68

I need to export a private key from the Windows store. What should I do if the key is marked as non-exportable? I know that it is possible; the program Jailbreak can export this key.

To export the key I use Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(), which exports the key from (RSACryptoServiceProvider)cryptoProv.ExportParameters(true). I use the exported key in Org.BouncyCastle.Cms.CmsSignedDataGenerator for the CMS signature.

I need a solution for .NET, but any solution will be useful. Thank you.

xav
Gorf
  • The FindPrivateKey.exe util (analogous to CspKeyContainerInfo.UniqueKeyContainerName) can get the private key file name in the "Microsoft\Crypto\RSA\" folder. Do those files really contain the private key, and how can I decrypt the key from this file? – Gorf Oct 13 '10 at 08:48
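Before reaching for a patching tool it helps to know which API (legacy CryptoAPI CSP or CNG) holds each key, whether Windows flags it exportable, and where the key file sits on disk, since the comment above asks about the Microsoft\Crypto\RSA folder. The PowerShell below is an added example written for this page, not code from the question or any answer; it assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later and the well-known key-file folders under %ProgramData% and %APPDATA%. The key files are DPAPI-protected, so the script only locates them and prints their ACL; it does not decrypt anything.

```powershell
# Added example (not from the question or answers): for every certificate in a
# store with a private key, report CSP vs CNG, the provider, the exportable flag
# and the on-disk key file with its ACL. Assumes Windows PowerShell 5.1 / .NET 4.6+.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

# Well-known key-file folders (key material inside is DPAPI-protected).
$cspMachine  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$cngMachine  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
$cspUserRoot = Join-Path $env:APPDATA     'Microsoft\Crypto\RSA'   # one subfolder per SID
$cngUser     = Join-Path $env:APPDATA     'Microsoft\Crypto\Keys'

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        # Returns RSACng for KSP keys, RSACryptoServiceProvider for CSP keys;
        # opening the key does not require it to be exportable.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return [pscustomobject]@{ Api = 'n/a'; Provider = $_.Exception.GetBaseException().Message
                                  Exportable = $null; UniqueName = $null; KeyFile = $null }
    }
    if ($null -eq $rsa) { return $null }   # non-RSA key (e.g. ECDSA): out of scope here
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $key = $rsa.Key
        $dir = if ($key.IsMachineKey) { $cngMachine } else { $cngUser }
        $exportable = ($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        return [pscustomobject]@{
            Api        = 'CNG'
            Provider   = $key.Provider.Provider
            Exportable = $exportable
            UniqueName = $key.UniqueName
            # Smart-card / TPM keys have no software key file; UniqueName may be empty.
            KeyFile    = if ($key.UniqueName) { Join-Path $dir $key.UniqueName } else { $null }
        }
    }
    $info = ([System.Security.Cryptography.RSACryptoServiceProvider]$rsa).CspKeyContainerInfo
    $dir = if ($info.MachineKeyStore) { $cspMachine } else {
        # User CSP keys live under %APPDATA%\Microsoft\Crypto\RSA\<SID>\
        $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        Join-Path $cspUserRoot $sid
    }
    return [pscustomobject]@{
        Api        = 'CryptoAPI'
        Provider   = $info.ProviderName
        Exportable = $info.Exportable
        UniqueName = $info.UniqueKeyContainerName
        KeyFile    = Join-Path $dir $info.UniqueKeyContainerName
    }
}

foreach ($cert in Get-ChildItem $StorePath) {
    $k = Get-PrivateKeyInfo -Cert $cert
    if ($null -eq $k) { continue }
    '{0}  {1}' -f $cert.Thumbprint, $cert.Subject
    '    {0} key via "{1}"  exportable={2}' -f $k.Api, $k.Provider, $k.Exportable
    if ($k.KeyFile -and (Test-Path $k.KeyFile)) {
        '    key file: {0}' -f $k.KeyFile
        # Which accounts may read the protected file: the account doing an
        # export has to be able to open it in the first place.
        (Get-Acl $k.KeyFile).Access |
            ForEach-Object { '      {0,-40} {1}' -f $_.IdentityReference, $_.FileSystemRights }
    } elseif ($k.KeyFile) {
        '    key file not found at {0} (hardware key or other user profile?)' -f $k.KeyFile
    }
}
```

Run it elevated to see LocalMachine key files. A `CNG` key reported with `exportable=False` is exactly the case the answers below deal with, and the ACL lines show which accounts can open the protected file at all.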

7 Answers

59

You're right, there is no API at all that I'm aware of to export a PrivateKey marked as non-exportable. But if you patch (in memory) the normal APIs, you can use the normal way to export :)

There is a new version of mimikatz that also supports CNG export (Windows Vista / 7 / 2008 ...)

  1. Download (and launch with administrative privileges): http://blog.gentilkiwi.com/mimikatz (trunk version or latest version)

Run it and enter the following commands in its prompt:

  1. privilege::debug (unless you already have it or target only CryptoApi)
  2. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
  3. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

The exported .pfx files are password protected with the password "mimikatz"

Dan Lenski
Gentil Kiwi
  • Thank you. As I understand it, this utility only exports all keys from the store; if the store contains too many certificates it takes a lot of time. Maybe I have not figured it out, but can you export a specific pfx certificate with this util? And how can I decode a *.pvk file in my program? I solved my problem by integrating RSACryptoServiceProvider into CmsSignedDataGenerator. – Gorf Oct 20 '10 at 13:47
  • This tool exports all keys AND an individual PFX per certificate/key. Maybe I can adapt the code to select only a specified certificate (it is a forensic tool, not a utility ;)). For the PVK format, OpenSSL 1.x converts it without any problem :) openssl rsa -inform pvk -in fichier.pvk -outform pem -out fichier.pem – Gentil Kiwi Oct 20 '10 at 22:52
  • The commands in the crypto module have changed: `crypto::cng` or `crypto::capi` or `crypto::keys /export` – hewigovens May 06 '14 at 13:46
  • Use `crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE` for the *Computer Store* (https://github.com/gentilkiwi/mimikatz/blob/master/README.md#crypto) – Matej Feb 05 '16 at 14:47
  • Is this still valid for Windows 10? – U. Windl Sep 08 '20 at 14:02
  • @NickG / Ville, this is incorrect. The [official mimikatz releases](https://github.com/gentilkiwi/mimikatz/releases) _do not_ contain malware, at all. The tool has unfortunately been [mislabeled as malware by anti-virus software](https://github.com/gentilkiwi/mimikatz/issues/55) because it's commonly used in exploits… like any tool that can be used to extract passwords and private keys, it's susceptible to illegitimate uses. – Dan Lenski Oct 30 '20 at 06:59
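The question's real goal is a CMS signature, and Gorf's comment above says the fix was to hand the store-backed RSACryptoServiceProvider to the signer instead of exporting the key. The same idea in PowerShell with the built-in SignedCms class, as an added example written for this page rather than code from the answer or from mimikatz: it creates a throwaway key that is deliberately NonExportable, shows that a PFX export is refused, then signs and verifies a detached CMS message with that key anyway. It assumes Windows 10 / Server 2016 or later (New-SelfSignedCertificate with -KeyExportPolicy) and .NET Framework 4.7.2 or later for CNG keys in SignedCms; the certificate and payload are constructed for the demonstration.

```powershell
# Added example (not from the question, the answer or mimikatz): sign with a
# non-exportable key in place instead of extracting it. Assumes Windows 10 /
# Server 2016+ PKI module and Windows PowerShell 5.1 on .NET Framework 4.7.2+.
Add-Type -AssemblyName System.Security

# 1. A throwaway RSA key that is deliberately NOT exportable (constructed test cert).
$cert = New-SelfSignedCertificate -Subject 'CN=nonexportable-demo' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy NonExportable `
    -KeyUsage DigitalSignature -Provider 'Microsoft Software Key Storage Provider'
try {
    # 2. Exporting it the normal way is refused, which is the situation the question describes.
    try {
        [void]$cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'x')
        'PFX export unexpectedly succeeded'
    } catch {
        'PFX export refused: ' + $_.Exception.GetBaseException().Message
    }

    # 3. Signing still works: the provider performs the RSA operation, the key stays inside it.
    $data    = [Text.Encoding]::UTF8.GetBytes('payload to be signed (constructed)')
    $content = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$data)
    $cms     = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $true  # detached
    $signer  = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $cert
    $signer.IncludeOption   = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
    $signer.DigestAlgorithm = New-Object System.Security.Cryptography.Oid -ArgumentList '2.16.840.1.101.3.4.2.1'  # sha256
    $cms.ComputeSignature($signer)
    $der = $cms.Encode()
    'detached CMS signature: {0} bytes' -f $der.Length

    # 4. Verify against the original payload; $true = check the signature only,
    #    skipping chain building for the self-signed demo cert.
    $check = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $true
    $check.Decode($der)
    $check.CheckSignature($true)
    'signature verifies against the original payload'

    # 5. A tampered payload must be rejected.
    $badContent = New-Object System.Security.Cryptography.Pkcs.ContentInfo `
        -ArgumentList (,[Text.Encoding]::UTF8.GetBytes('tampered payload'))
    $check2 = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $badContent, $true
    $check2.Decode($der)
    try {
        $check2.CheckSignature($true)
        'UNEXPECTED: tampered payload verified'
    } catch {
        'tampered payload rejected: ' + $_.Exception.GetBaseException().Message
    }
} finally {
    # 6. Remove the demo certificate together with its key container.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

The BouncyCastle path in the question fails because ExportParameters(true) asks the provider for the raw key; SignedCms (or CmsSignedDataGenerator fed a store-backed signer, as Gorf did) only asks it to sign a hash, which the non-exportable policy permits. Exporting is only needed when the key has to move to another machine.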
26

Gentil Kiwi's answer is correct. He developed the mimikatz tool, which is able to retrieve non-exportable private keys.

However, his instructions are outdated. You need to:

  1. Download the latest release from https://github.com/gentilkiwi/mimikatz/releases

  2. Run cmd with admin rights on the same machine where the certificate was requested

  3. Change to the mimikatz bin directory (Win32 or x64 version)

  4. Run mimikatz

  5. Follow the wiki instructions and the .pfx file (protected with the password mimikatz) will be placed in the same folder as the mimikatz binary

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
* System Store : 'local_machine' (0x00020000)
* Store : 'my'

  1. example.domain.local
         Key Container : example.domain.local
         Provider : Microsoft Software Key Storage Provider
         Type : CNG Key (0xffffffff)
         Exportable key : NO
         Key size : 2048
         Public export : OK - 'local_machine_my_0_example.domain.local.der'
         Private export : OK - 'local_machine_my_0_example.domain.local.pfx'
Zanon
  • For all store locations see https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136.aspx and in addition, please mention that the password for all exported pfx files is "mimikatz" – Bernhard Oct 13 '16 at 08:28
  • @Bernhard, I've edited to add the info about the password. Thank you. – Zanon Oct 13 '16 at 12:19
  • This should definitely be upvoted. It just saved my backside when I ordered a certificate and, when creating the request in Windows, failed to mark the key as exportable... :| – MBender Feb 28 '18 at 13:06
  • Identified as a threat and access denied by TrendMicro: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/search/hktl_mimikatz64 – Kashyap Mar 13 '18 at 21:35
  • When I run `privilege::debug` I get `ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061`. I was using mimikatz 2.2.0 (x64) in Windows 10.0.18363.1016. – U. Windl Sep 09 '20 at 07:14
24

There are code and binaries available here for a console app that can export private keys marked as non-exportable, and it won't trigger antivirus apps the way mimikatz will.

The code is based on a paper by the NCC Group. You will need to run the tool as the local system account, as it works by writing directly to memory used by Windows' lsass process in order to temporarily mark keys as exportable. This can be done using PsExec from SysInternals' PsTools:

  1. Spawn a new command prompt running as the local system user:

    PsExec64.exe -s -i cmd
    
  2. In the new command prompt, run the tool:

    exportrsa.exe
    
  3. It will loop over every Local Computer store, searching for certificates with a private key. For each one, it will prompt you for a password. This is the password you want to secure the exported PFX file with, so it can be whatever you want.


Shortcuts to needed files:

Dan Lenski
Cocowalla
  • This appears to work. It prompts me for a password for each file, then says it successfully exported to "4.pfx" -- but I can't find that file. Where does it export to? – Judah Gabriel Himango Aug 13 '19 at 16:32
  • I found it: it exported to c:\windows\syswow64 on my 64 bit machine. – Judah Gabriel Himango Aug 13 '19 at 16:33
  • By far the cleanest and easiest solution. A note about the -s option passed to PsExec: check what it does, as this will affect what certificate stores are visible to exportrsa. Not needed for the personal store. – petkov.np Aug 27 '19 at 10:13
  • This is a great solution. I'm finally able to work on my Mac, although my admins say it's not possible :D – Denis V Jun 11 '20 at 15:40
  • @denis-v is it a WiFi certificate by chance? If so, I'd love to hear how you got that to work on your Mac! – Cocowalla Jun 11 '20 at 18:35
  • @Cocowalla well, I think this certificate is also used for WiFi, but we also have a guest network and as such, I don't actually need WiFi authentication with a certificate. Just didn't try. – Denis V Jun 11 '20 at 18:39
  • Worth mentioning that the program mentioned here worked for me without PsExec64, so in some cases cmd from under an Admin account is enough. But I was exporting a certificate from the User store, not from a system one. – Yura Sep 08 '20 at 08:48
  • When I tried it in Windows 10 using an administrative user I got `Couldn't install PSEXESVC service: Permission denied` for `PsExec64.exe -s -i cmd`. – U. Windl Sep 09 '20 at 06:38
  • @u-windl did you run it in an elevated prompt, not "just" as an admin? If so, perhaps there is a GPO preventing something that PsExec needs – Cocowalla Sep 09 '20 at 09:44
  • Every cert comes up as Localhost or my username or an unrelated GUID, which does not match up with what I see in certlm. How can I identify which output cert is the one I wanted to convert? Are there command line options for this app that I'm not seeing? – Jody Sowald Jan 04 '21 at 20:05
  • @JodySowald might depend if you're looking at certificates for "My user account" or for "Computer account" - if you open `mmc`, you can choose to add the cert snapin for either. – Cocowalla Jan 04 '21 at 21:24
  • @Cocowalla so I have imported my cert to current user, which is my admin account first.last. I have opened an admin cmd and run cd to pstools, then PsExec64.exe -s -u first.last -i cmd, and then in the new cmd I cd to exportrsa's release folder and simply run exportrsa.exe. I expect that this will request that I give a password for every cert under my username. However I am asked for 8 certs, 6 of which are all referred to as localhost, one as a GUID and one with my username. I have found the latter two in mmc, but the cert I have imported does not appear. Am I misunderstanding the steps outlined? – Jody Sowald Jan 05 '21 at 19:50
  • @JodySowald it's been a while since I used this, but I just took a quick look at the code, and I can see that it will iterate over *every* "Local Computer" store, and try to export every certificate that has a private key. So, as-is, it won't work with certs in the "Current User" stores. – Cocowalla Jan 05 '21 at 20:37
  • Following the instructions above, the export isn't working for me. I get a successfully exported message but the output PFX is 0 bytes. – dxk3355 Nov 01 '21 at 14:05
  • If you know the key you want to export is from CryptoAPI (not CNG), you do not need to use PsExec and will save a little potential troubleshooting by running exportrsa.exe directly – jkmartindale Mar 01 '22 at 23:08
  • This solution works in my case for Windows Server 2019; the important thing is that the account needs to have 'Full Control' on the private key before running exportrsa.exe. Thanks a lot! – Nhon Tran Nov 07 '22 at 10:03
  • It still works under Windows Server 2022 with just an admin account. It would be cool to be able to export only what we need. – Jorge Iván Burgos Aguilar Jan 19 '23 at 16:03
18

I wanted to mention Jailbreak specifically (GitHub):

Jailbreak

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.

Prerequisites: Win32

  • Download the executable binaries for your version of Windows (e.g. jailbreak64.exe).

  • Start an elevated command prompt.

  • Run the command jailbreak64.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -64 (note: this is not quite the same as the guidance on GitHub. certlm.msc is used on Windows 2016 and 2019 to bring up the local machine certificate store).

Ian Boyd
  • Worked for me, Windows 10 Pro 1703. – RedShift Nov 07 '17 at 10:07
  • It works on 64-bit systems (like Windows 7 x64), but will not work for Local Machine store on W2k12R2. – StanTastic Apr 18 '18 at 07:23
  • The first link results in "404". – U. Windl Sep 08 '20 at 14:06
  • This answer definitely needs more work: What is the actual procedure? Trying it (both, 32 and 64 bit) in Windows 10 64-bit ([Version 10.0.18363.1016]) I only got `CreateProces failed with error code = 740`. – U. Windl Sep 09 '20 at 06:22
  • The other thing is: If I run the command without jailbreak, I can only see the user certificates of the administrative user, not the user I'm interested in. – U. Windl Sep 09 '20 at 06:28
3

Unfortunately, the tool mentioned above is blocked by several antivirus vendors. If this is the case for you then take a look at the following.

Open the non-exportable cert in the cert store and locate the Thumbprint value.

Next, open regedit to the path below and locate the registry key matching the thumbprint value.

An export of the registry key will contain the complete certificate including the private key. Once exported, copy the export to the other server and import it into the registry.

The cert will appear in the certificate manager with the private key included.

Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

In a pinch, you could save the export as a backup of the certificate.

stackprotector
Ernest Correale
  • Just checked it, and the private key is not there, just a pointer to some SID, probably a file on disk (that's encrypted). So I don't think this approach will work. – StanTastic Apr 18 '18 at 07:22
  • It's in `%APPDATA%\Microsoft\Crypto\RSA\$YOURSID` ... I intentionally used the invalid form `$YOURSID` as a placeholder, as you need to figure out your own SID. Probably easiest to do with `regedit` under `HKEY_USERS` ... on a single-user machine it would in all likelihood be the SID ending in the RID `-1000` ... there should be a corresponding `_Classes` key. You can also use `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` to figure out which SID corresponds to your username. Last but not least `psgetsid %USERDOMAIN%\%USERNAME%` from Microsoft/Sysinternals. – 0xC0000022L May 31 '21 at 19:38
  • I can confirm that it works for `LocalMachine` certificates. Be aware that the keys are stored at `HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Keys`. So it's better to export `HKLM\SOFTWARE\Microsoft\SystemCertificates\MY` and edit the text file according to your needs afterwards. – stackprotector Jun 22 '22 at 14:13
  • Worked for exporting private key from Windows 2012 to Windows 2019! – bgStack15 Oct 25 '22 at 17:02
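The comments disagree about what the exported registry value actually carries, and that is something worth checking before relying on a .reg file as a key backup. The PowerShell below is an added example written for this page, not code from the answer: it reads the Blob value the answer points at and walks its property records. The record layout (DWORD property id, DWORD reserved, DWORD length, data; property 32 = the DER certificate, property 2 = CRYPT_KEY_PROV_INFO with the container and provider names) is my reading of the serialized-certificate format that .NET also writes for X509ContentType.SerializedCert, not something the answer states. The script only reads the registry and changes nothing.

```powershell
# Added example (not from the answer or its comments): inspect the registry
# Blob of one certificate entry and report whether it holds key material or
# only a reference to a key container. Assumes Windows PowerShell 5.1.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
)
$hive    = if ($Location -eq 'LocalMachine') { 'HKLM:' } else { 'HKCU:' }
$myStore = "$hive\SOFTWARE\Microsoft\SystemCertificates\MY"
$entry   = "$myStore\Certificates\$(($Thumbprint.ToUpper()) -replace '[^0-9A-F]', '')"
$blob    = [byte[]](Get-ItemProperty -Path $entry -Name Blob).Blob

# Property ids from wincrypt.h that show up in these blobs (assumed layout, see lead-in).
$propNames = @{ 2 = 'KEY_PROV_INFO'; 3 = 'SHA1_HASH'; 11 = 'FRIENDLY_NAME'; 20 = 'KEY_IDENTIFIER'; 32 = 'CERT' }
$certDer = $null; $provInfo = $null; $pos = 0
while ($pos + 12 -le $blob.Length) {
    $propId = [int][BitConverter]::ToUInt32($blob, $pos)        # DWORD property id
    $len    = [int][BitConverter]::ToUInt32($blob, $pos + 8)    # DWORD data length (offset 4 is reserved)
    if ($pos + 12 + $len -gt $blob.Length) { Write-Warning "truncated record at offset $pos"; break }
    $data = New-Object byte[] $len
    [Array]::Copy($blob, $pos + 12, $data, 0, $len)
    $label = if ($propNames.ContainsKey($propId)) { $propNames[$propId] } else { "prop $propId" }
    '{0,-16} {1,6} bytes' -f $label, $len
    if ($propId -eq 32) { $certDer = $data } elseif ($propId -eq 2) { $provInfo = $data }
    $pos += 12 + $len
}

if ($certDer) {
    # The DER certificate alone: public material, so HasPrivateKey is false.
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certDer)
    'certificate: {0}  HasPrivateKey={1}' -f $x.Subject, $x.HasPrivateKey
}
if ($provInfo) {
    # Pull the wide strings out of CRYPT_KEY_PROV_INFO: the container name and
    # the provider name. That is a reference to the key, not the key itself.
    $strings = [Text.Encoding]::Unicode.GetString($provInfo) -split "`0" |
        Where-Object { $_.Length -ge 3 -and $_ -match '^[\x20-\x7e]+$' }
    'key provider info refers to: {0}' -f ($strings -join ' | ')
}
# The key bits themselves live in the provider's DPAPI-protected key file, not
# in this value. A 'Keys' subkey under the store (mentioned in a comment above)
# is listed here without interpreting its contents.
$keysPath = "$myStore\Keys"
if (Test-Path $keysPath) {
    'Keys subkey present: {0} entries' -f @(Get-ChildItem $keysPath).Count
} else {
    'no Keys subkey under {0}' -f $myStore
}
```

If the output shows a CERT record plus a KEY_PROV_INFO record naming a container, the .reg export reproduces the certificate and a pointer to a key container on the target machine; whether the target can use it depends on that container (or whatever the Keys subkey holds) being present there as well.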
1

You might need to uninstall antivirus (in my case I had to get rid of Avast).

This makes sure that the crypto::cng command will work. Otherwise it was giving me errors:

mimikatz $ crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; OpenProcess (0x00000005)

After removing Avast:

mimikatz $ crypto::cng
"KeyIso" service patched

Magic. (:

BTW

Windows Defender is another program that blocks the program from working, so you will also need to disable it, at least for the time you are using the program.

Daniel Kmak
0

If it's issued by DigiCert, you can use the DigiCert Certificate Utility for Windows. Do the 'Repair' on the server it was created on. Then you can export it to e.g. c:\temp as .pfx. This worked for me with a real SSL cert.

MTMDev