mimikatz : Export non-exporteable Private certificate from Symantec PKI

Recently our organization started to provision Private certificates using Symantec Managed PKI Service. It has lot more appeal for IT admins because it takes out all user intervention which always creates support nightmares.

Previously I had direct access to the private key so it was easy to export it to all my devices and use for VPN and other secure stuff that needed to verify that I am indeed the real user. Because Symantec PKI is not available for Linux, it broke the VPN access from my Ubuntu system. Naturally I started to look for ways to export the key out of windows system. So here is what I did to get me out of the bind.

How to export certificates

First I installed Symantec PKI client on a windows 7 system. That was a no brainer because there was no other choice. I did not try with Windows 8 so YMMV. The main issue was that Windows certificate manager showed that the private key was not exportable. If it was then my quest would have been over right there. But I had to take another step. Mimikatz was the answer which marks them exportable and also allows to export them. Note: The patching that it does only lasts for that session. Once you reboot windows system you have to patch again using mimikatz. I used latest version which is 2.0 at the writing of this post.

So download the zip file of latest version and unzip it. It will create two directories one for each chip architecture. Then open a command prompt. Go to the directory where zip file was extracted and then to your system architecture directory. Mine was x64. Then run mimikatz from the directory which will show the prompt on which you type next two commands. The last one will export all certificates from the store. You can export only the ones you need by using different flags. But it is lot more easier to export all and then choose only the one that is needed.

cd Desktop\x64
mimikatz
crypto::capi
crypto::certificates /export

Close the terminal and that folder where mimikatz was run has all the exported certificates. To secure private key mimikatz adds a password which again is “mimikatz”.

How to secure exported certs (or reset password)

Default password for exported keys is “mimikatz”. First thing you want to do is secure the private key. Get the files that have private certificate to a system with openssl (Which will be .pfx file). I got it to my Ubuntu laptop. Run following on the private certificate to setup a new password of your choice.

vishalj@dreams:~/Documents> openssl pkcs12 -des3 -in <original pfx file> -out <new pfx file>
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
vishalj@dreams:~/Documents>

This will ask you the import password which is “mimikatz”. Then it will ask you for the new password and will create the new pfx file. You can now remove the original one exported by mimikatz. Save the new .pfx file as your private certificate to a safe location and export to the devices where you want to use it.

Using with OpenConnect

You can use the .pfx file as is with OpenConnect client. I use a script (instead of Network Manager OpenConnect client) because that provides me more flexibility for setting up Split Tunnel. I tested the .pfx file both ways and it works flawlessley.

That’s all folks.