I need to export a private key from the Windows store. What should I do if the key is marked as non-exportable? I know that it is possible; the program jailbreak can export this key.
To export the key I use Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(), which builds the key from (RSACryptoServiceProvider)cryptoProv.ExportParameters(true). I then use the exported key in Org.BouncyCastle.Cms.CmsSignedDataGenerator for the CMS signature.
I need a solution for .NET, but any solution will be useful. Thank you.
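The following is an added example, not code from the question or from BouncyCastle: before calling ExportParameters(true) it asks the provider whether the key is exportable (CspKeyContainerInfo.Exportable for CryptoAPI keys, CngKey.ExportPolicy for CNG keys), then attempts the export and converts the result into the BouncyCastle key pair that CmsSignedDataGenerator expects. It assumes the BouncyCastle assembly is referenced and .NET Framework 4.6 or later (for GetRSAPrivateKey and RSACng); the class and method names are the example's own.

```csharp
// Added example (not from the original question or BouncyCastle): report each
// certificate's provider and exportability flag, then try the export that the
// question relies on. Non-exportable keys make ExportParameters(true) throw a
// CryptographicException; there is no documented API that bypasses that.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;

static class KeyExportCheck
{
    // True when the provider itself reports the key as exportable.
    // Covers CryptoAPI (RSACryptoServiceProvider) and CNG (RSACng) keys.
    static bool IsExportable(RSA rsa)
    {
        if (rsa is RSACryptoServiceProvider csp)
            return csp.CspKeyContainerInfo.Exportable;
        if (rsa is RSACng cng)
            return (cng.Key.ExportPolicy & CngExportPolicies.AllowPlaintextExport) != 0;
        return false; // unknown provider: treat as non-exportable
    }

    // Tries to export the private key and hand it to BouncyCastle.
    // Returns null instead of throwing when the store refuses the export.
    static AsymmetricCipherKeyPair TryGetKeyPair(X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null) return null; // no RSA private key bound to this cert

            Console.WriteLine("{0}: provider={1} exportable={2}",
                cert.Subject, rsa.GetType().Name, IsExportable(rsa));
            try
            {
                RSAParameters p = rsa.ExportParameters(true); // throws for non-exportable keys
                return DotNetUtilities.GetRsaKeyPair(p);
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("  export refused: " + ex.Message);
                return null;
            }
        }
    }

    static void Main()
    {
        // CurrentUser\My is assumed here; use StoreLocation.LocalMachine for machine certs.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (!cert.HasPrivateKey) continue;
                AsymmetricCipherKeyPair kp = TryGetKeyPair(cert);
                if (kp != null)
                    Console.WriteLine("  BouncyCastle key pair ready for CmsSignedDataGenerator");
            }
        }
    }
}
```

If the only goal is a CMS signature rather than possession of the key material, a non-exportable key can still be used in place: System.Security.Cryptography.Pkcs.SignedCms signs with the certificate through the provider without ever exporting the private key, so the export step above can be skipped entirely for that case.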
Go to: Certificates > Personal > Certificates. Right-click on the certificate you wish to export, go to All Tasks and hit Export. Hit Next on the Certificate Export Wizard to begin the process. Select "Yes, export the private key" and hit Next.
Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.
If the option "Yes, export the private key" is greyed out while you are exporting this certificate, it means the private key of this certificate cannot be exported after the certificate has been enrolled/requested.
You're right, there is no API at all that I'm aware of to export a private key marked as non-exportable. But if you patch (in memory) the normal APIs, you can use the normal way to export :)
There is a new version of mimikatz that also supports CNG export (Windows Vista / 7 / 2008 ...).
Run it and enter the following commands in its prompt:
privilege::debug (unless you already have it or target only CryptoAPI)
crypto::patchcng (NT 6) and/or crypto::patchcapi (NT 5 & 6)
crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
The exported .pfx files are password protected with the password "mimikatz".
Gentil Kiwi's answer is correct. He developed the mimikatz tool, which is able to retrieve non-exportable private keys.
However, his instructions are outdated. You need to:
Download the latest release from https://github.com/gentilkiwi/mimikatz/releases
Run cmd with admin rights on the same machine where the certificate was requested
Change to the mimikatz bin directory (Win32 or x64 version)
Run mimikatz
Follow the wiki instructions and the .pfx file (protected with the password mimikatz) will be placed in the same folder as the mimikatz binary
mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
* System Store : 'local_machine' (0x00020000)
* Store : 'my'
- example.domain.local
Key Container : example.domain.local
Provider : Microsoft Software Key Storage Provider
Type : CNG Key (0xffffffff)
Exportable key : NO
Key size : 2048
Public export : OK - 'local_machine_my_0_example.domain.local.der'
Private export : OK - 'local_machine_my_0_example.domain.local.pfx'