I noticed something interesting today: I needed to generate a Code Signing certificate from a Windows 2003 CA Server.
However, the default Code Signing template does not allow the private key to be exported. I found a nice trick, though, that lets us request a code signing certificate WITH an exportable private key.
To do this I first needed to enable the Code Signing template on the CA Server. This can be done using the Certification Authority MMC Snap-in: right click on the Certificate Templates node and select New | Certificate Template to Issue | Code Signing:
Now open Internet Explorer and navigate to http://server/certsrv (where server is the CA Server of course) and click Request a certificate:
On the next page click advanced certificate request followed by Create and submit a request to this CA.
Notice that the Mark keys as exportable option cannot be selected (greyed out):
This matched with the template:
If we click OK (accepting the default options), a certificate will be generated:
Now click the Back button in Internet Explorer to go back to the previous page:
Let's test whether this really works: click "Mark keys as exportable", submit the request and click on Install this certificate:
Now open the Certificates MMC Snap-In and go to Personal | Certificates and export the new certificate.
As you can see we now have the option to export the private key:
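To see what the trick actually changed on the client, here is a small audit script for the signing workstation. It is an added example and not code from the original post: it walks the current user's Personal store, reports which certificates carry the Code Signing EKU and which template they were issued from, and asks the CSP whether each private key is marked exportable. The "exportable" flag is a property of the key container on the client (the private key never reaches the CA, so the CA cannot check it); this script reads that flag back. It assumes PowerShell 2.0 or later and that the keys live in a legacy CSP container (for CNG keys the PrivateKey property is empty on older PowerShell, and the script reports "unknown" rather than guessing).

```powershell
# Added example (not from the original post): report private-key exportability
# for certificates in the current user's Personal store.
# Assumption: PowerShell 2.0+, keys stored by a legacy CSP (CryptoAPI).

$CodeSigningEku   = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning
$TemplateNameOid  = '1.3.6.1.4.1.311.20.2'     # szOID_ENROLL_CERTTYPE_EXTENSION (V1 template name)

function Get-PrivateKeyExportability {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $exportable = 'unknown'

        try {
            $key = $cert.PrivateKey            # $null for CNG keys on older PowerShell
            if ($key -ne $null) {
                # CspKeyContainerInfo.Exportable reflects CRYPT_EXPORTABLE at key generation
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            $exportable = 'error: ' + $_.Exception.Message
        }

        # Does the certificate carry the Code Signing enhanced key usage?
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $isCodeSigning = $false
        if ($ekuExt) {
            $isCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
        }

        # V1 templates (such as the built-in Code Signing template) record their name in this extension
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $TemplateNameOid } |
            ForEach-Object { $_.Format($false) }

        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Template    = $template
            CodeSigning = $isCodeSigning
            Exportable  = $exportable
            NotAfter    = $cert.NotAfter
        }
    }
}

# Usage: list only code signing certificates and whether their keys can leave the machine
Get-PrivateKeyExportability |
    Where-Object { $_.CodeSigning } |
    Format-Table Subject, Template, Exportable, NotAfter, Thumbprint -AutoSize
```

Running this before and after the enrollment described above shows the same certificate and template name, with only the Exportable column differing, which is the whole effect of the trick. On a machine where signing keys are supposed to stay put, a row with Exportable set to True is the thing to look for.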
So where does this leave us: is it a security breach?
I don't think so, because without this trick we already get a certificate with a private key; the only difference is that we are not able to export it.
So as far as I am concerned this is just a trick that can be used to quickly get a certificate with private key in the PFX format, so we can easily feed it to signtool.
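For the last step, feeding the PFX to signtool, here is a small wrapper as an added example (not code from the original post). It opens the PFX, checks that it really contains a private key and the Code Signing EKU and has not expired, signs a binary with signtool.exe and then verifies the signature. It assumes signtool.exe from a current Windows SDK is on the PATH (the /fd and /tr switches are not present in the very old signtool builds), and the file paths, password and timestamp URL below are placeholders to be replaced.

```powershell
# Added example (not from the original post): validate a code signing PFX,
# sign a file with signtool.exe and verify the result.
# Assumptions: signtool.exe (Windows SDK) on PATH; paths/password/URL are placeholders.

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

function Test-CodeSigningPfx {
    param(
        [string]$Path,
        [string]$Password
    )
    # Load the PFX together with its private key (no store import needed)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)

    if (-not $cert.HasPrivateKey) {
        throw "No private key found in $Path"
    }

    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
    if (-not $hasEku) {
        throw "Certificate $($cert.Thumbprint) does not carry the Code Signing EKU"
    }

    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    }
    return $cert
}

function Invoke-CodeSign {
    param(
        [string]$PfxPath,
        [string]$PfxPassword,
        [string]$FileToSign,
        [string]$TimestampUrl
    )
    $cert = Test-CodeSigningPfx -Path $PfxPath -Password $PfxPassword
    Write-Host "Signing $FileToSign with $($cert.Subject) ($($cert.Thumbprint))"

    # SHA-256 file digest and RFC 3161 timestamp so the signature outlives the certificate
    & signtool.exe sign /f $PfxPath /p $PfxPassword /fd SHA256 /tr $TimestampUrl /td SHA256 $FileToSign
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }

    # /pa uses the default Authenticode verification policy; /v prints the chain
    & signtool.exe verify /pa /v $FileToSign
    if ($LASTEXITCODE -ne 0) {
        throw "signtool verify failed with exit code $LASTEXITCODE"
    }
}

# Usage (placeholder values; replace with the real PFX, password, file and timestamp server)
Invoke-CodeSign -PfxPath 'C:\certs\codesign-PLACEHOLDER.pfx' `
                -PfxPassword 'PLACEHOLDER' `
                -FileToSign 'C:\build\app-PLACEHOLDER.exe' `
                -TimestampUrl 'http://timestamp.PLACEHOLDER.example/'
```

The EKU check matters because signtool will happily sign with any certificate that has a private key; it is the verify step afterwards (and the consumer's chain validation) that rejects a certificate without the Code Signing purpose.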