Export a certificate along its non exportable private key – the hard way

 openssl, rsa, ssl  Add comments
Mar 262023
 

You want to export a certificate but its private key is marked as non exportable.

Lets export it using the hard way (a future article with demonstrate an easier method).

To realize this operation we will need:

-CAPI-FPC (here) : using windows crypto API’s (aka CAPI)

-NTHASH-FPC (here) : a tool to handle hashes and ciphers with a particular focus on windows secrets and lateral movement

-TinySSL (here) : a tool based on OpenSSL library to deal with various formats for X.509 certificates, CSRs, and cryptographic keys

1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash

->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name

cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)

Lets convert this binary cert (DER format) to a PEM format:

cert.exe –der2pem –filename=blob.cer

->you get a blob.crt

2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05

->this is your encrypted (with a masterkey) DPAPI blob

Note : you can skip this test as the blob will be decrypted in step 4.

3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save

->masterkey’s will be saved to masterkeys.ini

4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save

->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.

5/ Convert the decrypted rsa key to a PEM format

cert.exe –rsa2pem –filename=decoded.bin

->you get a decoded.pem

Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.

6/ Create a pfx with your certificate and private key

Optionally : you can check that your certificate and private key share the same modulus.

tinyssl –print_private –filename=decoded.pem

tinyssl –print_cert –filename=blob.crt

Finally, create your pfx certificate.

tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt

->you get a cert.pfx, ready to import.

Enjoy!

  One Response to “Export a certificate along its non exportable private key – the hard way”

  1. Export a certificate along its non exportable key – the easy way – Erwan's Blog says:
    30 mars 2023 at 19 h 31 min

    […] a previous article (here), we have seen how to export a certificate and its non exportable key using a rather complex method […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.