You want to export a certificate but its private key is marked as non exportable.
Lets export it using the hard way (a future article with demonstrate an easier method).
To realize this operation we will need:
-CAPI-FPC (here) : using windows crypto API’s (aka CAPI)
-NTHASH-FPC (here) : a tool to handle hashes and ciphers with a particular focus on windows secrets and lateral movement
-TinySSL (here) : a tool based on OpenSSL library to deal with various formats for X.509 certificates, CSRs, and cryptographic keys
1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash
->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name
cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)
Lets convert this binary cert (DER format) to a PEM format:
cert.exe –der2pem –filename=blob.cer
->you get a blob.crt
2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05
->this is your encrypted (with a masterkey) DPAPI blob
Note : you can skip this test as the blob will be decrypted in step 4.
3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save
->masterkey’s will be saved to masterkeys.ini
4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save
->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.
5/ Convert the decrypted rsa key to a PEM format
cert.exe –rsa2pem –filename=decoded.bin
->you get a decoded.pem
Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.
6/ Create a pfx with your certificate and private key
Optionally : you can check that your certificate and private key share the same modulus.
tinyssl –print_private –filename=decoded.pem
tinyssl –print_cert –filename=blob.crt
Finally, create your pfx certificate.
tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt
->you get a cert.pfx, ready to import.