Clone Certificate does not work if S/N is negative

[emanuelduss]

It's not possible to clone the certificate if the serial number of the certificate is negative.

[yobroda]

Hey awesome creators of this tool, I am also not able to proceed ahead as my certificate is not cloning due to negative serial numbers. Till the issue is fixed in the tool, can you please assist me by telling me on how to clone a certificate with negative serial number with some other way. This would be very helpful during my testing.

[emanuelduss]

Hi yobroda

There are other possibilities to create a fake certificate or clone a certificate.

1. Create a new CA and issue a new certificate. You can use the following script and adjust the values to your needs: https://github.com/mindfuckup/Scripts/blob/master/makecert

2. You can also clone certificates by reading the original certificate and create new key material. You can e.g. use the following code: https://twitter.com/guedou/status/1091349140636864517

Best wishes, Emanuel

[emanuelduss]

Hi yobroda

You can simply clone a certificate using PowerShell:

$original = "c:\tmp\certificate.pem"
$cloned = "c:\tmp\cloned.p12"
$password = "Password-1234"

$cert_original = Get-PfxCertificate -FilePath  $original
$export_password = ConvertTo-SecureString -String $password -Force -AsPlainText
$cert_cloned = New-SelfSignedCertificate -CloneCert $cert_original -CertStoreLocation "Cert:\CurrentUser\My\"
$cert_cloned | Export-PfxCertificate -FilePath $cloned -Password $export_password
Remove-Item $cert_cloned.PSPath

https://gist.github.com/mindfuckup/ab6077634f1f9c132371b418db7bb1cc

Have fun ;-)

Emanuel

[yobroda]

Thanks for the explanation!

[emanuelduss]

BTW i recently discovered the clone-cert script, which does the same on Linux. Either specify a TLS server with port or a local certificate to clone: https://github.com/SySS-Research/clone-cert

Works really well :)

[yobroda]

Great, i will try this out !!