Export the MS CA key and import it into EJBCA
We use the built-in functionality to back up an MS CA. This will give us a PKCS#12 file that we can import into EJBCA.
- Start a new "mmc" and add the "Certificate Authority" snap-in. Right-click the CA to export → All tasks → Back up CA...
- Follow the wizard and select "Private key and CA certificate", then choose somewhere to store the p12-file and a password.
- Copy the p12-file to the EJBCA machine and import it with
$EJBCA_HOME/bin/ejbca.sh ca importca "MS CA v1" /path/mscakey.p12
The CA should now appear in the EJBCA Admin GUI.
Import existing certificates into EJBCA
Importing certificates one at a time
- Certificates can be exported from the CA snap-in by opening each certificate and clicking "Copy to File...".
- Convert the certificate to PEM format with openssl
openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM
- Import to EJBCA with
$EJBCA_HOME/bin/ejbca.sh ca importcert username password "MS CA v1" status certificate.pem EndEntityProfile CertProfile
However, this is only suitable if you have a few certificates.
Importing the entire certificate database
The entire certificate database is stored in \windows\system32\CertLog\CA-name.edb. Certutil.exe, which comes with Windows Server, can be used to dump the different records from the database.
To dump all certificates with their UPN, TemplateName, Disposition (Issued, Revoked) and the PEM-encoded certificate, type
certutil -view -restrict "GeneralFlags>0" /out "UPN,CertificateTemplate,Disposition,RawCertificate" > certdump.txt
All that we need to do now to pwn the MS CA is to use a script that:
- Locates the next line that starts with "Row"
- Parses UPN
- Parses TemplateName
- Parses certificate status from the Disposition field
- Writes the PEM certificate to a temporary file
- Runs the import CLI with
  - Username: UPN-TemplateName
  - Password: foo123
  - CA name: From the command line of the script. Should be the name of the imported MS CA.
  - Status: ACTIVE if issued and REVOKED if revoked
  - Filename: the temporary file
  - EndEntityProfile: TemplateName (this of course has to exist; maybe easily importable from this page)
  - CertificateProfile: TemplateName (this of course has to exist; maybe easily importable from this page)
- Starts over until there are no more "Row"s
EJBCA comes with such a script. After compiling EJBCA with ant:
cd $EJBCA_HOME/tmp/bin/classes/
java org.ejbca.ui.cli.ImportMSCACertificates /path/certdump.txt "MS CA v1"
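
The parsing loop described in the steps above, as an added Python example (it is not the ImportMSCACertificates code that ships with EJBCA). The sample dump is constructed, the field labels are assumed to be certutil's English column names, and the ejbca.sh path is a placeholder; each import call is built as an argument list and returned rather than executed.

```python
import re
import tempfile

# Constructed sample; field labels are assumed to be certutil's English column names.
SAMPLE_DUMP = '''Row 1:
  User Principal Name: "alice@example.test"
  Certificate Template: "User"
  Request Disposition: 0x14 (20) -- Issued
  Binary Certificate:
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDE=
-----END CERTIFICATE-----
Row 2:
  User Principal Name: "bob@example.test"
  Certificate Template: "SmartcardLogon"
  Request Disposition: 0x15 (21) -- Revoked
  Binary Certificate:
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDI=
-----END CERTIFICATE-----
'''
FIELD = re.compile(r'^\s*(User Principal Name|Certificate Template|Request Disposition):\s*(.*)$')
PEM = re.compile(r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', re.S)

def parse_dump(text):
    """Return one dict per "Row" block; rows without a certificate are skipped."""
    rows = []
    for block in re.split(r'^Row \d+:\s*$', text, flags=re.M)[1:]:
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        pem = PEM.search(block)
        if pem:
            revoked = 'Revoked' in fields.get('Request Disposition', '')
            rows.append({'upn': fields.get('User Principal Name', '').strip('"'),
                         'template': fields.get('Certificate Template', '').strip('"'),
                         'status': 'REVOKED' if revoked else 'ACTIVE',
                         'pem': pem.group(0) + '\n'})
    return rows

def import_command(row, ca_name, pem_path, ejbca_sh='/opt/ejbca/bin/ejbca.sh'):
    """Build importcert as an argv list so a UPN is never interpreted by a shell."""
    return [ejbca_sh, 'ca', 'importcert', f"{row['upn']}-{row['template']}", 'foo123',
            ca_name, row['status'], pem_path, row['template'], row['template']]

def plan_import(text, ca_name):
    """Write each PEM to a temporary file and return the commands to run, in order."""
    commands = []
    for row in parse_dump(text):
        with tempfile.NamedTemporaryFile('w', suffix='.pem', delete=False) as handle:
            handle.write(row['pem'])
        commands.append(import_command(row, ca_name, handle.name))
    return commands
```

Each returned list can be passed to subprocess.run as-is, and the temporary PEM files can be deleted once the imports have finished.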