Solved

How to recover private key certificates from a bkp HD?

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi,

I had a bad HD, so I installed Windows on the new one and copied all the files I wanted from the bad HD.
The only thing that I could not get back is my private certificates. I have 1 or 2 exported in pfx format and all of them exported as p7b, but the p7b does not include the private certificate, so I cannot use it.

I still have the bad HD with me (which does not boot), so is there a way to recover the certificate files from the bad HD?
Question by:tarcis
 
LVL 8

Expert Comment

by:Shmoid
ID: 36513752
It might be possible to recover the private keys but it will depend on several factors.

Are you in an Active Directory Domain?

Were the certs issued from an internal CA, a 3rd party vendor or did you create them manually with a utility such as OpenSSL, KeyStore Explorer, Portecle, etc.?

If an internal CA, does the CA have key archival turned on?

Do you know the password used to encrypt the private key?

Do you know if the private keys are marked as exportable?

You said you could access the bad HD but it will not boot.  Are you accessing it as a slave drive or connected via an adapter?

Does the drive have corrupted data?

Let me know the answers to these questions and I’ll give you my opinion as to the recoverability of the private keys.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36513981
Are you in an Active Directory Domain?
No, it's a home PC.

Were the certs issued from an internal CA, a 3rd party vendor or did you create them manually with a utility such as OpenSSL, KeyStore Explorer, Portecle, etc.?
They were issued from certsign; it's an A1 certificate used to log in to government tax websites.

If an internal CA, does the CA have key archival turned on?
Does not apply.

Do you know the password used to encrypt the private key?
Yes.

Do you know if the private keys are marked as exportable?
The certificates were installed on the machine (visible in IE->certificates), not exported as a file.

You said you could access the bad HD but it will not boot.  Are you accessing it as a slave drive or connected via an adapter?
I'm accessing it as a slave drive, but I looked and all files are there except the Windows folder (if I need the Windows folder, I can try to recover it using recovery software).

Does the drive have corrupted data?
It has bad sectors but I can access data on it.

Thank you so much for your help
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36515264
Since you are not in a domain where certs were issued from an internal CA that rules out the option of using a key recovery agent.

Unfortunately, without that option and the drive being unbootable I know of no way to recover the private key. It is stored on the drive but it is encrypted with a random symmetric key.  There is a great explanation about how private keys are stored here: http://technet.microsoft.com/en-us/library/cc962112.aspx

As you said you could try to recover the windows folder but that probably won't make the drive bootable. If by some chance you can recover the windows folder AND get the drive to boot you should immediately try to export the keys from IE or from the certificate snap-in in MMC. You may only get one chance as the drive may not last. While the drive is still slaved you could try running scandisk. Over the years I've had a couple of drives that I was able to get to boot again after running scandisk but not nearly as many as I tried. It just depends on what kind of damage and why the drive failed.

If all that fails you will have no choice but to obtain new certificates. Since you mentioned they are used for login I will assume that there is no data that was encrypted with them and they were only used for authentication.  If that is the case I would just get new certs as that will probably be the easiest and quickest thing to do.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36515928
Thank you for the explanation, the only reason I want to recover them (yes, they were only used for login) is because here in Brazil they charge you to get a new certificate, and there are like 20 certificates I need back. Just imagine the financial harm.
Maybe I could copy a registry key to a new PC and have IE behave as if it were the old IE from that PC (with the certificates). Anything is worth a shot here.
Thank you
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36525173
Understood. I'm guessing at this point that you are willing to try extreme measures. I'm afraid it's not quite as simple as just copying files, registry keys etc. The private keys are stored in the file system but they are encrypted with a random symmetric key. Even if you copy them, a different installation will not recognize them. I think your only hope of getting your keys is to get the bad drive to boot again.

 If I were in your situation I would proceed as follows:

First, try to get an image of the damaged drive. If it has bad sectors already it could become unreadable. The more you use it, the more likely that is to happen. My recommendation for a utility to image with would be a Unix/Linux utility called ddrescue, not to be confused with earlier or similar utilities such as dd, dd_rescue, ddrhelp. There are a slew of reasons to use this utility, but rather than reiterate them here have a look at this link: http://www.toad.com/gnu/sysadmin/index.html   There are several boot CDs out there that have the utility available. You will need to download an ISO and burn a CD that will boot to Linux and then use the ddrescue utility to create an image. With the proper tools you can even mount and work directly from that image but we'll cross that bridge later.

Once you have the image I would try to run scandisk, with the goal of getting the drive bootable again. If you can get it to boot, immediately try to export your keys.

I'm curious why the Windows directory is missing. It seems unlikely that scandisk can fix that, unless it was a simple data error in the directory's table entry. If scandisk doesn't get the Windows directory back, try to recover it. GetDataBack from Runtime Software is a good option.

You might also want to check out Scott Moulton's website http://myharddrivedied.com It has a ton of great information, including video presentations, on data recovery and computer forensics. It also has a list of excellent tools.

If all these efforts fail you could send the drive out to a data restoration company but that might be just as expensive as buying all new certs.

Let me know how it goes.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36525444
I think the Windows folder vanished after a chkdsk /r. Because at first when it didn't boot, I tried chkdsk and since it found bad sectors, I instantly got a new drive and installed Windows on the new one, and slaved the bad one.

I think it will be very hard to make it boot again, but I can work with that. Certificates, on the other hand, I know very little about, and it does sound like a mission impossible task since it's all encrypted.

I will leave this question open for a few more days in a desperate hope that some expert has another idea, but making the drive boot again should be the only solution here.

Thanks again.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36525919
If you want to at least get a copy of the encrypted keys they are located at the following locations:

XP:
C:\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA\S-1-5-xx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx

Vista and Win 7:
C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-xx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx


I have another idea. If you are willing to reinstall a couple of times you could install Windows, then copy the registry files and private keys from the bad drive to the clean install and see if you can access the keys. It’s a long shot I think, but worth a try.  Whether it works or not I would then blow it away and install again. If you have an additional drive you could use, you could just remove the drive you just purchased and set it aside while you test.

You could also put the bad drive back as primary and try to do a repair install.  Boot from Windows media and point to the old installation and tell it to repair. See what happens.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36536202
As you suspected, copying the files did not work. Bummer.
I will try the repair install this weekend.

Thank you again.
0
 
LVL 2

Assisted Solution

by:tarcis
tarcis earned 0 total points
ID: 36718644
I got it!
chkdsk had created a hidden found.000 folder in my HD root, and inside it 4 chdirxxxx.chk folders.
Examining the insides of these folders, I figured one was the Windows folder, the other was the system32 folder, the other was the drivers folder and the last one the config folder.
So I created a Windows folder on C: and cut and pasted the files from the first chdirxxxx.chk and did the same for all the others, and after a few safe modes and file copying I was able to boot to the damaged HD and export the certificates.

Thank you so much for your help
0
 
LVL 2

Author Closing Comment

by:tarcis
ID: 36902260
There is no way to get the certificates back without the old Windows.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36892773
Excellent! Glad you got your certificates back. Now you can keep a .pfx backup of all of them.

0
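The .pfx backup recommended above, as an added PowerShell example that is not part of the original thread. It assumes Windows 8 or later (where the `Export-PfxCertificate` cmdlet is available) and a hypothetical backup folder `E:\cert-backup`; certificates whose keys cannot be exported are reported so you know which ones still exist only on this installation.

```powershell
# Added example: back up every certificate in the current user's Personal
# store that has a private key to a password-protected .pfx file.
param(
    # Hypothetical path (assumption): point it at removable or offline storage.
    [string]$BackupDir = 'E:\cert-backup'
)

# Prompt for the password that will protect the exported private keys.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$results = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $row = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        Status     = ''
    }

    if (-not $cert.HasPrivateKey) {
        # Certificate only (this is all a .p7b contains): nothing to protect.
        $row.Status = 'NoPrivateKey'
        [pscustomobject]$row
        continue
    }

    $file = Join-Path $BackupDir ($cert.Thumbprint + '.pfx')
    try {
        Export-PfxCertificate -Cert $cert -FilePath $file `
            -Password $password -ErrorAction Stop | Out-Null
        $row.Status = 'Exported'
    }
    catch {
        # Usually the key was installed without being marked exportable,
        # so it cannot be backed up this way and lives only on this machine.
        $row.Status = 'ExportFailed: ' + $_.Exception.Message
    }
    [pscustomobject]$row
}

# Summary: anything not 'Exported' has no usable backup yet.
$results | Format-Table -AutoSize -Wrap
```

Store the resulting files and their password separately from the machine, since a .pfx contains the private key itself.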
