Exporting the not exportable – on the topic of Windows crypto key storage

It’s no surprise that if you store your private keys on your hard drive and not in a smart card, TPM or HSM, you can extract them.

I recently set up a Windows 2012 R2 server for some testing of open source client software and needed to be able to look into the TLS traffic going between my client and the server. So I need the private key.

Thankfully Gentil Kiwi has written this nice tool called Mimikatz, which can extract keys that have been marked as not exportable by Windows. I have to admit though that it took me much longer than expected to get the key, mostly because I had to figure out how to use the tool properly. Good thing that the tool is open source, so in the end I just read the source code and figured out the right incantation. In case someone else needs to use the tool to extract a key from CERT_SYSTEM_STORE_LOCAL_MACHINE, here are the commands to be used in Mimikatz:

crypto::capi
crypto::certificates /systemstore=CERT_SYSTEM_STORE_LOCAL_MACHINE /export

You should then be presented with a pfx and a der file (in the directory from which you ran Mimikatz) for each of the certificates in this store.

If you want to have this as a nicely usable pem file containing both the public and the private part:

openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_My_X_FOO_Bar.pfx -out keyStore.pem -nodes

If you need it for Wireshark, add the -nocerts parameter.

openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_My_X_FOO_Bar.pfx -out keyStore.pem -nodes -nocerts

The password for the pfx files is mimikatz.
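The two openssl conversions above, wrapped into one script as an added example (not part of the original post): it writes the combined pem file, the key-only pem file that Wireshark wants, and then checks that the private key really belongs to the certificate, because a mismatched pair fails silently later when decrypting TLS. The default password is the "mimikatz" from the export; the output file names, the helper names and the verification step are this example's own assumptions. One caveat the script handles: PFX files written by the Windows CryptoAPI export typically protect the certificate bag with RC2-40, which OpenSSL 3 only reads with the legacy provider enabled, so the script retries with -legacy when the plain call fails.

```shell
#!/bin/sh
# Convert a Mimikatz-exported PFX into PEM files and verify the key matches the cert.
# Assumes the openssl CLI (1.1 or 3.x). Example code, not the post's own script.

# pkcs12_extract PFX PASSWORD OUTFILE [extra openssl pkcs12 options...]
# First tries a plain extraction; on failure retries with -legacy, which OpenSSL 3
# needs for the RC2-40 / 3DES PBE algorithms used by the Windows PFX export.
pkcs12_extract() {
    pfx=$1; pass=$2; out=$3; shift 3
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -out "$out" "$@" 2>/dev/null ||
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -out "$out" -legacy "$@"
}

# pfx_to_pem PFX OUTDIR [PASSWORD]
# Writes OUTDIR/keyStore.pem (cert + key), OUTDIR/key-only.pem (key only, for Wireshark)
# and OUTDIR/cert-only.pem. Returns 0 only if the key and certificate belong together.
pfx_to_pem() {
    pfx=$1; outdir=$2; pass=${3:-mimikatz}   # "mimikatz" is the password the export sets
    mkdir -p "$outdir" || return 1

    pkcs12_extract "$pfx" "$pass" "$outdir/keyStore.pem" || return 1
    pkcs12_extract "$pfx" "$pass" "$outdir/key-only.pem" -nocerts || return 1
    pkcs12_extract "$pfx" "$pass" "$outdir/cert-only.pem" -nokeys -clcerts || return 1

    # Compare the SubjectPublicKeyInfo carried in the certificate with the public key
    # derived from the private key; identical PEM text means the pair is consistent.
    cert_pub=$(openssl x509 -in "$outdir/cert-only.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$outdir/key-only.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: pfx_to_pem CERT_SYSTEM_STORE_LOCAL_MACHINE_My_X_FOO_Bar.pfx ./out
```

Point Wireshark at OUTDIR/key-only.pem; the combined keyStore.pem is the one to hand to tools that want the certificate chain alongside the key.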
