
Retrieving private key from USB EV certificate

I'm trying to use PowerShell to extract a private key from a certificate stored in the personal store. This is an EV Code signing certificate that came with the key on a USB device.

Most of the tools I've found seem related to Local Machine certificates and are not working, and I hit on the steps in this post: https://hope.mx/2019/recovering-a-certificate-where-the-private-key-is-marked-as-non-exportable/

I tried to use those steps:

PS Cert:\CurrentUser\My> $a = Get-Item Cert:\CurrentUser\My\A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0

PS Cert:\CurrentUser\My> $a.PrivateKey.CspKeyContainerInfo


MachineKeyStore        : False
ProviderName           : eToken Base Cryptographic Provider
ProviderType           : 1
KeyContainerName       : te-cd6cd72c-da9c-4862-b02d-419e7ac19123
UniqueKeyContainerName : te-cd6cd72c-da9c-4862-b02d-419e7ac19123
KeyNumber              : Exchange
Exportable             : False
HardwareDevice         : True
Removable              : True
Accessible             : True
Protected              : True
CryptoKeySecurity      :
RandomlyGenerated      : False

It was my understanding that I should be able to find that file under C:\ProgramData\Microsoft\Crypto\RSA, but it is not there, and in fact none of the files in the RSA directories even start with "te-".

Does that value really represent the name of the private key file someplace in the system? If so, where?

Does that value really represent the name of the private key file someplace in the system?

Yes

If so, where?

$a.Thumbprint is the unique container where the key file is stored.

This corresponds to %APPDATA%\Microsoft\SystemCertificates\My\Certificates

This should be a good start to what you're looking for.

    #!/usr/bin/env powershell
    # Load the certificate object by thumbprint from the current user's Personal store
    $a = Get-Item -Path Cert:\CurrentUser\My\10EDAD11F3A6F39FBA5E38A2480D96979D33ABD0

    # The file under SystemCertificates\My\Certificates is named after the thumbprint
    $thumb = $a.Thumbprint
    $path = "$env:APPDATA/Microsoft/SystemCertificates/My/Certificates/" + $thumb
    Write-Output -InputObject $path
    Test-Path -Path $path

    # Dump that file with certutil
    & "$env:windir/system32/certutil.exe" $path

I've taken some info from here.

It is a token (hardware device) that was built to protect the private key - which means it shall not be exported. Sorry to say: You cannot.
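An added example, not code from either answer, that reports for every certificate in a store which provider holds the private key and whether that key sits on a hardware token or in a software container, using the same CspKeyContainerInfo fields the question's output shows. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where GetRSAPrivateKey returns RSACryptoServiceProvider for legacy CSP keys and RSACng for CNG keys; the function name is my own.

```powershell
# Added example (not from the original answers). Reports where each certificate's
# private key lives. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.
function Get-PrivateKeyResidency {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $result = [ordered]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Provider   = $null
            Hardware   = $null
            Exportable = $null
            Residency  = 'no private key'
        }
        if ($cert.HasPrivateKey) {
            $rsa = $null
            try {
                # Returns $null for non-RSA keys; throws if the token is not present
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            } catch {
                $result.Residency = "key not accessible: $($_.Exception.Message)"
            }
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: the same object the question inspected via $a.PrivateKey
                $info = $rsa.CspKeyContainerInfo
                $result.Provider   = $info.ProviderName
                $result.Hardware   = $info.HardwareDevice
                $result.Exportable = $info.Exportable
                if ($info.HardwareDevice) {
                    # A token CSP keeps the key on the device; the container name is a
                    # handle the CSP understands, not a file under %APPDATA% or ProgramData
                    $result.Residency = 'hardware token (no key file on disk)'
                } elseif ($info.MachineKeyStore) {
                    $result.Residency = 'software CSP, machine key container'
                } else {
                    $result.Residency = 'software CSP, user key container'
                }
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the key storage provider answers instead of CspKeyContainerInfo
                $result.Provider   = $rsa.Key.Provider.Provider
                $result.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                $result.Residency  = 'CNG key storage provider'
            }
        }
        [pscustomobject]$result
    }
}

# List every certificate in the current user's Personal store with its key residency
Get-PrivateKeyResidency | Format-Table -AutoSize
```

For the certificate in the question, the row should show the eToken provider with Hardware True and Exportable False, which is the inventory check to run before trusting that a code-signing key never left the device.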

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
