Extracting non-exportable Windows certificate

Say you want to get WiFi AES or EAP working on another machine.

  1. Get mimikatz
  2. Boot into recovery holding F8 to disable any and all malware checkers. if you need machne keys and know the local admin password pick without network, else with network (to log into a domain). Note that the network mode may hook in some of the malware check kernel drivers.
  3. Run mimikatz

    crypto::capi privilege::debug crypto::cng crypto::certificates /export crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::keys /export crypto::keys /machine /export

The certs and keys will be in the same folder. Get the CA public certs too, you might need them for the WPA2-TLS (type 13) verification. You need the cert that signed the private cert, and the certs up the chain.

Note To export certificate for another locall user first find out the security identifier for the user. Type the command as is, useraccount is useraccount wmic useraccount get name,sid Then list all user stores, to make sure you have it crypto::stores /systemstore:users and export the “my” store for the user crypto::certificates /export /systemstore:users /store:S-1-xx-xx-xxxxx\My

Convert pfx to pem PFX contains private and public keys openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_My_X_FOO_Bar.pfx -out keyStore.pem The password for the pfx files is mimikatz. To export private key unencrypted use -nodes. For just the private key export, without the public use -nocerts

Convert pvk to pem openssl rsa -inform pvk -in key.pvk -outform pem -out key.pem

Convert der to pem openssl x509 -inform der -in certificate.cer -out certificate.pem