Say you want to get WiFi AES or EAP working on another machine.
Boot into recovery holding F8 to disable any and all malware checkers. if you need machne keys and know the local admin password pick without network, else with network (to log into a domain). Note that the network mode may hook in some of the malware check kernel drivers.
crypto::capi privilege::debug crypto::cng crypto::certificates /export crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::keys /export crypto::keys /machine /export
The certs and keys will be in the same folder. Get the CA public certs too, you might need them for the WPA2-TLS (type 13) verification. You need the cert that signed the private cert, and the certs up the chain.
To export certificate for another locall user first find out the security identifier for the user. Type the command as is, useraccount is
wmic useraccount get name,sid
Then list all user stores, to make sure you have it
and export the “my” store for the user
crypto::certificates /export /systemstore:users /store:S-1-xx-xx-xxxxx\My
Convert pfx to pem
PFX contains private and public keys
openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_My_X_FOO_Bar.pfx -out keyStore.pem
The password for the pfx files is mimikatz.
To export private key unencrypted use
-nodes. For just the private key export, without the public use
Convert pvk to pem openssl rsa -inform pvk -in key.pvk -outform pem -out key.pem
Convert der to pem openssl x509 -inform der -in certificate.cer -out certificate.pem