I want to get a private key from windows store and convert it to PEM in order to use it in OpenSSL.
I've been looking for a way to do that for a few hours!
- I use CertFindCertificateInStore() to get a CERT_CONTEXT (which I know contains the private key, based on the search parameter).
- Next, I use CryptAcquireCertificatePrivateKey() to get an HCRYPTPROV (just because of the name of the function).
- Now, I use CryptGetUserKey() to get an HCRYPTKEY (just because it sounds right...?!)
But now I'm stuck again.
I think this is security by obscurity done by Microsoft to make sure we will never be able to get private keys.
The first two are fine. But you need to use CryptExportPKCS8. It will export the private key to a buffer in PKCS #8 DER-encoded form. From PKCS #8, you can get it into an X509 structure of OpenSSL (by using the d2i functions with a memory buffer as input via BIO structures).
However, if the private key is marked as non-exportable, this function will fail.
The only thing you can do is sign data using such a private key.
I'm leaving the answer as it is (after all, without dbasic I would've been stuck :-)), but I have more to add:
Support for CryptExportPKCS8() ended with XP/2003, so we have to use PFXExportCertStoreEx(); however, this function exports the WHOLE store. So, in order to export just one certificate, you need to use a memory store.
Check out this example on how to do that:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa382037(v=vs.85).aspx
Insert the certificate you want into the memory store, and then use PFXExportCertStoreEx() to export what you need.
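The same single-certificate PKCS #12 export, followed by the OpenSSL conversion to PEM, as an added PowerShell example that is not part of the thread: .NET's X509Certificate2.Export() does the "one cert in its own store, then PFX export" step for you, and the non-exportable-key failure the accepted answer warns about surfaces as a CryptographicException. Assumed (not from the thread): the certificate is in CurrentUser\My, $Thumbprint is a placeholder, and openssl.exe is on PATH.

```powershell
# Added example (not from the thread): export ONE certificate's private key from the
# Windows certificate store as PKCS #12 and convert it to PEM for OpenSSL.
# Assumptions (not from the thread): cert is in CurrentUser\My, $Thumbprint is a
# placeholder, openssl.exe is on PATH, and the key was provisioned as exportable.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$OutDir     = (Join-Path $env:TEMP 'keyexport')
)
$ErrorActionPreference = 'Stop'

# Step 1: find the single certificate (the equivalent of CertFindCertificateInStore).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key attached' }

# Step 2: random one-time password for the intermediate PFX (never typed, never logged).
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 24; $rng.GetBytes($buf)
$pfxPass = [Convert]::ToBase64String($buf)

# Step 3: export just this cert + key as PKCS #12. This is what the thread's
# "memory store + PFXExportCertStoreEx()" achieves with CryptoAPI; .NET wraps it.
# A key marked non-exportable fails here, exactly as the accepted answer warns.
try {
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPass)
} catch [System.Security.Cryptography.CryptographicException] {
    throw "Private key is non-exportable; it can only be used for signing in place. ($($_.Exception.Message))"
}
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$pfxPath = Join-Path $OutDir 'single.pfx'
$pemPath = Join-Path $OutDir 'key.pem'
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# Step 4: PKCS #12 -> PEM. -nocerts keeps only the key; -nodes writes it unencrypted,
# so restrict the file to the current user and remove the intermediate PFX afterwards.
$env:PFX_PASS = $pfxPass
try {
    & openssl pkcs12 -in $pfxPath -nocerts -nodes -passin env:PFX_PASS -out $pemPath
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
& icacls $pemPath /inheritance:r /grant:r "$($env:USERNAME):(R,W)" | Out-Null
Write-Host "PEM private key written to $pemPath"
```

The resulting key.pem is an unencrypted PKCS #8 PEM that OpenSSL reads directly (for example with `openssl pkey -in key.pem -noout -text`); if the key was created without the exportable flag, the script stops at Step 3 with the non-exportable message rather than an opaque CryptoAPI error.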