gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Windows7, provider: DigiCert PKI Client CSP, ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx/kull_m_file_writeData (0x8009000b) #338

Open minzak opened 3 years ago

minzak commented 3 years ago

I have Windows 7; I also checked export via the MS provider with a different key, and everything works.

But when the DigiCert PKI Client CSP provider is used, it does not work, and the app crashes when I use this command: crypto::keys /export /cngprovider:"DigiCert PKI Client CSP"

mimikatz # crypto::stores
Asking for System Store 'CURRENT_USER' (0x00010000)
 0. My
 1. Root
 2. Trust
 3. CA
 4. UserDS
 5. TrustedPublisher
 6. Disallowed
 7. AuthRoot
 8. TrustedPeople
 9. REQUEST
10. SmartCardRoot
mimikatz # crypto::providers

CryptoAPI providers :
 0. RSA_FULL      ( 1) - DigiCert PKI Client CSP
 1. RSA_FULL      ( 1)   - Microsoft Base Cryptographic Provider v1.0
 2. DSS_DH        (13)   - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
 3. DSS           ( 3)   - Microsoft Base DSS Cryptographic Provider
 4. RSA_FULL      ( 1) H - Microsoft Base Smart Card Crypto Provider
 5. DH_SCHANNEL   (18)   - Microsoft DH SChannel Cryptographic Provider
 6. RSA_FULL      ( 1)   - Microsoft Enhanced Cryptographic Provider v1.0
 7. DSS_DH        (13)   - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
 8. RSA_AES       (24)   - Microsoft Enhanced RSA and AES Cryptographic Provider
 9. RSA_SCHANNEL  (12)   - Microsoft RSA SChannel Cryptographic Provider
10. RSA_FULL      ( 1)   - Microsoft Strong Cryptographic Provider

CryptoAPI provider types:
 0. RSA_FULL      ( 1) - RSA Full (Signature and Key Exchange)
 1. DSS           ( 3) - DSS Signature
 2. RSA_SCHANNEL  (12) - RSA SChannel
 3. DSS_DH        (13) - DSS Signature with Diffie-Hellman Key Exchange
 4. DH_SCHANNEL   (18) - Diffie-Hellman SChannel
 5. RSA_AES       (24) - RSA Full and AES

CNG providers :
 0. DigiCert PKI Client KSP
 1. Microsoft Primitive Provider
 2. Microsoft Smart Card Key Storage Provider
 3. Microsoft Software Key Storage Provider
 4. Microsoft SSL Protocol Provider
mimikatz # crypto::keys /export /cngprovider:"DigiCert PKI Client CSP"
 * Store         : 'user'
 * Provider      : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
 * Provider type : 'PROV_RSA_FULL' (1)
 * CNG Provider  : 'DigiCert PKI Client CSP'

CryptoAPI keys :

CNG keys :

App CRASH is here.

mimikatz # crypto::certificates /export
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'

 0. YYYY
    Subject  : CN=XXX, CN=XXX, OID.1.2.840.113549.1.9.2=XXX@XXX.c
=MULTI-ALLOWED
    Issuer   : O=XXX, CN=XXX Corporation CA
    Serial   : c4c8bda79dfd9680937b5592f5bf9129
    Algorithm: 1.2.840.113549.1.1.1 (RSA)
    Validity : Tue 09.03.21 2:00:00 AM -> Thu 10.03.22 1:59:59 AM
    UPN      : XXX@XXX.com
    Hash SHA1: f7c0105ea468b9a9452a7847ad9c9ab6264b04cc
        Key Container  : !F7C0105EA468B9A9452A7847AD9C9AB6264B04CC
        Provider       : DigiCert PKI Client CSP
        Provider type  : RSA_FULL (1)
        Type           : CNG Key (0xffffffff)
        |Provider name : DigiCert PKI Client KSP
        Key Container  : !F7C0105EA468B9A9452A7847AD9C9AB6264B04CC
        Unique name    : !F7C0105EA468B9A9452A7847AD9C9AB6264B04CC
        Algorithm      : RSA
        Key size       : 2048 (0x00000800)
        Public export  : OK - 'CURRENT_USER_My_0_YYYY'
        Private export : ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx/kull_m_file_writeData (0x8009000b)

Of course I use the full command sequence, but it does not help:

privilege::debug
sekurlsa::logonpasswords
crypto::capi
crypto::cng
crypto::extract
crypto::stores
crypto::providers
crypto::keys /export
crypto::certificates /export
crypto::keys /export /cngprovider:"DigiCert PKI Client CSP"
crypto::certificates /export /cngprovider:"DigiCert PKI Client CSP"

P.S. I can upload this VirtualBox VM, just write to me.

minzak commented 3 years ago

P.S. DigiCert PKI Client CSP is a software client for certificate enrollment. And I'm almost sure it uses a CSR request.
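The 0x8009000b in the "Private export" line above is the HRESULT NTE_BAD_KEY_STATE ("Key not valid for use in specified state"), which is what a provider returns when asked to export a key whose export policy forbids it. mimikatz's crypto::capi and crypto::cng patches target Microsoft's own provider code; a third-party KSP such as the DigiCert PKI Client KSP applies its own export policy, which those patches do not touch, so the same export fails outside mimikatz as well. The PowerShell below is an added triage script for this thread, not part of the issue or of mimikatz: it lists every certificate with a private key in the current user's My store, shows which provider and container hold the key and what export policy the provider reports, then attempts the same PFX export through .NET and decodes the HRESULT. It assumes PowerShell 3.0 or later and .NET Framework 4.6 or later (RSACertificateExtensions, RSACng), only inspects RSA keys, and uses a throwaway PFX password 'pw' chosen for the example.

```powershell
# Added triage script for this thread; not part of the issue or of mimikatz.
# Assumes PowerShell 3.0+ and .NET Framework 4.6+ (RSACertificateExtensions / RSACng).
# 0x8009000B = NTE_BAD_KEY_STATE: the provider refused to export the key.

Add-Type -AssemblyName System.Core   # CngKey, CngExportPolicies

$NTE_BAD_KEY_STATE = 0x8009000B      # parsed as Int64 in PowerShell, compare after widening

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        KeyType    = 'unknown (non-RSA or no handle)'
        Provider   = $null
        Container  = $null
        Exportable = $null
    }
    # Returns RSACng for keys held by a KSP, RSACryptoServiceProvider for legacy CSP keys,
    # $null if the key is not RSA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the KSP (e.g. "DigiCert PKI Client KSP") owns the export policy.
        $k = $rsa.Key
        $info.KeyType    = 'CNG'
        $info.Provider   = $k.Provider.Provider
        $info.Container  = $k.KeyName
        $info.Exportable = ($k.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI key: ask the CSP through the key container info.
        $c = $rsa.CspKeyContainerInfo
        $info.KeyType    = 'CAPI'
        $info.Provider   = $c.ProviderName
        $info.Container  = $c.KeyContainerName
        $info.Exportable = $c.Exportable
    }
    [pscustomobject]$info
}

function Test-PfxExport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    try {
        # Same operation mimikatz performs (PFXExportCertStoreEx under the hood).
        $pfx = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'pw')
        'OK ({0} bytes)' -f $pfx.Length
    } catch {
        # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap to the real one.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $hr = $ex.HResult -band 0xFFFFFFFF   # widen to Int64 so the hex prints unsigned
        if ($hr -eq $NTE_BAD_KEY_STATE) {
            $why = 'NTE_BAD_KEY_STATE: key marked non-exportable by its provider'
        } else {
            $why = $ex.Message
        }
        'FAILED 0x{0:X8} {1}' -f $hr, $why
    }
}

Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $row = Get-PrivateKeyInfo $_
    $row | Add-Member -MemberType NoteProperty -Name PfxExport -Value (Test-PfxExport $_) -PassThru
} | Format-List
```

A key whose row shows Provider "DigiCert PKI Client KSP", Exportable False and PfxExport "FAILED 0x8009000B ..." is being refused by the KSP itself, and no amount of re-running the export from mimikatz will change that; a key held by "Microsoft Software Key Storage Provider" with Exportable False is the case the crypto::cng patch is meant for.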