- I have to use a Windows client to install a certificate (say via the Magnum PKI Client)
- I cannot export the private key for this certificate
- I am a Linux user that needs to have the cert and private key
- Get yourself a Windows VM via modern.ie
- Make sure you set up a Shared Folder so you can bring files back over to Linux
- Install the certificate through the VM as needed
- In Internet Explorer, click the settings icon (looks like a gear) and choose "Internet Options"
- Click the "Content" tab
- Click "Certificates"
- Click the certificate you installed (likely on the Personal tab) and click the "Export..." button
- Click "Next" through the next few prompts in the Certificate Export Wizard
- On the "File to Export" screen, click "Browse" and find a location (like your Desktop) to save the file to and give it a name
- Click "Next" and "Finish"
- Bring the certificate back over to Linux
- Download mimikatz - a tool that will extract the private key from installed certificates
- Extract the mimikatz files to a directory (you only need the Win32 folder)
- Run cmd.exe as an Administrator (you may need to navigate to C:\Windows\System32\ and right-click the cmd.exe file)
- Run mimikatz.exe from the command prompt
- Run the following commands:
    privilege::debug
    crypto::capi
    crypto::keys /export
You should have a .pvk (private key) file in the same directory as mimikatz.exe now—probably just the one you installed. If you see multiple private keys, you'll have to determine which one is the one you installed.
You can convert the Windows proprietary ".pvk" file to a useful ".pem" file by using the following command:
    openssl rsa -inform pvk -in YOUR_PRIVATE_KEY.pvk -outform pem -out YOUR_NEW_PRIVATE_KEY.pem
You now have a certificate with the private key that you can use to connect to a VPN or other networks that require certs/private keys. You can do a lot once you get this far. Check out some of the most common OpenSSL commands for a good list.
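If the export produced several keys, the following check picks the one that belongs to the certificate by comparing public-key hashes. It is an added example, not part of the original post; the function names and the file names in the usage comment are assumptions, and it expects the keys to have been converted to PEM with the openssl rsa command above.

```shell
#!/bin/sh
# Added example (not from the original post): pick the private key that
# belongs to the exported certificate by comparing public-key hashes.
# Assumes the keys were already converted to PEM with `openssl rsa` as above.

# SHA-256 of the DER-encoded public key read from stdin.
spki_hash() {
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Hash of the certificate's public key. The Export Wizard writes DER by
# default, so try DER first and fall back to PEM (Base-64) exports.
cert_pubkey_hash() {
    for form in DER PEM; do
        if pub=$(openssl x509 -inform "$form" -in "$1" -noout -pubkey 2>/dev/null); then
            printf '%s\n' "$pub" | openssl pkey -pubin -outform DER | spki_hash
            return 0
        fi
    done
    echo "cannot parse certificate: $1" >&2
    return 1
}

# Hash of the public half of a PEM private key; fails if the file is not a key.
key_pubkey_hash() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER | spki_hash
}

# Usage: find_matching_key CERT KEY.pem [KEY.pem ...]
# Prints the first key whose public half equals the certificate's public key.
find_matching_key() {
    cert_file=$1; shift
    want=$(cert_pubkey_hash "$cert_file") || return 2
    for key_file in "$@"; do
        have=$(key_pubkey_hash "$key_file") || continue
        if [ "$have" = "$want" ]; then
            printf '%s\n' "$key_file"
            return 0
        fi
    done
    echo "no key matches $cert_file" >&2
    return 1
}

# Run only when arguments are given, e.g.: sh match_key.sh client.cer *.pem
if [ "$#" -ge 2 ]; then find_matching_key "$@"; fi
```

Comparing the public halves is also the reliable way to confirm that two key files hold the same key when their container formats differ.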
- https://github.com/gentilkiwi/mimikatz/
- http://lorands.com/2012/10/openconnect-replacement-for-cisco-anyconnect-on-linux-ubuntu/
- http://blog.gentilkiwi.com/cryptographie/openssl-conversion-pvk-microsoft-privatekey-blob
- http://musingsysadmin.com/2013/08/export-non-exportable-certificate-keys-from-store/
- https://www.youtube.com/watch?v=M3XX3CHihJY
Good stuff, thanks.
I've tried also doing the reverse (which I actually need), convert from the PEM output above back to PVK and that doesn't create the same output file as the original .pvk.
Is there something I'm missing to make that work?
Thanks
-Mike