Exporting unexportable certificates

You sometimes run into cases where a certificate was imported by another sysadmin who forgot to tick the option to mark the private key as exportable. When you later try to export the certificate together with its private key, that option is greyed out.

[Screenshot Pic1-notexportable: the private key export option greyed out]

Unless you still have the original .pfx file (or the issuing CA can re-issue the certificate), Windows offers no built-in way to get the private key out again. Mimikatz can do it: its crypto::capi command patches the CryptoAPI functions inside the mimikatz process so that the check on the exportable flag is bypassed, which lets you export certificates marked non-exportable. Keys held by a CNG key storage provider need crypto::cng instead, which patches the key isolation service inside lsass and therefore requires privilege::debug first. Either way the trick only works for software providers: a key held in a TPM or an HSM never leaves the hardware, so there is nothing to export. This is also why the exportable flag should never be treated as a security control. Anyone who can run code as the key's owner (or as an administrator, for the machine store) can pull the key out.

To do so, run the following commands (for a certificate in the machine store, run mimikatz elevated and add /systemstore:local_machine to the crypto::certificates command):

mimikatz
crypto::capi
crypto::certificates /export


You will see that mimikatz has written every certificate in the store to a .der file and, for those with a private key, a .pfx file as well. The .pfx files are protected with the password “mimikatz”.


You can now import the .pfx (password mimikatz) into the store and this time tick the option to mark the private key as exportable.
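The procedure above can be bracketed with a quick audit and a scripted re-import. The following PowerShell is an added example written for this page, not code from the original post or from the mimikatz project. It lists which private keys in a store are flagged non-exportable (and which provider holds them, so you can see in advance whether a TPM or HSM key is involved), and then re-imports a mimikatz-exported .pfx with the exportable flag set. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the PKI module available; the .pfx path in the usage line is illustrative.

```powershell
# Added example (not from the original post or the mimikatz project).
# Audits a certificate store for non-exportable private keys, then re-imports a
# mimikatz-exported .pfx with the private key marked exportable.
# Assumes: Windows PowerShell 5.1 / PowerShell 7 on Windows, PKI module present.

function Get-PrivateKeyExportability {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = $null
        $exportable = $null
        try {
            # Works for both CNG and legacy CAPI keys; returns $null for non-RSA keys (e.g. ECDSA)
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: export policy is a flags enum on the underlying CngKey
                $provider   = $key.Key.Provider.Provider
                $exportable = $key.Key.ExportPolicy.HasFlag(
                    [System.Security.Cryptography.CngExportPolicies]::AllowExport)
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the CSP reports the flag via CspKeyContainerInfo
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Keys we are not allowed to open (e.g. machine store without elevation) land here
            $provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Exportable = $exportable
        }
    }
}

function Import-ExportablePfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [string]$StorePath = 'Cert:\CurrentUser\My',
        # "mimikatz" is the password mimikatz sets on the .pfx files it writes
        [string]$Password  = 'mimikatz'
    )
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    # -Exportable sets the flag the original import omitted, so future exports work
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $secure -Exportable
}

# Usage (the .pfx path is illustrative):
Get-PrivateKeyExportability | Format-Table -AutoSize
# Import-ExportablePfx -PfxPath 'C:\tools\exported.pfx'
```

Run the audit first: a Provider of Microsoft Platform Crypto Provider (TPM) or a vendor HSM key storage provider means the key material never enters a software process, and neither crypto::capi nor crypto::cng will recover it. A Provider of Microsoft Software Key Storage Provider with Exportable set to False is the CNG case that needs crypto::cng; a legacy CSP name such as Microsoft Enhanced RSA and AES Cryptographic Provider is the CAPI case that crypto::capi handles.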

Resources

  • Mimikatz on GitHub page
  • Mimikatz blog page
  • Metasploit page for Mimikatz