
Problem

Like many others, I am trying to export the private key associated with my .cer file to convert to .pfx. There are a number of hacked solutions e.g. How to export private key from Windows Certificate Manager?, http://terenceluk.blogspot.com/2020/10/export-certificate-that-does-not-allow.html

but I wanted to focus particularly on https://www.yuenx.com/2022/certificate-security-export-cert-with-non-exportable-private-key-marked-as-not-exportable-windows-pki/ since it does not appear to require any 3rd party tools. Following the instructions there,

Attempts

I am able to export what seems to be my private key. So, I attempted to create a .key file from the private key information in the generated xml-formatted .reg file (by copying the data in the <BA> tag into the .key file as such):

-----BEGIN RSA PRIVATE KEY-----
<BA> tag content
-----END RSA PRIVATE KEY-----

and then create the pfx file using openssl, where test.cer is the certificate exported from the Windows Certificate Store:

openssl pkcs12 -export -out test.pfx -inkey test.key -in test.cer

However, I get the following error:

openssl pkcs12 -export -out test.pfx -inkey test.key -in test.cer
unable to load private key
10208:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1149:
10208:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:crypto\asn1\tasn_dec.c:713:
10208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:646:Field=version, Type=RSAPrivateKey
10208:error:04093004:rsa routines:old_rsa_priv_decode:RSA lib:crypto\rsa\rsa_ameth.c:142:
10208:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1149:
10208:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:crypto\asn1\tasn_dec.c:713:
10208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:646:Field=version, Type=PKCS8_PRIV_KEY_INFO
10208:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto\pem\pem_pkey.c:88:

There are two explanations for this error and I don't know how to diagnose either:

  1. I am not providing the right encryption tag in the header/footer of the .key file
  2. The <BA> tag content is not actually the private key.

If the problem is 1), what would be the correct header/footer?

If the problem is 2), what is that content? Is it the public key for the .cer file?

Sterling Butters
    There's no private key there, just the identifier of where the private key lives on disk. Since MMC sees the identifier it'll show the "you have a private key" icon, but I don't believe those instructions actually work. Even if they somehow do, you're still looking at a private Windows format, not a standardized file format, so you can't just copy/paste it with a PEM header and have a private key. – bartonjs Aug 08 '23 at 19:36
  • @bartonjs so sounds like problem 2). Any workarounds you know of that don't involve 3rd party software? – Sterling Butters Aug 08 '23 at 19:39
  • Nope. After all, the Windows certificates and keys team wants the feature to work as advertised. Anything that can bypass it wouldn't be built into the OS itself and is considered (by them) to be a "nefarious hacking tool". :) – bartonjs Aug 08 '23 at 19:42
  • @bartonjs booo. downvote for windows lol – Sterling Butters Aug 08 '23 at 19:48
  • @bartonjs It *could* be a private key, from the description of the process at the OP's link, but in a different format from one that would work in a PEM file. It wouldn't surprise me if the bytes were backwards, too. – Andrew Henle Aug 08 '23 at 23:24
  • My understanding is that public keys are stored in the registry, but private keys in the file system. Instructions on how to find the private key file: https://www.pkisolutions.com/the-case-of-accidentally-deleted-user-certificates/ Certutil command shows filename as "Unique container name". On my PC, private key for a self-signed cert was found in C:\ProgramData\Microsoft\Crypto\Keys\ However, you'll need to figure out how to convert it to format understandable by openssl – MikeSh Aug 09 '23 at 13:48
  • @MikeSh I was actually looking into that and tried operating openssl on those files directly but as you pointed out, openssl errors out on the format. Guess I'll open up a new post asking about this. Thanks! – Sterling Butters Aug 09 '23 at 16:02
  • @MikeSh Looks like they are separately encrypted (see comments): https://superuser.com/questions/1061638/where-are-certificate-private-keys-stored-in-windows-7 – Sterling Butters Aug 09 '23 at 16:09
  • @AndrewHenle I believe the registry value is in the format .NET calls "SerializedCert", which includes the full certificate and any attached properties from a Windows Cert Store. One such property is the 3-part identifier of how to load the private key, which is why the "you have a private key" icon is present after copying it to a different computer. – bartonjs Aug 09 '23 at 17:46
  • Private key files are definitely encrypted. Most probably using the native Data Protection Application Programming Interface (DPAPI). That means if you have admin access to the server, then you can start a process as the cert owner ("SYSTEM" in your case) and then theoretically you can decrypt private keys. The problem is to figure out the correct combination of cryptographic API function calls. It is definitely not an easy task... – MikeSh Aug 13 '23 at 23:53
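Added example for this thread (not code from the question, the linked posts, or any commenter): a Python script that takes exactly what was pasted between the PEM markers and answers the question's two-way diagnosis. It first checks whether the bytes are a DER RSAPrivateKey or PKCS#8 structure, which is what openssl's two failed parses ("Field=version, Type=RSAPrivateKey" and "Type=PKCS8_PRIV_KEY_INFO") were looking for; if not, it tries to walk the blob as the Windows serialized-certificate property list that bartonjs describes, and reports the certificate length and the key-container names it finds instead of key material. Assumptions: the registry value is a sequence of little-endian (propid, reserved, length, data) records as the certificate store writes them; the pasted text is base64 or .reg-style "hex:aa,bb,..."; the sample blob, container name, provider name and toy key values are all constructed here for illustration and the key-provider record is only scanned for UTF-16 strings rather than decoded field by field.

```python
"""Say what the bytes pasted into the .key file really are. Added example;
assumes Windows' serialized-certificate layout: repeated records of
(DWORD propid, DWORD reserved, DWORD cb, BYTE[cb]), little-endian."""
import base64
import re
import struct

# Property IDs from wincrypt.h that show up in a serialized certificate.
CERT_KEY_PROV_INFO_PROP_ID = 2   # CRYPT_KEY_PROV_INFO: where the key lives
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32           # the X.509 certificate itself, DER encoded


def der_tlv(buf, pos=0):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def key_der_kind(data):
    """'RSAPrivateKey', 'PKCS8' or None: the two parses openssl attempted.
    Both begin SEQUENCE { INTEGER version, ... }."""
    try:
        tag, start, end = der_tlv(data)
        if tag != 0x30 or end != len(data):
            return None
        tag, _, ver_end = der_tlv(data, start)
        if tag != 0x02:                 # the 'Field=version' check that failed
            return None
        tag, _, _ = der_tlv(data, ver_end)
    except ValueError:
        return None
    if tag == 0x02:
        return "RSAPrivateKey"          # version, modulus, publicExponent, ...
    if tag == 0x30:
        return "PKCS8"                  # version, AlgorithmIdentifier, ...
    return None


def parse_serialized_cert(blob):
    """Split a serialized-certificate blob into {propid: bytes}."""
    props, pos = {}, 0
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated property header")
        propid, _reserved, cb = struct.unpack_from("<III", blob, pos)
        pos += 12
        if pos + cb > len(blob):
            raise ValueError("truncated property body")
        props[propid] = blob[pos:pos + cb]
        pos += cb
    if not props:
        raise ValueError("empty blob")
    return props


def utf16_strings(data, min_len=4):
    """Heuristic: printable UTF-16LE runs such as the container and provider
    names inside CRYPT_KEY_PROV_INFO (pointer layout varies by architecture)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, data)]


def diagnose(text):
    """text: PEM-wrapped base64 or .reg-style 'hex:aa,bb,...' as pasted."""
    body = re.sub(r"-----[^-]*-----", "", text)
    cleaned = "".join(body.split()).replace("\\", "")
    if cleaned.lower().startswith("hex:"):
        cleaned = cleaned[4:]
    raw = (bytes.fromhex(cleaned.replace(",", "")) if "," in cleaned
           else base64.b64decode(cleaned, validate=True))
    kind = key_der_kind(raw)
    if kind:
        return {"kind": kind, "loadable": True}
    try:
        props = parse_serialized_cert(raw)
    except ValueError:
        return {"kind": "unknown", "loadable": False,
                "first_byte": raw[0] if raw else None}
    cert = props.get(CERT_CERT_PROP_ID, b"")
    return {"kind": "WindowsSerializedCert",
            "loadable": False,          # no key material, only a pointer to it
            "properties": sorted(props),
            "certificate_der_len": len(cert) if cert[:1] == b"\x30" else 0,
            "key_location": utf16_strings(props.get(CERT_KEY_PROV_INFO_PROP_ID, b""))}


# ---- constructed sample data: toy numbers, not a real key or certificate ----
def der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(b)]) + b


def der_seq(*parts):                    # short-form length only (< 128 bytes)
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body


def prop(propid, data):
    return struct.pack("<III", propid, 1, len(data)) + data


TOY_RSA_DER = der_seq(der_int(0), der_int(3233), der_int(17), der_int(2753),
                      der_int(61), der_int(53), der_int(53), der_int(49), der_int(38))
TOY_PKCS8_DER = der_seq(der_int(0),
                        der_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x05\x00"),
                        bytes([0x04, len(TOY_RSA_DER)]) + TOY_RSA_DER)
FAKE_CERT_DER = der_seq(der_seq(der_int(2)), b"\x05\x00")   # stand-in certificate
KEY_PROV_INFO = (struct.pack("<IIII", 0x20, 0x3c, 0, 0)      # made-up header words
                 + "te-MyCert-1234".encode("utf-16-le") + b"\x00\x00"
                 + "Microsoft Software Key Storage Provider".encode("utf-16-le") + b"\x00\x00")
SAMPLE_BLOB = (prop(CERT_KEY_PROV_INFO_PROP_ID, KEY_PROV_INFO)
               + prop(CERT_SHA1_HASH_PROP_ID, b"\xaa" * 20)
               + prop(CERT_CERT_PROP_ID, FAKE_CERT_DER))


def pem(der, label="RSA PRIVATE KEY"):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


if __name__ == "__main__":
    print(diagnose(pem(SAMPLE_BLOB)))   # what the question's .key file held
    print(diagnose(pem(TOY_RSA_DER)))   # what openssl would have accepted
```

Run it against the real paste by calling diagnose() on the contents of test.key. A result of "WindowsSerializedCert" with a non-empty key_location is explanation 2 from the question: the blob carries the certificate plus the name of the key container, so no PEM header will turn it into a key.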

0 Answers