Are "unexportable" certificates a real security measure or just security theater?

Recently I was working on recovering data from dead (bricked PSU) Windows XP machine, which included some client certificates installed into IE 6. I plugged in a temporary PSU and tried to export the certificate, only to be told that "these certificates are marked as non-exportable, and thus the private key can not be exported".

I've done some searching around the intertubes, however the only advices I could find were related to pre-install scenarios (ie. there is apparently an option which you can check during the installation to avoid this situation).

My questions would be:

  • Is this a real security measure? It seems to me that you can simply patch the verification logic in IE6 (or the CryptoAPI) and force the export of the certificate / private-key
  • Is there a ready-made tool to do this? (for backup purposes for example)

Exporting private keys on certificates that have been marked non-exportable? Uh, how about a tool called Jailbreak...


"Unexportable" means the private key is inaccessible to CryptExportKey(). It might be possible to patch CryptoAPI in memory, but I haven't found any references to it.

There also might be a way to load the registry "hive" in another system and either copy the certificates or edit the "unexportable" bit... but again, no such things on the googlenet.