
I have a Windows Server 2012 R2 Enterprise Root Certification Authority on a Hyper-V virtual machine which, due to currently unknown reasons, doesn't boot anymore.

I don't know if the VM will ever come back online, but what I know is, I have its virtual disk and it seems to be undamaged; I can mount it on another system and access all of its contents.

I'd like to rebuild the CA on a new virtual machine, and I'm accustomed to this process, having performed lots of CA migrations before; I know where to find the Certification Authority database (C:\Windows\system32\certlog), and how to copy it over to a newly-built CA.

What I don't know is, where is the CA's root certificate stored? I'll need its private key in order to rebuild the CA, but I don't know where to find it on the failed CA's virtual disk.

Massimo
    I may convert this to an answer in a bit, if I can verify it, but it appears (based on checking against the couple of root CAs I set up for my employer) that the private key for the root certificate is located in the same place as [the other private keys: `C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys`](http://msdn.microsoft.com/en-us/library/aa717039.aspx). There doesn't seem to be a simple way to match up a private key from this location to the public key on a non-working machine, but for my CAs, the timestamps on the public and private key match up. – HopelessN00b Dec 12 '14 at 17:14
  • If that is actually the right place where to look, and assuming it is possible to locate the right file... then, in what format is that key stored? How can it be imported on another machine, so that it may be selected as an existing private key when building the new CA? – Massimo Dec 12 '14 at 17:20
  • That's what I'm working on. As CryptoGuy's answer states, it (and the entire folder, in fact) are encrypted by Microsoft's Data Protection API. But that uses a symmetric key, which also has to be stored somewhere, so I'm trying to see if I can figure out a way to decrypt the file I believe to be my CA's private key. – HopelessN00b Dec 12 '14 at 17:31

1 Answer


You can't recover the CA key from an offline machine. There are two reasons:

  1. The reference to a key is somewhat complicated, so it is hard to find the actual private key file name. In your case, the private key file is located in: %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys
  2. Even if you succeed in identifying the file name, you won't be able to just copy the file to another computer and restore the key pair, because the private key is protected locally by DPAPI and you will fail to decrypt the encrypted key on another computer.

If you could run the computer in at least Safe Mode (or Safe Mode with Command Prompt), you could easily identify the file name and attempt to export the key to a PFX.

Crypt32
  • See the linked question... several VMs on that Hyper-V cluster are completely unable to boot. Most of them we can rebuild, but losing the CA would be a real showstopper. – Massimo Dec 12 '14 at 17:27
  • 1
    (And yes, I know they should have backed up the CA. Please don't get me started on this...) – Massimo Dec 12 '14 at 17:28
  • Unfortunately, you are out of luck. Start over. – Crypt32 Dec 12 '14 at 17:30
  • @Massimo This actually might be a lot more doable than CryptoGuy suggests... [The DPAPI has allegedly been reverse engineered](http://en.wikipedia.org/wiki/Data_Protection_API), and [a tool exists for offline encryption of files encrypted with DPAPI](http://passcape.com/windows_password_recovery_dpapi_decoder). It's not free, but I'm going to see if I can find one that is. – HopelessN00b Dec 12 '14 at 17:48
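The procedure the answer describes for a CA that still boots (resolve the certificate to its key file, then export the key to a PFX), as an added PowerShell example that is not part of the original question or answer. It assumes the CertSvc registry layout (`Configuration\Active` and `Configuration\<CAName>\CACertHash`), the `Unique container name` and `Provider` labels that `certutil -store` prints, and the placeholder `$BackupDir` and `$PfxPassword` values; run it from an elevated prompt on the CA host itself.

```powershell
# Added example (not from the question or the answer). Run elevated on a
# working CA host. It (1) finds the CA's own certificate via the CertSvc
# registry, (2) resolves which DPAPI-protected key file on disk backs it, and
# (3) exports certificate + key to a password-protected PFX, the only portable
# form of the key. Assumptions: the registry value names, certutil's output
# labels, and the placeholder folder/password below.

$BackupDir   = 'C:\CA-Backup'                    # assumption: any writable folder
$PfxPassword = 'ReplaceWithAStrongPassphrase'    # assumption: placeholder only

# 1. Which certificate in LocalMachine\My is the CA's? CertSvc records the
#    active CA name and the SHA-1 hash(es) of its signing certificate(s); after
#    a renewal the last hash is the current one.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active
$thumb  = ((Get-ItemProperty "$cfg\$caName").CACertHash | Select-Object -Last 1) -replace '\s', ''
$caCert = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $caCert.HasPrivateKey) { throw "CA cert $thumb has no private key on this host" }

# 2. Map the certificate to its key file: cert -> key container -> unique file
#    name, stored under Crypto\Keys (CNG KSP) or Crypto\RSA\MachineKeys (legacy
#    CSP). This is the "somewhat complicated" reference the answer mentions.
$info     = certutil -store My $thumb | Out-String
$unique   = [regex]::Match($info, 'Unique container name[:=]\s*(\S+)').Groups[1].Value
$provider = [regex]::Match($info, 'Provider\s*=\s*(.+)').Groups[1].Value.Trim()
if (-not $unique) { throw "certutil did not report a key container for $thumb" }
$keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $unique } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$unique' not found under $($keyDirs -join ', ')" }
"CA '$caName'  cert $thumb  provider '$provider'"
"Key file: $keyFile  (DPAPI-protected; not usable on another machine as-is)"

# 3. Export cert + key in the portable form. certutil -backupKey writes a
#    <CAName>.p12 (name sanitised if the CA name has odd characters).
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
certutil -p $PfxPassword -backupKey $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed (exit $LASTEXITCODE)" }
$pfx = Get-ChildItem $BackupDir -Filter *.p12 |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Sanity check: the PFX must open with the passphrase and carry the CA key.
$bag = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bag.Import($pfx.FullName, $PfxPassword, 'DefaultKeySet')
$restored = $bag | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $restored -or -not $restored.HasPrivateKey) { throw "$($pfx.FullName) does not contain the CA key" }
"Exported $($pfx.FullName); restore on the new CA with: certutil -p <pw> -restoreKey <file>"
```

Step 2 is the check worth running once on any CA you operate: it tells you which file under `Crypto\Keys` or `RSA\MachineKeys` is the CA key, so that if the machine ever dies you at least know what you lost. The PFX from step 3 (or from `Backup-CARoleService -KeyOnly`, which wraps the same operation on 2012 and later) is what the "existing private key" option in the new CA's setup wizard can consume; the raw key file from a dead disk, as the answer says, is not, because its DPAPI wrapping is bound to the original machine.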