Trick to Export Private Key from Certificate Request

I noticed something interesting today: I needed to generate a Code Signing certificate from a Windows 2003 CA Server.

However, the default Code Signing template does not allow the private key to be exported. I found a nice trick, however, that lets us request a code signing certificate WITH an exportable private key.

To do this I first needed to enable the Code Signing template on the CA server. This can be done using the Certification Authority MMC snap-in: right-click the Certificate Templates node and select New | Certificate Template to Issue | Code Signing:

image


Now open Internet Explorer, navigate to http://server/certsrv (where server is the CA server, of course) and click Request a certificate:

image

On the next page click advanced certificate request, followed by Create and submit a request to this CA.

Notice that the Mark keys as exportable option cannot be selected (it is greyed out):

image

This matches the template's settings:

image

If we click OK (accepting the default options), a certificate is generated:

image

Now click the Back button in Internet Explorer to go back to the previous page:

image

Let's test whether this really works: tick "Mark keys as exportable", submit the request and click Install this certificate:

image

Now open the Certificates MMC snap-in, go to Personal | Certificates and export the new certificate.

As you can see we now have the option to export the private key:

image

Security Breach?

So where does this leave us: is it a security breach?

I don't think so, because even without this trick we already get a certificate with a private key; the only difference is that we are not able to export it. The "Mark keys as exportable" setting is applied by the enrollment page on the client when the key pair is generated, and the CA only ever sees the public key in the request, so the template cannot enforce it.

So as far as I am concerned this is just a trick that can be used to quickly obtain a certificate together with its private key in PFX format, so we can easily feed it to signtool.
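For a CA administrator who wants to know how often this happens in practice, the following added PowerShell audit (not part of the original post, and written for a current Windows client rather than the 2003-era setup above) reads the exportable flag that the template advertises and then checks which certificates in the user's Personal store actually have an exportable private key. It assumes the RSAT ActiveDirectory module is present for the template lookup; the template name CodeSigning and the CT_FLAG_EXPORTABLE_KEY bit value 0x10 come from the default template definitions.

```powershell
# Added example: compare what the Code Signing template says about key export
# with what the keys in the local store actually allow.
Import-Module ActiveDirectory

# 1. Read msPKI-Private-Key-Flag from the template in the configuration partition.
$templateName = 'CodeSigning'                     # cn of the default Code Signing template
$CT_FLAG_EXPORTABLE_KEY = 0x10                    # bit that pre-ticks "Mark keys as exportable"
$configNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
       -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$templateName))" `
       -Properties 'msPKI-Private-Key-Flag'
$templateAllowsExport = ($tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
Write-Host "Template '$templateName' advertises exportable keys: $templateAllowsExport"

# 2. For every cert with a private key in the Personal store, ask the key provider
#    whether export is permitted. This is the value that actually matters, because
#    the template flag only drives the enrollment UI on the client.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    $exportable = 'unknown'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key container (what the Windows 2003 enrollment page creates)
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: bit 1 of ExportPolicy is CngExportPolicies.AllowExport
            $exportable = ([int]$rsa.Key.ExportPolicy -band 1) -ne 0
        }
    } catch {
        $exportable = "unknown ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Exportable = $exportable
    }
} | Format-Table -AutoSize
```

A certificate issued from a template whose flag is clear but whose key reports Exportable = True is exactly the outcome of the trick above; the only way to make non-exportability an enforced property rather than a client-side default is to generate the key on hardware such as a smart card or an HSM.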

Was once an enthusiastic PepperByte employee but is now working elsewhere. His blogs are still valuable to us and we hope to you too.