Converting private key in windows store to PEM (for OpenSSL)

Question

I want to get a private key from windows store and convert it to PEM in order to use it in OpenSSL. I've been looking for a way to do that for a few hours!

• I use CertFindCertificateInStore() to get CERT_CONTEXT (which I know it contains the private key using the search parameter).
• Next, I used CryptAcquireCertificatePrivateKey() to get HCRYPTPROV (just because of the name of the function).
• Now, I use CryptGetUserKey() to get HCRYPTKEY (just because it sounds right...?!)

But now I'm stuck again.

I think this is security by obscurity done by Microsoft to make sure we will never be able to get private keys.

Answer 1

First two are fine. But you need to use CryptExportPKCS8. It will export the private key to a buffer in PKCS #8 DER encoded form. From PKCS #8, you can get it into X509 structure of OpenSSL (by using d2i functions and memory buffer as input in BIO structures).

However, if the private key is marked as non-exportable, this function will fail.

Only use you can do is to sign the data using such private key.

Answer 2

I'm leaving the answer as it is (after all without dbasic I would've been stuck :-)), but I have more to add:

CryptExportPKCS8() end of support ended with XP/2003, so we have to use PFXExportCertStoreEx() , however this function exports the WHOLE store. So, in order to export just one certificate you need to use a memory store.

Check out this example on how to do that: http://msdn.microsoft.com/en-us/library/windows/desktop/aa382037(v=vs.85).aspx

Insert the certificate you want into the memory store, and then use PFXExportCertStoreEx() to export what you need.