Are "unexportable" certificates a real security measure or just security theater?

backup certificate windows-xp internet-explorer export

Recently I was working on recovering data from dead (bricked PSU) Windows XP machine, which included some client certificates installed into IE 6. I plugged in a temporary PSU and tried to export the certificate, only to be told that "these certificates are marked as non-exportable, and thus the private key can not be exported".

I've done some searching around the intertubes, however the only advices I could find were related to pre-install scenarios (ie. there is apparently an option which you can check during the installation to avoid this situation).

My questions would be:

  • Is this a real security measure? It seems to me that you can simply patch the verification logic in IE6 (or the CryptoAPI) and force the export of the certificate / private-key
  • Is there a ready-made tool to do this? (for backup purposes for example)

Exporting private keys on certificates that have been marked non-exportable? Uh, how about a tool called Jailbreak...


"Unexportable" means the private key is inaccessible to CryptExportKey(). It might be possible to patch CryptoAPI in memory, but I haven't found any references to it.

There also might be a way to load the registry "hive" in another system and either copy the certificates or edit the "unexportable" bit... but again, no such things on the googlenet.

Related

Move VMware Server 2.0 Image to ESXi
Running gdb on Ubuntu 9.10 Apache2 Install
Bash Scripting: Parse File Contents Into Array
Linux or OS X Server?
wildcard ssl certificate - exchange 2010 - POP/IMAP problem
Syslog-ng: how to log severity/facility?
Can I get AD to authenticate via another LDAP server?
recommend firewall options for a dedicated server
Why am I getting an overflowerror in Python?
Ensuring compilation error while passing null pointer to a function
Two almost identical functions using STArray: why does one requires FlexibleContexts, and the other does not?
How to route programmatically in SvelteKit?