Last active June 28, 2023 15:32
Extracting certs/private keys from certificates that disable private key exporting


  • I have to use a Windows client to install a certificate (say via the Magnum PKI Client)
  • I cannot export the private key for this certificate
  • I am a Linux user that needs to have the cert and private key

Solution (steps)

Install/export certificate using Windows VM

  1. Get yourself a Windows VM via
    • Make sure you set up a Shared Folder so you can bring files back over to Linux
  2. Install the certificate through the VM as needed
  3. In Internet Explorer, click the settings icon (looks like a gear) and choose "Internet Options"
  4. Click the "Content" tab
  5. Click "Certificates"
  6. Click the certificate you installed (likely on the Personal tab) and click the "Export..." button
  7. Click "Next" through the next few prompts in the Certificate Export Wizard
  8. On the "File to Export" screen, click "Browse" and find a location (like your Desktop) to save the file to and give it a name
  9. Click "Next" and "Finish"
  10. Bring the certificate back over to Linux

Run mimikatz to get private key

  1. Download mimikatz - a tool that will extract the private key from installed certificates
  2. Extract the mimikatz files to a directory (you only need the Win32 folder)
  3. Run cmd.exe as an Administrator (you may need to navigate to C:\Windows\System32\ and right-click the cmd.exe file)
  4. Run the mimikatz.exe from the command prompt
  5. Run the following commands:
crypto::keys /export

You should have a .pvk (private key) file in the same directory as mimikatz.exe now—probably just the one you installed. If you see multiple private keys, you'll have to determine which one is the one you installed.
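
To tell which exported .pvk belongs to your certificate when there are several, the following added example (not part of the original gist) reads the modulus from an unencrypted RSA .pvk on the Linux side so it can be compared with the certificate's modulus as printed by `openssl x509 -noout -modulus`. The function names and the sample bytes are constructed for illustration.

```python
import struct

PVK_MAGIC = 0xB0B5F11E    # signature at offset 0 of every .pvk file
RSA2_MAGIC = 0x32415352   # "RSA2": marks an RSA private key blob
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}


def parse_pvk(data: bytes) -> dict:
    """Return key type, encryption flag, bit length and modulus of an RSA .pvk."""
    if len(data) < 24:
        raise ValueError("too short for a PVK header")
    magic, _reserved, keytype, encrypted, saltlen, keylen = struct.unpack_from("<6I", data)
    if magic != PVK_MAGIC:
        raise ValueError("bad magic: not a PVK file")
    info = {"key_type": KEY_TYPES.get(keytype, f"unknown({keytype})"),
            "encrypted": bool(encrypted), "bits": None, "modulus": None}
    if encrypted:
        return info  # key material is encrypted; the modulus cannot be read
    blob = data[24 + saltlen:24 + saltlen + keylen]
    if len(blob) < 20:
        raise ValueError("truncated key blob")
    # BLOBHEADER (type, version, reserved, algorithm) then RSAPUBKEY (magic, bits, exponent)
    btype, _ver, _res, _alg, rsa_magic, bits, _exp = struct.unpack_from("<BBHIIII", blob)
    if btype != 0x07 or rsa_magic != RSA2_MAGIC:
        raise ValueError("not an RSA PRIVATEKEYBLOB")
    modulus = blob[20:20 + bits // 8]
    if len(modulus) != bits // 8:
        raise ValueError("truncated modulus")
    info["bits"] = bits
    info["modulus"] = int.from_bytes(modulus, "little")  # stored little-endian
    return info


def matches_certificate(info: dict, cert_modulus_hex: str) -> bool:
    """Compare against the hex printed by `openssl x509 -noout -modulus`."""
    hex_part = cert_modulus_hex.strip().split("=")[-1]
    return info["modulus"] is not None and info["modulus"] == int(hex_part, 16)


def build_sample_pvk(modulus: int, bits: int = 64, encrypted: bool = False) -> bytes:
    """Constructed test input: PVK header plus only the start of a key blob."""
    blob = struct.pack("<BBHIIII", 0x07, 0x02, 0, 0xA400, RSA2_MAGIC, bits, 65537)
    blob += modulus.to_bytes(bits // 8, "little")
    return struct.pack("<6I", PVK_MAGIC, 0, 1, int(encrypted), 0, len(blob)) + blob


if __name__ == "__main__":
    sample = build_sample_pvk(0xC0FFEE1234567891)
    print(parse_pvk(sample), matches_certificate(parse_pvk(sample), "Modulus=C0FFEE1234567891"))
```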

Convert PVK to PEM

You can convert the Windows proprietary ".pvk" file to a useful ".pem" file by using the following command:

openssl rsa -inform pvk -in YOUR_PRIVATE_KEY.pvk -outform pem -out YOUR_NEW_PRIVATE_KEY.pem


You now have a certificate with the private key that you can use to connect to a VPN or other networks that require certs/private keys. You can do a lot once you get this far. Check out some of the most common OpenSSL commands for a good list.

Sources & Resources


Good stuff, thanks.
I've tried also doing the reverse (which I actually need), convert from the PEM output above back to PVK and that doesn't create the same output file as the original .pvk.

Is there something I'm missing to make that work?



BTW, the reverse works (pem to pvk), if your openssl has the fips module and you add -pvk-strong as a parameter.
Took a while to find that, so could be helpful if anyone else needs that.

