Export certificates marked as not exportable in the Windows certificate manager

So, you need the private key for a certificate on Windows, for some innocent snooping around with Wireshark, but someone marked it as not exportable. Now what?

Cue Gentil Kiwi and his tool Mimikatz.

For future reference for myself, I’ve archived a copy of the source here, and the binaries here.

The following commands, typed at the mimikatz console (run it elevated; the private keys of the local-machine store are not readable otherwise), first patch CryptoAPI inside the mimikatz process so the "not exportable" flag is ignored, then dump every certificate in the local-machine store, private key included, as .der and .pfx files in the current directory. The mimikatz wiki documents the store argument with a colon, so that form is used here:

crypto::capi
crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /export

crypto::capi only covers keys held by the legacy CryptoAPI providers. If the key was stored through CNG (the key isolation service), run privilege::debug followed by crypto::cng before the export instead. Without /systemstore, mimikatz uses the current-user store.

The password for the pfx files is “mimikatz” (no quotes).

To convert a pfx to a pem file containing both the certificate and the private key in the clear (-nodes), you can do something like this (openssl prompts for the import password; -passin pass:mimikatz supplies it non-interactively):

openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_nicecert.pfx -out cert.pem -nodes -passin pass:mimikatz

If it’s for use in Wireshark’s RSA key list, you only want the private key, so also add -nocerts (and give the file a name that says so):

openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_nicecert.pfx -out key.pem -nodes -nocerts -passin pass:mimikatz

If OpenSSL 3 refuses the file with an unsupported-algorithm error, the PFX was written with the old RC2/3DES password-based encryption that older Windows versions use; add -legacy to load the legacy provider. Keep in mind that Wireshark can only decrypt with this key when the TLS session used plain RSA key exchange; (EC)DHE sessions need a key log, not the server key.
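As an added example (not from the original post, and not part of mimikatz), here is the conversion step as a small script that also checks that the extracted key really belongs to the extracted certificate, which is worth doing when a store holds several similarly named certificates. It assumes openssl is on PATH and the PFX password is "mimikatz". Because the script has to run offline, it first constructs a throwaway self-signed certificate and packs it into a PFX with that password as a stand-in for the real mimikatz export; point pfx_to_pem at the real CERT_SYSTEM_STORE_LOCAL_MACHINE_nicecert.pfx instead.

```shell
#!/bin/sh
# Added example: PFX (mimikatz export, password "mimikatz") -> key.pem + cert.pem,
# then verify the RSA modulus of the key matches the certificate.
set -eu

make_sample_pfx() {
  # CONSTRUCTED stand-in for a mimikatz export; not a real Windows certificate.
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=nicecert" \
    -keyout "$dir/orig_key.pem" -out "$dir/orig_cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/orig_cert.pem" -inkey "$dir/orig_key.pem" \
    -out "$dir/nicecert.pfx" -passout pass:mimikatz
}

pfx_to_pem() {
  # $1 = pfx path, $2 = output dir.
  # key.pem: private key only, unencrypted (-nodes -nocerts), what Wireshark wants.
  # cert.pem: the end-entity certificate only (-nokeys -clcerts).
  pfx=$1; out=$2
  openssl pkcs12 -in "$pfx" -passin pass:mimikatz -nodes -nocerts -out "$out/key.pem"
  openssl pkcs12 -in "$pfx" -passin pass:mimikatz -nokeys -clcerts -out "$out/cert.pem"
}

key_matches_cert() {
  # $1 = key PEM, $2 = cert PEM. Prints "match" or "mismatch"; exit status 0/1.
  kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)
  cmod=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
  if [ "$kmod" = "$cmod" ]; then
    echo match
    return 0
  else
    echo mismatch
    return 1
  fi
}

work=$(mktemp -d)
make_sample_pfx "$work"
pfx_to_pem "$work/nicecert.pfx" "$work"
key_matches_cert "$work/key.pem" "$work/cert.pem"
```

The modulus comparison is the quickest sanity check that the key file you are about to load into Wireshark is the one the server actually presents; a key that does not match will silently decrypt nothing.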
