The Certificate that wouldn’t move

I have been working a lot with SSL certificates lately. The other day I had to move a certificate from Windows to Linux server, the certificate is for both www and without. It´s a simple task to export the certificate from Windows server 2012R2 and then convert the certificate so it works on Apache. Except that the CSR was done without the “Export private key” checkbox. Bummer

I thought that there must be a way to change that, after all I am Domain Administrator. Nope, there is no easy way to go around this. After a long time of googling I come over something that a thought was worth sharing.

I found a great tool! Mimikatz

http://blog.gentilkiwi.com/mimikatz

This tool can read out the key via Windows API, and a lot more!

Together with the instructions from this blog

http://blog.ruecker.fi/2014/03/12/exporting-the-not-exportable/

Download the binaries at extract the files. Start a command shell as administrator and run the 64bit version of mimikatz.exe

In the prompt just past in the following lines:

crypto::capi
crypto::certificates /systemstore=CERT_SYSTEM_STORE_LOCAL_MACHINE /export

This will export all certs on the server. The password for the exported certificates is: mimikatz

This tool can do a lot more terrifying things, for example find passwords in clear text

privilege::debug
sekurlsa::logonpasswords

Leave a Reply

Your email address will not be published.