You want to export a certificate but its private key is marked as non exportable.<\/p>\n\n\n\n
Lets export it using the hard way (a future article with demonstrate an easier method).<\/p>\n\n\n\n
To realize this operation we will need:<\/p>\n\n\n\n
-CAPI-FPC (here<\/a>) : using windows crypto API’s (aka CAPI)<\/p>\n\n\n\n -NTHASH-FPC (here<\/a>) : a tool to handle hashes and ciphers with a particular focus on windows secrets and lateral movement<\/p>\n\n\n\n -TinySSL (here<\/a>) : a tool based on OpenSSL library to deal with various formats for X.509 certificates, CSRs, and cryptographic keys<\/p>\n\n\n\n <\/p>\n\n\n\n 1\/ Identify the cert sha1 hash and save it from registry to a cer file<\/strong> ->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC<\/em> Lets convert this binary cert (DER format) to a PEM format:<\/p>\n\n\n\n cert.exe –der2pem –filename=blob.cer<\/em><\/p>\n\n\n\n ->you get a blob.crt<\/p>\n\n\n\n 2\/ Decode dpapi blob located in C:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\%SID%<\/strong> ->this is your encrypted (with a masterkey) DPAPI blob<\/p>\n\n\n\n Note : you can skip this test as the blob will be decrypted in step 4.<\/p>\n\n\n\n 3\/ Decrypt masterkey’s located in C:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Protect\\%SID%<\/strong> ->masterkey’s will be saved to masterkeys.ini<\/p>\n\n\n\n 4\/<\/strong> Decrypt dpapi blob with masterkey (from masterkeys.ini)<\/strong> ->you get a decoded.bin 5\/ Convert the decrypted rsa key to a PEM format<\/strong><\/p>\n\n\n\n cert.exe –rsa2pem –filename=decoded.bin<\/em><\/p>\n\n\n\n ->you get a decoded.pem<\/p>\n\n\n\n Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.<\/p>\n\n\n\n 6\/<\/strong> Create a pfx with your certificate and private key<\/strong><\/p>\n\n\n\n Optionally : you can check that your certificate and private key share the same modulus.<\/p>\n\n\n\n tinyssl –print_private –filename=decoded.pem<\/em><\/p>\n\n\n\n tinyssl –print_cert –filename=blob.crt<\/em><\/p>\n\n\n\n Finally, create your pfx certificate.<\/p>\n\n\n\n tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt<\/em><\/p>\n\n\n\n ->you get a cert.pfx, ready to import.<\/p>\n\n\n\n Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":" You want to export a certificate but its private key is marked as non exportable. Lets export it using the hard way (a future article with demonstrate an easier method). To realize this operation we will need: -CAPI-FPC (here) : using windows crypto API’s (aka CAPI) -NTHASH-FPC (here) : a tool to handle hashes and […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[132,135,129],"tags":[],"class_list":["post-2413","post","type-post","status-publish","format-standard","hentry","category-openssl","category-rsa","category-ssl","category-132-id","category-135-id","category-129-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2413"}],"version-history":[{"count":12,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2413\/revisions"}],"predecessor-version":[{"id":2489,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2413\/revisions\/2489"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
cert –enumcerts –store=root<\/em>
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash<\/p>\n\n\n\n
<\/p>\n\n\n\n
->you get a blob.cer i.e your cert (without the private key)<\/p>\n\n\n\n
nthash-win64 \/decodeblob \/binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05<\/em><\/p>\n\n\n\n
nthash-win64 \/decodemks \/binary:c:\\Users\\erwan\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2427513087-2265021005-1965656450-1001 \/password:your-sha1-hash-password \/save<\/em><\/p>\n\n\n\n
nthash-win64 \/decodeblob \/binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 \/save<\/em><\/p>\n\n\n\n
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.<\/p>\n\n\n\n