Marking private keys as non-exportable with certutil -importpfx
When importing a PFX-file with the certificate import wizard, you can choose if the private key should be exportable or not. Your choice is stored in the key storage property identifier that is key-storage specific. In other words, there is no information in the certificate about the exportability of the related private key. It is possible that if you import the same PFX-file into different computers that the private key is maked as exportable on one computer and is not marked as exportable on another.
To perform a PFX-file import at a command-line you may be familiar with the certutil -importPFX command. Since Windows Server 2003 SP1, certutil understands extra arguments to improve the PFX import.
Here is the abstract syntax:
certutil -importPFX {PFXfile} [NoExport|NoCert|AT_SIGNATURE|AT_KEYEXCHANGE]
To make the private key non-exportable, use the following command:
certutil -importPFX [PFXfile] NoExport
To just install the private key but not the certificate, use the NoCert argument. It can be combined with the NoExport argument.
certutil -importPFX [PFXfile] NoCert
There are two more arguments forcing AT_SIGNATURE or AT_KEYEXCHANGE. Both cannot be used in combination and may require a conversion to a RSA key.
certutil -importPFX [PFXfile] AT_SIGNATURE
certutil -importPFX [PFXfile] AT_KEYEXCHANGE
To combine multiple modifiers with one command, all modifiers must appear comma seperated as a single common line parameter. For example:
certutil -importPFX [PFXfile] "NoExport,AT_KEYEXCHANGE"
Comments
Anonymous
January 01, 2003
try certutil -user -p "Password" -importpfx "C:PFXFILENAME.pfx"Anonymous
January 01, 2003
There is a new version of mimikatz that also support CNG export :) (windows vista / seven / 2008 ...)
- download (and launch with administrative privileges) : blog.gentilkiwi.com/mimikatz (trunk version for last version)
- privilege::debug (or not if you're already system)
- crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
- crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE pfx files are passwords protected "mimikatz" Regards
Anonymous
January 01, 2003
As noted in this article Visual Studio 2005 cannot handle PKCS#12 files that hold several certificatesAnonymous
January 01, 2003
Through a recent migration we needed to move a large number of SSL certificates. After spending a lotAnonymous
January 01, 2003
The comment has been removedAnonymous
January 22, 2012
The comment has been removed- Anonymous
September 23, 2016
" -user " should appear before "-importpfx".
- Anonymous
Anonymous
February 05, 2015
> (blah blah blah, Windows has no security...)
> ...
> launch with administrative privileges
So - in other words, to pwn the machine, you need to... pwn the machine ALREADY? :D
http://blogs.msdn.com/b/oldnewthing/archive/2007/09/20/5002739.aspx