Export a certificate that does not allow the private key to be exported from a Windows Server

I recently had a client who had inadvertently created and completed a certificate request on a Windows Server without marking the private key as exportable, and who then needed to export the certificate together with its private key so it could be installed on another server.


While this is likely a common issue, I hadn't personally come across it, so I wasn't familiar with the options available. A quick internet search returned a few different methods. The first one I tried triggered the antivirus, which blocked the utility; the second method worked, so this post demonstrates that process.

Begin by downloading the Exporting Non-Exportable RSA Keys utility (exportrsa) from GitHub:

https://github.com/luipir/ExportNotExportablePrivateKey/tree/fca10bf0807fe8160502d448d22537e499c3c8d5


as well as the well-known Sysinternals PsTools suite:

https://docs.microsoft.com/en-us/sysinternals/downloads/pstools


Unpack the exportrsa utility and PsTools into directories of your choice on the server that holds the certificate, launch a command prompt as an administrator, change to the directory where PsTools was unpacked, and run the following to open a command prompt running as SYSTEM (-s) on the interactive desktop (-i):

PsExec64.exe -s -i cmd


In the new SYSTEM command prompt, change to the directory where exportrsa was unpacked and run exportrsa.exe from the exportrsarelease folder.


The utility cycles through the certificates found in the Local Computer certificate store and lets you export the private key of each one.


The exported PFX is written to the directory containing exportrsa.exe.

Keep in mind what this demonstrates: the non-exportable flag is enforced by the software key storage provider on the host, not by anything that stops a local administrator or SYSTEM from reading the key material, so it should not be treated as a control against anyone who is already an administrator on that server. Keys held by a TPM- or HSM-backed provider (for example the Microsoft Platform Crypto Provider) are different: the private key never leaves the hardware in plaintext, and this approach does not apply to them.

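The PowerShell below is an added example; it is not from the original post or from the exportrsa project. It shows how to check, before reaching for the tool, which machine certificates actually have non-exportable keys and which provider holds them, how to verify that the PFX exportrsa produced really contains the private key (and is not the 0-byte file produced when the export fails), and how to import it on the destination server with the key marked exportable so the problem does not recur. It assumes an elevated PowerShell 5.1 session on Windows Server with the built-in PKI module; the PFX path and password prompt in the usage section are placeholders.

```powershell
# Added example, not part of the original post or the exportrsa project.
# Assumes an elevated PowerShell 5.1 session (.NET Framework 4.6+) on Windows Server
# with the built-in PKI module (Get-PfxData, Import-PfxCertificate).

function Get-MachineKeyExportability {
    # Lists every certificate in LocalMachine\My that has a private key and reports
    # which provider holds the key and whether that provider will export it normally.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = $null
        $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $provider = 'non-RSA key'
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: ExportPolicy is a flags value; None means the KSP refuses to export it.
                $provider   = $rsa.Key.Provider.Provider
                $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the container info carries the flag directly.
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            $provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Exportable = $exportable
            # A key in the TPM-backed provider never leaves the TPM in plaintext, so a tool
            # that bypasses the software provider's flag cannot produce a PFX for it.
            TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}

function Test-ExportedPfx {
    # Checks the PFX that exportrsa wrote: an empty file means the export failed, and a
    # non-empty file must carry the private key or moving it to the other server is pointless.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [securestring] $Password
    )
    $file = Get-Item -LiteralPath $Path
    if ($file.Length -eq 0) {
        return [pscustomobject]@{ Path = $Path; HasPrivateKey = $false; Thumbprint = $null; Problem = 'file is 0 bytes' }
    }
    $pfxArgs = @{ FilePath = $Path }
    if ($Password -and $Password.Length -gt 0) { $pfxArgs.Password = $Password }
    $pfx  = Get-PfxData @pfxArgs
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    $problem = $null
    if (-not $leaf.HasPrivateKey) { $problem = 'no private key in PFX' }
    [pscustomobject]@{
        Path          = $Path
        HasPrivateKey = [bool]$leaf.HasPrivateKey
        Thumbprint    = $leaf.Thumbprint
        Problem       = $problem
    }
}

function Import-PfxAsExportable {
    # Installs the PFX on the destination server with the key marked exportable, so the
    # next move does not need a bypass tool.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [securestring] $Password
    )
    $importArgs = @{ FilePath = $Path; CertStoreLocation = 'Cert:\LocalMachine\My'; Exportable = $true }
    if ($Password -and $Password.Length -gt 0) { $importArgs.Password = $Password }
    Import-PfxCertificate @importArgs
}

# Usage. The PFX path below is an assumption; exportrsa writes the file next to exportrsa.exe.
Get-MachineKeyExportability | Format-Table -AutoSize
$pw = Read-Host -AsSecureString -Prompt 'PFX password (press Enter if none)'
Test-ExportedPfx -Path 'C:\tools\exportrsa\export.pfx' -Password $pw
# On the destination server, after copying the PFX over:
# Import-PfxAsExportable -Path 'C:\tools\export.pfx' -Password $pw
```

Run the first function before touching the tool: if a certificate's Exportable column is already True, a normal MMC or Export-PfxCertificate export will do, and if TpmBacked is True, no software tool will get the key out. The 0-byte check in Test-ExportedPfx matches the failure one commenter below describes for password-protected keys.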

6 Responses

  1. Thanks a lot for this tutorial, it works exactly as you describe and helped me a lot to export a certificate that was marked as un-exportable!

  2. Why the hell does MS allow this. Another hole in the Windows system; this way everybody with admin rights can steal your private key.

  3. It does not work if the keys are password protected, so eventually, you may be able to circumvent the flag, but not the password protection. So if you do not know the password, you will not be able to get any content into the file and the pfx file will be 0 bytes.

  4. Most of this is not necessary. Skip the PSEXEC part.

    Just run exportrsa.exe from admin command prompt.

    If you get an error about msvcr100d.dll or nothing happens, install vcredist_x86_2010.exe (google it as a link will change).

    That's from the github instructions.