Recover password from .pfx file

  • I have an old Windows SmartClient application that is published with a signed certificate (a .pfx file). We want to extend the expiration date to more than one year. I've used a program called RenewCert to do this with other certs. However, we don't know the password to this cert, which is required by RenewCert. I tried using a program called CertificatePasswordRecovery to recover the password, but it could not find it.

    The only choice now seems to be to generate a new cert, which will require an uninstall/reinstall of the application on all machines.

    Is this correct? Or can you think of any other possibilities?

    Edit: more info:
    I saw another potential solution on the internet where you open the file in Notepad and search for signtool.exe, and the password will follow the /p switch. I was not successful, but I'm not sure if I approached it correctly. In Notepad, I just see a bunch of Chinese symbols. Then I tried looking at the pfx file in UltraEdit, in both text and hex mode, but I didn't see anything like "signtool.exe". I looked for the ASCII hex of "sign" - 73 69 67 6e - but didn't find it.

    In regard to your edit: I assume the file you're talking about is the .pfx? I would be shocked if the password to decrypt the private key was embedded in the same file as the encrypted private key. That would be like putting all my money in a safe and then sticking a post-it note on the front with the combo. On the other hand, if by "the file" you mean a script that you used to generate the certificate the first time, then this might work.

    I meant (because I thought they meant) that the password was encrypted in the .pfx file. If the password is not encrypted in the pfx file, then both of the methods I've talked about here are pointless.

    huh? If it's encrypted then you'll just see "chinese symbols". How do you plan to decrypt it? Does that mean there's a second password needed to decrypt the first password?

    I'm just an application developer trying to do something over my head. Thanks for your help.

    Yeah, I'm sorry if that sounded snarky. Clearly what you need is encrypted in that .pfx file (either the private key, or the password needed to decrypt the private key). But it's _encrypted_, so you won't be able to get it by simply opening the file in a hex editor --> give us cryptographers more credit than that!

    No worries, you've helped a lot, I appreciate it.

  • First, I have an issue with nomenclature: articles like the one you linked to sort of suggest that the terms "public/private key pair" and "certificate" are interchangeable. In reality, a certificate is just the public key part of the key pair, and a .pfx file is a bundle that contains both the certificate (public part) and the encrypted private key [source].

    (It grinds my gears when people talk about a "password protecting a certificate" which makes no sense since a certificate is public information! You really mean "password protecting a private key". But since the PFX format encourages people to think of it all as one bundle, I guess this is forgivable.)

    Based on that article you linked, it looks like RenewCert is using the private key associated with that certificate to generate a new self-signed certificate containing the same public key as the old cert (and getting a longer expiry date on it in the process). Self-signed certs would fail in HTTPS, but your SmartClient applications should be fine with it. Certificates need to be signed by somebody's private key, so RenewCert is using the same keypair that you are certifying to do the signature (hence "self-signed certificate").

    The other way to renew a certificate is by submitting a certificate signing request (CSR) to a certificate authority (CA). Unfortunately, here too you need access to the private key so you can prove to the CA that you own this key through a proof-of-possession [see RFC 4211 Section 4 and an IETF statement about POPs in CSRs].

    So the answer to your question is: unless you can find a way to access that private key (by remembering the password on the .pfx file, or by finding the private key in a backup somewhere) your only option is to generate a new keypair, make a completely new certificate, and update all the applications. No way around that... the whole point of certificates is to prove that you own the corresponding private key.
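The points made in the question and the answer above (the password is not stored in the .pfx, a recovery tool can only guess it, and both the RenewCert-style self-signed renewal and the CSR route need the decrypted private key) can be checked end to end with the Python `cryptography` package. The following is an added example, not code from the original post, from RenewCert or from CertificatePasswordRecovery; it assumes `cryptography` is installed (`pip install cryptography`), and the subject name, bundle name, password and candidate wordlist are made up for the demo.

```python
"""Added example (not from the original post). Builds a throwaway .pfx,
shows the password is not in the file, recovers it only by guessing,
then renews the certificate with the same keypair. Assumes the
third-party 'cryptography' package; all names and passwords are made up."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Made-up subject for the demo certificate.
SUBJECT = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example SmartClient")])


def self_signed_cert(key, public_key, days):
    """Issue a certificate over PUBLIC_KEY, signed with KEY (self-signed
    when KEY is the private half of PUBLIC_KEY, as RenewCert does)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(SUBJECT)
        .issuer_name(SUBJECT)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )


def make_pfx(password: bytes, days: int = 365) -> bytes:
    """PKCS#12 bundle: the (public) certificate plus the private key,
    the latter encrypted under a key derived from PASSWORD."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = self_signed_cert(key, key.public_key(), days)
    return pkcs12.serialize_key_and_certificates(
        name=b"smartclient", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def password_is_in_pfx(pfx: bytes, password: bytes) -> bool:
    """The hex-editor approach from the question: the password is only
    an input to the key derivation, it is never written into the file."""
    return password in pfx


def guess_pfx_password(pfx: bytes, candidates):
    """Dictionary attack, the only 'recovery' possible: a wrong password
    fails the PKCS#12 MAC/decryption check and raises ValueError."""
    for candidate in candidates:
        try:
            pkcs12.load_key_and_certificates(pfx, candidate)
            return candidate
        except ValueError:
            continue
    return None


def not_after(cert):
    # cryptography >= 42 exposes an aware datetime; fall back on older versions.
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after


def renew_pfx(pfx: bytes, password: bytes, days: int) -> bytes:
    """RenewCert-style renewal: the same keypair signs a fresh self-signed
    certificate with a later expiry. The private key is needed to sign,
    hence the password is needed."""
    key, cert, _ = pkcs12.load_key_and_certificates(pfx, password)
    new_cert = self_signed_cert(key, key.public_key(), days)
    assert new_cert.public_key().public_numbers() == cert.public_key().public_numbers()
    return pkcs12.serialize_key_and_certificates(
        name=b"smartclient", key=key, cert=new_cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def csr_proof_of_possession(pfx: bytes, password: bytes) -> bool:
    """The CA route: the CSR is signed with the private key; that
    signature is the proof of possession the CA verifies."""
    key, _, _ = pkcs12.load_key_and_certificates(pfx, password)
    csr = x509.CertificateSigningRequestBuilder().subject_name(SUBJECT).sign(key, hashes.SHA256())
    return csr.is_signature_valid


def expiry_delta_days(old_pfx: bytes, new_pfx: bytes, password: bytes) -> int:
    """How many days the renewal moved the expiry date."""
    _, old_cert, _ = pkcs12.load_key_and_certificates(old_pfx, password)
    _, new_cert, _ = pkcs12.load_key_and_certificates(new_pfx, password)
    return (not_after(new_cert) - not_after(old_cert)).days


if __name__ == "__main__":
    pw = b"correct horse"  # made-up password for the demo
    pfx = make_pfx(pw)
    print("password bytes present in file:", password_is_in_pfx(pfx, pw))
    print("guessed:", guess_pfx_password(pfx, [b"password", b"1234", pw]))
    renewed = renew_pfx(pfx, pw, days=365 * 5)
    print("expiry moved by days:", expiry_delta_days(pfx, renewed, pw))
    print("CSR proof of possession valid:", csr_proof_of_possession(pfx, pw))
```

Against a real bundle, `guess_pfx_password` with a proper wordlist is all a recovery tool does; if the password is not in the list, the private key stays out of reach and the only remaining path is the new keypair and redeploy the answer describes.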

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM