key is marked as non exportable.
Lets export it using the hard way (a future article with demonstrate an easier method).
1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash
->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name
cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)
Lets convert this binary cert (DER format) to a PEM format:
cert.exe –der2pem –filename=blob.cer
->you get a blob.crt
2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05
->this is your encrypted (with a masterkey) DPAPI blob
Note : you can skip this test as the blob will be decrypted in step 4.
3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save
->masterkey’s will be saved to masterkeys.ini
4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save
->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.
5/ Convert the decrypted rsa key to a PEM format
cert.exe –rsa2pem –filename=decoded.bin
->you get a decoded.pem
Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.
6/ Create a pfx with your certificate and private key
Optionally : you can check that your certificate and private key share the same modulus.
tinyssl –print_private –filename=decoded.pem
tinyssl –print_cert –filename=blob.crt
Finally, create your pfx certificate.
tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt
->you get a cert.pfx, ready to import.
Enjoy!
You have a running ldap server but you want to be able to use ssl.
For this you need:
1-A root CA (certificate authority) installed on the domain controller/ldap server in the computer « root » store
2-A CSR (certificate service request) triggered by the domain controller/ldap server
3-A CSR signed by your root ca thus giving you a certificate to be installed on the domain controller/ldap server in the computer « my » store
4-The root CA installed in the client/user certificate store
Step 1
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
launch mmc.exe, load the certificate snap-in, select « computer account », choose the « trusted root CA » and import your ca.crt.
Step 2
With notepad, create the below request.inf file (adapt the CN with your server CN).
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server AuthenticationGenerate your csr with certreq -new request.inf server.csr.
Step 3
Sign your csr :
openssl x509 -req -days 3650 -in request.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
launch mmc.exe, load the certificate snap-in, select « computer account », choose the « MY » store and import your server.crt.
Reboot your DC : your ldap ssl server is now operational.
Edit :
1/
It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTSD service rather than « computer account » in the MMC snap-in).
Indeed, most probably your computer account will have more than one cert in its trust store and NTDS will then pick randomly one of them.
2/
Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all) : serveur authentication and client authentication.
More here.
Step 4
On your user/client, launch mmc.exe, load the certificate snap-in, select « user account », choose the « trusted root CA » store and import your ca.crt to allow your user/client to validate the server cert.