How to export non-exportable private key from store

Question

I need to export private key from Windows store. What should I do if the key is marked as non-exportable? I know that it is possible, program jailbreak can export this key.

To export key I use Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair() that exports key from (RSACryptoServiceProvider)cryptoProv.ExportParameters(true). Exported key I use in Org.BouncyCastle.Cms.CmsSignedDataGenerator for CMS signature.

I need solution for .Net, but any solution will be useful. Thank you.

User · Accepted Answer

You re right  no API at all that I m aware to export PrivateKey marked as non-exportable  But if you patch  in memory  normal APIs  you can use the normal way to export    There is a new version of mimikatz that also support CNG Export  Windows Vista   7   2008       download  and launch with administrative privileges    http   blog gentilkiwi com mimikatz  trunk version or last version   Run it and enter the following commands in its prompt   privilege  debug  unless you already have it or target only CryptoApi  crypto  patchcng  nt 6  and or crypto  patchcapi  nt 5  amp  6  crypto  exportCertificates and or crypto  exportCertificates CERT SYSTEM STORE LOCAL MACHINE  The exported  pfx files are password protected with the password  quot mimikatz quot

User · Answer

You might need to uninstall antivirus  in my case I had to get rid of Avast    This makes sure that crypto  cng command will work  Otherwise it was giving me errors   mimikatz   crypto  cng ERROR kull m patch genericProcessOrServiceFromBuild   OpenProcess  0x00000005    After removing Avast   mimikatz   crypto  cng  KeyIso  service patched   Magic      BTW  Windows Defender is another program blocking the program to work  so you will need also to disable it for the time of using program at least

User · Answer

Unfortunately  the tool mentioned above is blocked by several antivirus vendors   If this is the case for you then take a look at the following   Open the non-exportable cert in the cert store and locate the Thumbprint value     Next  open regedit to the path below and locate the registry key matching the thumbprint value     An export of the registry key will contain the complete certificate including the private key   Once exported  copy the export to the other server and import it into the registry     The cert will appear in the certificate manager with the private key included   Machine Store  HKLM SOFTWARE Microsoft SystemCertificates MY Certificates User Store  HKCU SOFTWARE Microsoft SystemCertificates MY Certificates  In a pinch  you could save the export as a backup of the certificate

User · Answer

i wanted to mention Jailbreak specifically  GitHub       Jailbreak      Jailbreak is a tool for exporting certificates marked as   non-exportable from the Windows certificate store  This can help when   you need to extract certificates for backup or testing  You must have   full access to the private key on the filesystem in order for   jailbreak to work       Prerequisites  Win32

User · Answer

Gentil Kiwi s answer is correct  He developed this mimikatz tool that is able to retrieve non-exportable private keys   However  his instructions are outdated  You need    Download the lastest release from https   github com gentilkiwi mimikatz releases Run the cmd with admin rights in the same machine where the certificate was requested Change to the mimikatz bin directory  Win32 or x64 version  Run mimikatz Follow the wiki instructions and the  pfx file  protected with password mimikatz  will be placed in the same folder of the mimikatz bin      mimikatz   crypto  capi   Local CryptoAPI patched        mimikatz   privilege  debug   Privilege  20  OK        mimikatz   crypto  cng    KeyIso  service patched        mimikatz   crypto  certificates  systemstore local machine  store my    export      System Store     local machine   0x00020000       Store            my          example domain local    nbsp  nbsp  nbsp  nbsp  nbsp Key Container    example domain local    nbsp  nbsp  nbsp  nbsp  nbsp Provider         Microsoft Software Key Storage Provider    nbsp  nbsp  nbsp  nbsp  nbsp Type             CNG Key  0xffffffff     nbsp  nbsp  nbsp  nbsp  nbsp Exportable key   NO    nbsp  nbsp  nbsp  nbsp  nbsp Key size         2048    nbsp  nbsp  nbsp  nbsp  nbsp Public export    OK -  local machine my 0 example domain local der     nbsp  nbsp  nbsp  nbsp  nbsp Private export   OK -  local machine my 0 example domain local pfx

User · Answer

This worked for me on Windows Server 2012 - I needed to export a non-exportable certificate to setup another ADFS server and this did the trick. Remember to use the jailbreak instructions above i.e.:

crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

User · Answer

There is code and binaries available here for a console app that can export private keys marked as non-exportable, and it won't trigger antivirus apps like mimikatz will.

The code is based on a paper by the NCC Group. will need to run the tool with the local system account, as it works by writing directly to memory used by Windows' lsass process, in order to temporarily mark keys as exportable. This can be done using PsExec from SysInternals' PsTools:

Spawn a new command prompt running as the local system user:

PsExec64.exe -s -i cmd

In the new command prompt, run the tool:

exportrsa.exe

It will loop over every Local Computer store, searching for certificates with a private key. For each one, it will prompt you for a password - this is the password you want to secure the exported PFX file with, so can be whatever you want

[.net] How to export non-exportable private key from store

The answer is

BTW

Jailbreak

Examples related to .net

Examples related to encryption

Examples related to bouncycastle

Examples related to rsacryptoserviceprovider

Tags