I noticed something interesting today: I needed to generate a Code Signing certificate from a Windows 2003 CA Server.
However the default Code Signing Template does not allow us to export the private key. I found a nice trick however that enables us to request a code signing certificate WITH private key.
To do this I first needed to enable the Code Signing template on the CA Server. This can be done using the Certification Authority MMC Snap-in: right click on the Certificate Templates node and select New | Certificate Template to Issue | Code Signing:
Now open Internet Explorer and navigate to http://server/certsrv (where server is the CA Server of course) and click Request a certificate:
On the next page click advanced certificate request followed by Create and submit a request to this CA.
Notice that the Mark keys as exportable option cannot be selected (greyed out):
This matched with the template:
If we click OK (accepting the default options) a certificate will be generated:
Now click the Back button in Internet Explorer to go back to the previous page:
Let’s test if this really works, click "Mark keys as exportable", submit the request and click on Install this certificate:
Now open the Certificates MMC Snap-In and go to Personal | Certificates and export the new certificate.
As you can see we now have the option to export the private key:
So where does this leave us, is it a security breach?
I don’t think so because without this trick we already get a certificate with private key, the only difference is that we are not able to export it.
So as far as I am concerned this is just a trick that can be used to quickly get a certificate with private key in the pfx format so we can easily feed it to signtool.
Was once an enthusiastic PepperByte employee but is now working elsewhere. His blogs are still valuable to us and we hope to you too.