Categories
Microsoft CA PKI

How to export “non-exportable” certificates from the Microsoft Certificate Store

Recently I found a tool that allows you to search for and export certificates from the Microsoft certificate store that are marked as non-exportable. Although this program can be considered a hacking tool and might stop working once Microsoft releases a patch for it, it is still a very powerful tool.

The program that allows you to do this is called mimikatz and is available for download using the link below:

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z

Apart from exporting certificates, this tool can do a lot more interesting things, such as dumping Windows logon passwords in clear text, injecting programs or services and editing GPO settings. Some of these functions will be discussed in other articles, but for now, let's export some certificates. To do so, follow the steps below:

  • Check you have a certificate in your personal user or computer store that is marked as not exportable:

check nonexportable

  • Download and unpack the mimikatz tool using the link mentioned earlier
  • Open a command prompt, browse to the directory where you have unpacked mimikatz and start the 32-bit or 64-bit version
  • Run the following command to list the certificates in your certificate stores:

Crypto::exportCertificates

crypto-export-KO

  • Check that the certificate you have identified in step 1 is listed and that the .pfx output shows KO. This is to verify that the certificate is indeed not exportable (yet).
  • To change the .pfx status you must apply the privilege::debug command and run the CAPI and CNG patches. You do this by executing the following commands:

Privilege::debug

Crypto::patchcng

Crypto::patchcapi

Raise privileges patch capi

Cappatch

  • Now run the Crypto::exportCertificates command again and check that the .pfx status shown earlier has changed to OK.

crypto-export-OK

  • Finally you only need to browse to the directory where you are running the mimikatz tool from and check it has exported a .pfx file with the name of the certificate you have identified during step 1.

listed

  • Now you are able to copy the .pfx file to another machine and install it. Note that the exported .pfx files are protected with the password mimikatz.

Import pfx

Categories
OpenSSL

Create a PFX file containing the intermediate CA certificate using OpenSSL on Windows

Most private and public CAs sign certificate requests with an Intermediate Certificate Authority.

See example below of a certificate signed by Thawte:

cert signed by intermediate

Sometimes you will have to add such a signed certificate to a server or appliance on which you are unable to import the Intermediate Certificate Authority certificate.

In such a case I like to use OpenSSL to create a custom .pfx file that contains the Intermediate CA’s public certificate. OpenSSL is an open source application and is also available for the Windows platform.

To get your own copy browse to the following link and download the Win32 OpenSSL v0.9.8y Light or Win64 OpenSSL v1.0.0k Light depending on your Windows version.

Once you have installed OpenSSL you are able to create a custom .pfx file using one of following procedures:

  • If you have access to the private key “.key” and the public certificate “.cer”, follow procedure 1
  • If you have access to the original .pfx file, follow procedure 2

Procedure 1

  • Download the intermediate CA’s public certificate

  – Open your signed .cer file
  – Select the Intermediate CA certificate
  – Click “View Certificate”
  – Click on “Details” and select “Copy to file”
  – Select Base-64 encoded X.509
  – Save the .cer file

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory
  • Start OpenSSL
  • Create a custom .pfx file including the intermediate CA’s public certificate

custom pfx

pkcs12 -export -out webmail-xxxxxx-nl.pfx -inkey webmail-xxxxxx-nl.key -in webmail-xxxxxx-nl.cer -certfile ThawteDVSSLCA.cer

  – Provide the current .key password and a new one for the .pfx file (these can be the same)

  • Import the created .pfx file on your server/appliance

Procedure 2

If you have access to the original .pfx file you will first need to export the .key file. In order to do so you must have access to the .pfx password*. *If you don’t, check out my article on non-exportable certificates ;-).

  • Download the intermediate CA’s public certificate

  – Open your signed .cer file
  – Select the Intermediate CA certificate
  – Click “View Certificate”
  – Click on “Details” and select “Copy to file”
  – Select Base-64 encoded X.509
  – Save the .cer file

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory
  • Start OpenSSL
  • Export the .key file from the original .pfx file

export.key

pkcs12 -in webmail-xxxxxxx.pfx -nocerts -out webmail-xxxxxxx-nl.key

  – Provide the current .pfx password and a new one for the .key file (these can be the same)

  • Create a custom .pfx file including the intermediate CA’s public certificate

custom pfx

pkcs12 -export -out webmail-xxxxxx-nl.pfx -inkey webmail-xxxxxx-nl.key -in webmail-xxxxxx-nl.cer -certfile ThawteDVSSLCA.cer

  – Provide the current password of the .key file and a new one for the .pfx file (these can be the same)

  • Import the created .pfx file on your server/appliance
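The two procedures above as one script. This is an added example, not the post's own commands: it creates a throw-away intermediate CA and a certificate issued by it (standing in for the Thawte-signed .cer), bundles key, certificate and intermediate into a .pfx with -certfile (procedure 1), and extracts the key again with -nocerts (procedure 2). The hostname webmail.example.nl, the CA name and the password ChangeMe are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throw-away
# intermediate CA plus a leaf certificate it issues (standing in for the
# Thawte-signed .cer), bundles key + leaf + intermediate into one .pfx
# (procedure 1) and pulls the key back out (procedure 2). Names constructed.
set -eu

# Self-signed "intermediate" with an explicit CA:TRUE constraint, so the
# result does not depend on whatever the system openssl.cnf contains.
make_intermediate_ca() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=Example Intermediate CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.cnf"
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/intermediate.key" -out "$1/intermediate.cer" 2>/dev/null
}

# Leaf key + CSR, then sign the CSR with the intermediate
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=webmail.example.nl" \
    -keyout "$1/webmail.key" -out "$1/webmail.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1/webmail.csr" -CA "$1/intermediate.cer" \
    -CAkey "$1/intermediate.key" -CAcreateserial -out "$1/webmail.cer" 2>/dev/null
}

# Procedure 1: key, leaf cert and intermediate cert into one password-protected .pfx
bundle_pfx() {
  openssl pkcs12 -export -out "$1/webmail.pfx" -inkey "$1/webmail.key" \
    -in "$1/webmail.cer" -certfile "$1/intermediate.cer" -passout "pass:$2"
}

# Number of certificates inside a .pfx; 2 means the intermediate made it in
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Procedure 2: extract the private key from a .pfx (-nodes leaves it unencrypted)
extract_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3" 2>/dev/null
}

work=$(mktemp -d)
make_intermediate_ca "$work"
make_leaf "$work"
bundle_pfx "$work" ChangeMe
echo "certificates inside webmail.pfx: $(pfx_cert_count "$work/webmail.pfx" ChangeMe)"
```

The pfx_cert_count check is the one worth keeping: if it prints 1 the -certfile was dropped and the appliance will still serve an incomplete chain. OpenSSL 3.x encrypts the bundle with AES and PBKDF2 by default; add -legacy to the export if an old Windows release refuses to import it.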
Categories
OpenSSL

Create self-signed certificates using OpenSSL on Windows

Sometimes you need to create an SSL certificate when there is no CA available.

In those cases I like to use OpenSSL. OpenSSL is an open source application and is also available for the Windows platform.

To get your own copy browse to the following link and download the Win32 OpenSSL v0.9.8y Light or Win64 OpenSSL v1.0.0k Light depending on your Windows version.

Once you have installed OpenSSL, you can create a self-signed certificate by following the steps below:

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory

OpenSSL Browse to directory

  • Start OpenSSL

Start-up OpenSSL

  • Create a certificate request and your own private key

req -out rootsecurity.csr -new -newkey rsa:2048 -nodes -keyout rootsecurity.key

Create .csr & .key

  • Provide your country code
  • Provide your province or state name
  • Provide your city name
  • Provide your company name
  • Provide an OU name
  • Provide the Common Name! This is the name you want the certificate to use!
  • Optionally provide an email address
  • Optionally provide a challenge password
  • Optionally provide an optional company name

Create .csr & .key - 2

  • Press Enter
  • Check you have both a .csr and .key file within the OpenSSL\bin directory

Check .csr & .key

  • Sign your .csr file using your private key (in this example the certificate will expire in 365 days)

x509 -req -days 365 -in rootsecurity.csr -signkey rootsecurity.key -out rootsecurity.cer

Sign request

  • Check you have a .cer file within the OpenSSL\bin directory and that it was created with the expected common name and expiration date

  • Create a PFX file by combining the .cer and .key files.

pkcs12 -export -out rootsecurity.pfx -inkey rootsecurity.key -in rootsecurity.cer

Create .pfx file

  • Provide an export password
  • Check you have a .pfx file within the OpenSSL\bin directory

Check .pfx
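The steps above as a script, an added example rather than the post's own commands, with one addition: the certificate gets a subjectAltName at signing time, because current browsers ignore the Common Name and only match names listed in the SAN. The hostname rootsecurity.example.nl and the export password ChangeMe are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Scripts the CSR -> .cer
# -> .pfx sequence above and adds a subjectAltName at signing time,
# because current browsers ignore the CN and only accept names listed
# in the SAN. The hostname and export password are constructed.
set -eu

# Steps 1-2 of the post: private key and certificate request (-nodes = unencrypted key)
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=NL/O=Example/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Step 3: self-sign the request for $3 days, with the extensions a TLS server cert needs
self_sign() {
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$2" > "$1/$2.ext"
  openssl x509 -req -days "$3" -in "$1/$2.csr" -signkey "$1/$2.key" \
    -extfile "$1/$2.ext" -out "$1/$2.cer" 2>/dev/null
}

# Step 4: combine .cer and .key into a .pfx protected by an export password
make_pfx() {
  openssl pkcs12 -export -out "$1/$2.pfx" -inkey "$1/$2.key" -in "$1/$2.cer" -passout "pass:$3"
}

# Check: is the host named in the certificate's SAN (not just in the CN)?
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Check: is the certificate still valid $2 days from now? (exit 0 = yes)
cert_valid_in_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

work=$(mktemp -d)
make_request "$work" rootsecurity.example.nl
self_sign "$work" rootsecurity.example.nl 365
make_pfx "$work" rootsecurity.example.nl ChangeMe
openssl x509 -in "$work/rootsecurity.example.nl.cer" -noout -subject -enddate
```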