Extracting certs/private keys from certificates that disable private key exporting

make-cert-and-pk.md

Situation

• I have to use a Windows client to install a certificate (say via the Magnum PKI Client)
• I cannot export the private key for this certificate
• I am a Linux user that needs to have the cert and private key

Solution (steps)

Install/export certificate using Windows VM

1. Get yourself a Windows VM via modern.ie
   • Make sure you set up a Shared Folder so you can bring files back over to Linux
2. Install the certificate through the VM as needed
3. In Internet Explorer, click the settings icon (looks like a gear) and choose "Internet Options"
4. Click the "Content Tab"
5. Click "Certificates"
6. Click the certificate you installed (likely on the Personal tab) and click the "Export..." button
7. Click "Next" through the next few prompts in the Certificate Export Wizard
8. On the "File to Export" screen, click "Browse" and find a location (like your Desktop) to save the file to and give it a name
9. Click "Next" and "Finish"
10. Bring the certificate back over to Linux

Run mimikatz to get private key

1. Download mimikatz - a tool that will extract the private key from installed certificates
2. Extract the mimikatz files to a directory (you only need the Win32 folder)
3. Run cmd.exe as an Administrator (you may need to navigate to C:\Windows\System32\ and right-click the cmd.exe file)
4. Run the mimikatz.exe from the command prompt
5. Run the following commands:

privilege::debug
crypto::capi
crypto::keys /export

You should have a .pvk (private key) file in the same directory as mimikatz.exe now—probably just the one you installed. If you see multiple private keys, you'll have to determine which one is the one you installed.

Convert PVK to PEM

You can convert the Windows proprietary ".pvk" file to a useful ".pem" file by using the following command:

openssl rsa -inform pvk -in YOUR_PRIVATE_KEY.pvk -outform pem -out YOUR_NEW_PRIVATE_KEY.pem

Celebrate!

You now have a certificate with the private key that you can use to connect to a VPN or other networks that require certs/private keys. You can do a lot once you get this far. Check out some of the most common OpenSSL commands for a good list.

Sources & Resources

• https://github.com/gentilkiwi/mimikatz/
• http://lorands.com/2012/10/openconnect-replacement-for-cisco-anyconnect-on-linux-ubuntu/
• http://blog.gentilkiwi.com/cryptographie/openssl-conversion-pvk-microsoft-privatekey-blob
• http://musingsysadmin.com/2013/08/export-non-exportable-certificate-keys-from-store/
• https://www.youtube.com/watch?v=M3XX3CHihJY

Good stuff, thanks.
I've tried also doing the reverse (which I actually need), convert from the PEM output above back to PVK and that doesn't create the same output file as the original .pvk.

Is there something I'm missing to make that work?

Thanks
-Mike

BTW, the reverse works (pem to pvk), if your openssl has the fips module and you add -pvk-strong as a parameter.
Took a while to find that, so could be helpful if anyone else needs that.

Thanks
-Mike