Overview

If a Windows machine that has security certificates becomes inaccessible, it is still possible to export those certificates from the registry if you can recover registry files from backup or from a disk drive.

Certificate information for the machine is stored in the following registry key:

HKLM\SOFTWARE\Microsoft\SystemCertificates\[app name]\Certificates

There may also be user-specific certificates stored under HKCU\SOFTWARE\Microsoft; the process for extracting them is exactly the same.

Prerequisites

To perform the tasks in this article, you will need a text editor (Notepad will do), a hex editor (download HxD, a free editor), a command prompt from which you can run certutil, and the Certificate Manager console (certmgr.msc). The automation portion requires PowerShell.

Certificate Extraction

Load the registry file in a text editor and locate the certificate store. The section containing the certificates will look something like this:

[HKEY_LOCAL_MACHINE\UserN\SOFTWARE\Microsoft\SystemCertificates\AddressBook\Certificates]

[HKEY_LOCAL_MACHINE\UserN\SOFTWARE\Microsoft\SystemCertificates\AddressBook\Certificates\23DD6EDF7724AD6D77311E70BE141BB63DE144E5]
"Blob"=hex:03,00,00,00,01,00,00,00,14,00,00,00,23,dd,6e,df,77,13,ad,6d,77,31,\
  1e,70,be,14,1b,b6,3d,e1,44,e5,20,00,00,00,01,00,00,00,08,05,00,00,30,82,05,\
  04,30,82,03,ec,a0,03,02,01,02,02,03,17,c0,91,30,0d,06,09,2a,86,48,86,f7,0d,\
  01,01,0b,05,00,30,5d,31,0b,30,09,06,03,55,04,06,13,02,55,53,31,18,30,16,06,\
  03,55,04,0a,0c,0f,55,2e,53,2e,20,47,6f,76,65,72,6e,6d,65,6e,74,31,0c,30,0a,\
  06,03,55,04,0b,0c,03,44,6f,44,31,0c,30,0a,06,03,55,04,0b,0c,03,50,4b,49,31,\
  18,30,16,06,03,55,04,03,0c,0f,44,4f,44,20,45,4d,41,49,4c,20,43,41,2d,34,39,\
  30,1e,17,0d,31,39,30,38,31,32,30,30,30,30,30,30,5a,17,0d,32,32,30,38,30,38,\
  32,33,35,39,35,39,5a,30,81,83,31,0b,30,09,06,03,55,04,06,13,02,55,53,31,18,\
  30,16,06,03,55,04,0a,13,0f,55,2e,53,2e,20,47,6f,76,65,72,6e,6d,65,6e,74,31,\
  0c,30,0a,06,03,55,04,0b,13,03,44,6f,44,31,0c,30,0a,06,03,55,04,0b,13,03,50,\
  4b,49,31,13,30,11,06,03,55,04,0b,13,0a,43,4f,4e,54,52,41,43,54,4f,52,31,29,\
  30,27,06,03,55,04,03,13,20,48,41,44,44,4f,58,2e,56,49,43,54,4f,52,49,41,2e,\
  52,45,4e,45,45,2e,31,32,38,33,31,35,34,36,30,39,30,82,01,22,30,0d,06,09,2a,\
  86,48,86,f7,0d,01,01,01,05,00,03,82,01,0f,00,30,82,01,0a,02,82,01,01,00,d2,\
  d5,a1,6e,8a,92,2e,53,23,77,99,c9,aa,b5,c2,fe,94,ae,ee,c9,1b,78,23,54,67,ba,\
  e8,af,30,de,cf,b7,91,26,f4,dd,e0,ce,be,10,af,4b,03,60,3d,71,78,8e,2f,e2,26,\
  be,c5,79,d0,8c,9a,fc,d5,56,1f,30,1a,46,76,c1,dd,aa,fb,10,df,8c,19,e7,65,03,\
  d2,59,c4,47,54,79,13,0c,32,34,7f,f3,f5,6e,80,10,ff,0d,b4,dd,de,4f,e8,f2,04,\
  14,b6,64,a6,e1,10,29,10,d8,7b,23,8b,55,d9,81,8d,ef,98,51,9d,da,0b,84,a8,6a,\
  60,71,3e,79,55,42,4d,6e,xx,xx,xx,xx,13,3c,a2,3a,69,de,ac,c6,60,a8,0c,3b,2e,\
  2f,3f,ef,c4,f0,15,e9,07,xx,xx,xx,xx,65,bc,85,31,9c,03,b0,af,db,06,92,3f,ad,\
  13,3c,7e,39,ee,56,6e,8d,xx,xx,xx,xx,bf,56,19,63,72,60,dd,8d,aa,1d,80,b4,94,\
  ...

Note that the hex above has been modified from the original (the xx bytes), so it will not produce a valid certificate and will not load in a hex editor without errors.


Copy the text after hex: through the end of the block and paste it into your text editor (Notepad). Remove the trailing backslashes (\), spaces, and commas from the copied text. Paste the resulting hex string into a new file in your hex editor and save the file with a .cer extension (I used the registry key name as the file name): 23DD6EDF7724AD6D77311E70BE141BB63DE144E5.cer.

After the file is saved switch to your command prompt and run:

certutil -encode 23DD6EDF7724AD6D77311E70BE141BB63DE144E5.cer enc-23DD6EDF7724AD6D77311E70BE141BB63DE144E5.cer
certutil -dump enc-23DD6EDF7724AD6D77311E70BE141BB63DE144E5.cer


The resulting certificate cannot be used until you follow at least the next step - two steps if you need to transfer it to another computer.

Now open the Certificate Manager console (run certmgr.msc) and, under Other People, choose All Tasks > Import. Accept the store it proposes (Other People). I suggest Other People as the location for imported certificates because it is empty by default, which makes the imported certs easy to identify. If you choose Personal, you will have to find the imported certificates among dozens of others.

Now you can right-click the imported cert and export it as PKCS#12, including the private key and all certificates in the path if they are included in the certificate. The resulting export can then be used properly.

Automation

We can semi-automate the export of multiple certificates. If you generate multiple .cer files and place them in a directory, the following PowerShell commands will save you some steps:

# get the listing of .cer files in the current directory, skipping enc-* output from an earlier run
$certs = Get-ChildItem -File -Filter *.cer | Where-Object { $_.Name -notlike 'enc-*' }

# iterate the list of certs and create base64-encoded enc-*.cer files ready for import into the cert manager console
$certs | ForEach-Object { $n = $_.Name; $n1 = "enc-{0}" -f $n; certutil -encode $n $n1; certutil -dump $n1 }


Additional opportunities for automation:

  1. Automatic extraction of text from .reg file
  2. Automatic clean-up of text to remove commas, trailing \, and spaces
    1. Shortcuts are your friend! Even without automation, CTRL+H and the TAB key can make this task more efficient
  3. Saving of the .cer file with hex data extracted from registry text
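The three automation items above, together with the manual copy-and-clean procedure from the Certificate Extraction section, as an added PowerShell example that is not part of the original article. It reads a regedit .reg export, collects every "Blob" value under a ...\Certificates\<key> entry, strips the commas, backslashes and whitespace, and decodes the hex. It goes one step beyond the article: instead of saving the whole blob, it walks the property records visible in the hex above ([DWORD propid][DWORD reserved][DWORD length][data]) and writes only the record with propid 0x20 (CERT_CERT_PROP_ID, the DER-encoded certificate) to <keyname>.cer, then checks that the SHA-1 of that DER matches the key name, which is the certificate thumbprint. That record layout and the script name Export-RegCerts.ps1 are assumptions of this example; the .reg format and the constant 0x20 are standard Windows.

```powershell
# Added example, not the article's own code.  Run as:
#   .\Export-RegCerts.ps1 -RegFile .\backup.reg -OutDir .\out
# Assumptions (not stated in the article): the input is a regedit text export, and each
# Blob value is a sequence of records [DWORD propid][DWORD reserved][DWORD length][data],
# where propid 0x20 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.
param(
    [Parameter(Mandatory)][string]$RegFile,
    [string]$OutDir = '.'
)

function Convert-RegHexToBytes {
    param([string]$HexText)
    # Item 2 of the list: drop the line-continuation backslashes, whitespace and commas regedit adds.
    $clean = $HexText -replace '[\\\s,]', ''
    if ($clean.Length % 2 -ne 0) { throw "odd number of hex digits after clean-up" }
    $bytes = New-Object byte[] ($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        # Throws on non-hex text such as the 'xx' placeholders in the article's sample
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-DerFromCertBlob {
    param([byte[]]$Blob)
    # Walk the property records and return the data of the propid 0x20 record (the certificate).
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToInt32($Blob, $pos)
        $len    = [BitConverter]::ToInt32($Blob, $pos + 8)
        $data   = $pos + 12
        if ($len -lt 0 -or $data + $len -gt $Blob.Length) { break }   # truncated or damaged blob
        if ($propId -eq 0x20) {
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $data, $der, 0, $len)
            return ,$der
        }
        $pos = $data + $len
    }
    return $null
}

# Item 1 of the list: pull every "Blob" value under a ...\Certificates\<40-hex-char key> out of the .reg text.
$blobs = @{}          # key name (certificate thumbprint) -> raw hex text
$thumb = $null
$collecting = $false
foreach ($line in Get-Content -Path $RegFile) {
    if ($line -match '^\[.*\\Certificates\\([0-9A-Fa-f]{40})\]\s*$') {
        $thumb = $Matches[1]; $collecting = $false; continue
    }
    if ($line -match '^\[') { $thumb = $null; $collecting = $false; continue }   # some other key
    if ($thumb -and $line -match '^"Blob"=hex:(.*)$') {
        $blobs[$thumb] = $Matches[1]
        $collecting = $line.TrimEnd().EndsWith('\')
        continue
    }
    if ($collecting) {
        $blobs[$thumb] += $line
        $collecting = $line.TrimEnd().EndsWith('\')
    }
}

# Item 3 of the list: decode each blob, verify it, and write <thumbprint>.cer (DER) for certutil -dump or import.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$outFull = (Resolve-Path -Path $OutDir).ProviderPath
$sha1 = [System.Security.Cryptography.SHA1]::Create()
foreach ($entry in $blobs.GetEnumerator()) {
    $thumb = $entry.Key.ToUpper()
    try {
        $blob = Convert-RegHexToBytes $entry.Value
    } catch {
        Write-Warning "${thumb}: $($_.Exception.Message), skipping"
        continue
    }
    $der = Get-DerFromCertBlob $blob
    if (-not $der) { Write-Warning "${thumb}: no certificate record found in blob, skipping"; continue }
    # Integrity check: the key name is the SHA-1 thumbprint of the DER certificate, so a
    # damaged or mis-cleaned hex string shows up here as a mismatch.
    $hash = ($sha1.ComputeHash($der) | ForEach-Object { $_.ToString('X2') }) -join ''
    $file = Join-Path $outFull "$thumb.cer"
    [IO.File]::WriteAllBytes($file, $der)
    [pscustomobject]@{ Thumbprint = $thumb; File = $file; Bytes = $der.Length; ThumbprintMatches = ($hash -eq $thumb) }
}
```

Because the output files contain the bare DER certificate, certutil -dump reads them directly and the certmgr.msc import step works without the intermediate certutil -encode; run certutil -encode on them only if you want the base64 form. A ThumbprintMatches value of False for an entry means the hex in the .reg file was not copied or cleaned intact and the file should not be trusted.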