This page is retired and no longer updated. Project documentation and download links are moved to their new home: PowerShell PKI Module.

Convert-PfxToPem

Synopsis

Converts PKCS#12/PFX file or X509Certificate2 object to OpenSSL-compatible PEM (Privacy Enhanced Mail) file.

Syntax

Convert-PfxToPem [-InputFile] <FileInfo> [-Password] <SecureString> [-OutputFile] <FileInfo> [[-OutputType] <String> {Pkcs1 | Pkcs8} ] [-IncludeChain] [<CommonParameters>]

Convert-PfxToPem [-Certificate] <X509Certificate2> [-OutputFile] <FileInfo> [[-OutputType] <String> {Pkcs1 | Pkcs8} ] [-IncludeChain] [<CommonParameters>]

Description

Converts PKCS#12/PFX file or X509Certificate2 object to OpenSSL-compatible PEM (Privacy Enhanced Mail) file. The command converts CryptoAPI X.509 certificate and private key to a X.509 public certificate and associated either PKCS#1 or PKCS#8 private key.

Note: for this command to succeed, the private key must be marked as exportable in plain text mode.

Parameters

-InputFile <FileInfo>

Specifies the path to a PKCS#12/PFX file. Password parameter is required when using this parameter.

Required? True
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Password <SecureString>

Specifies the password to open PKCS#12/PFX file. This parameter is mandatory when using InputFile parameter.

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-OutputFile <FileInfo>

Specifies the path to a output PEM file.

Required? True
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? False

-OutputType <String>

Specifies the format for exported private key. Possible values are either: 'Pkcs1' or 'Pkcs8' (default).

Required? False
Position? 3
Default value Pkcs8
Accept pipeline input? false
Accept wildcard characters? False

-Certificate <X509Certificate2>

Specifies an existing X509Certificate2 object that contains associated exportable private key.

Required? True
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? False

-IncludeChain <SwitchParameter>

Attempts to build the certificate chain and exports them to PEM file along with private key.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

System.IO.FileInfo

System.Security.Cryptography.X509Certificates.X509Certificate2

Outputs

None.

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> $pass = Read-Host "Enter password for PFX file:" -AsSecureString
PS C:\> Convert-PfxToPem -InputPath c:\test\ssl.pfx -Password $pass -OutputPath c:\test\ssl.pem

In this example, ssl.pfx file is converted to PEM format. Public certificate and associated private key are saved in the same file. Private key is encoded in PKCS#8 format.

Example 2

PS C:\> Convert-PfxToPem -InputPath c:\test\ssl.pfx -Password (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force) -OutputPath c:\test\ssl.pem -OutputType Pkcs1

Similar to previous example which can be used in quiet mode. In this example, ssl.pfx file is converted to PEM format. Public certificate and associated private key are saved in the same file. Private key is encoded in PKCS#1 format.

Example 3

PS C:\> $cert = @(Get-ChildItem cert:\LocalMachine\My | Where-Object {$_.Subject -like "*www.company.com*"})[0]
PS C:\> Convert-PfxToPem -Certificate $cert -OutputPath c:\test\ssl.pem -IncludeChain

In this example, the certificate is retrieved from local certificate store and converted PEM is saved to 'ssl.pem' file. Private key is converted to PKCS#8 format. Resulted file will contain: PKCS#8 private key, leaf certificate and all available intermediate CA certificates, including Root CA certificate if applicable.

Related links

Convert-PemToPfx

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions

Share this article: