Are "unexportable" certificates a real security measure or just security theater?
Recently I was working on recovering data from a dead (bricked PSU) Windows XP machine, which included some client certificates installed into IE 6. I plugged in a temporary PSU and tried to export the certificate, only to be told that "these certificates are marked as non-exportable, and thus the private key can not be exported".
I've done some searching around the intertubes, however the only advice I could find was related to pre-install scenarios (i.e. there is apparently an option which you can check during the installation to avoid this situation).
My questions would be:
- Is this a real security measure? It seems to me that you can simply patch the verification logic in IE6 (or the CryptoAPI) and force the export of the certificate / private key
- Is there a ready-made tool to do this? (for backup purposes for example)
Exporting private keys on certificates that have been marked non-exportable? Uh, how about a tool called Jailbreak...
"Unexportable" means the private key is inaccessible to CryptExportKey(). It might be possible to patch CryptoAPI in memory, but I haven't found any references to it.
There also might be a way to load the registry "hive" in another system and either copy the certificates or edit the "unexportable" bit... but again, no such things on the googlenet.
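The answer above distinguishes the "unexportable" flag from any protection of the key material itself: the flag is a property the key container reports, which CryptExportKey() honours. For an administrator who wants to know, before a machine dies, which certificates in a store can be backed up, and who wants to avoid the original poster's situation when installing a new PFX, the following is an added PowerShell example (it is not code from the thread or from any answerer, and it targets a modern Windows with PowerShell 5.1+ and the PKI module; the question's XP/IE6 system predates these cmdlets). It reads the export policy of each private key via .NET's `CspKeyContainerInfo.Exportable` for legacy CAPI keys and `CngKey.ExportPolicy` for CNG keys, then shows the explicit `-Exportable` switch on `Import-PfxCertificate`, which is the "option you can check during installation" the question refers to. The PFX path is a placeholder.

```powershell
# Added example, not from the original thread. Reports how each private key in a
# certificate store is flagged, without ever exporting key material.
function Get-PrivateKeyExportPolicy {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key' }

    # Opening a handle to the key is allowed even when export is not; only
    # CryptExportKey()/NCryptExportKey() are blocked by the flag.
    $rsa = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return "key not accessible: $($_.Exception.Message)"
    }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG keys carry a CngExportPolicies flag set (None, AllowExport,
        # AllowPlaintextExport, AllowArchiving, AllowPlaintextArchiving).
        return "CNG ExportPolicy=$($rsa.Key.ExportPolicy)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI keys expose the non-exportable bit via CspKeyContainerInfo.
        if ($rsa.CspKeyContainerInfo.Exportable) { return 'CAPI exportable' }
        return 'CAPI non-exportable'
    }
    # Non-RSA keys (e.g. ECDSA) are not handled by this helper.
    return 'unknown key type'
}

# Audit the current user's personal store: this is the list of certificates
# that can (or cannot) be backed up with Export-PfxCertificate.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        Policy     = Get-PrivateKeyExportPolicy -Cert $_
    }
} | Format-Table -AutoSize

# When installing a client certificate that must remain recoverable, set the
# flag explicitly at import time; it cannot be turned on afterwards through
# the supported API. Path is a placeholder; the password is prompted for.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath 'C:\path\to\client.pfx' `
                      -CertStoreLocation Cert:\CurrentUser\My `
                      -Password $pfxPassword `
                      -Exportable
```

Run the audit periodically on machines holding client certificates and keep an offline copy of any PFX whose key must survive a hardware failure; for keys that should never leave the machine, leave `-Exportable` off and consider a TPM-backed or smart-card provider, where the flag is enforced by the hardware rather than by the software CSP.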