Trick to Export Private Key from Certificate Request

I noticed something interesting today: I needed to generate a Code Signing certificate from a Windows 2003 CA Server.

However the default Code Signing Template does not allow us to export the private key. I found a nice trick however that enables us to request a code signing certificate WITH private key.

To do this I first needed to enable the Code Signing template on the CA Server. This can be done using the Certification Authority MMC Snap-in: right click on the Certificate Templates node and select New | Certificate Template to Issue | Code Signing:

 

Now open Internet Explorer and navigate to http://server/certsrv (where server is the CA Server of course) and click Request a certificate:

On the next page click advanced certificate request followed by Create and submit a request to this CA.

Notice that the Mark keys as exportable option cannot be selected (greyed out):

This matched with the template:

If we click OK (accepting the default options) a certificate will be generated:

Now click the Back button in Internet Explorer to go back to the previous page:

Let’s test if this really works, click “Mark keys as exportable”, submit the request and click on Install this certificate:

Now open the Certificates MMC Snap-In and go to Personal | Certificates and export the new certificate.

As you can see we now have the option to export the private key:

Security Breach?
So where does this leave us, is it a security breach?

I don’t think so because without this trick we already get a certificate with private key, the only difference is that we are not able to export it.

So as far as I am concerned this is just a trick that can be used to quickly get a certificate with private key in the pfx format so we can easily feed it to signtool.