Converts PKCS#12/PFX file or X509Certificate2 object to OpenSSL-compatible PEM (Privacy Enhanced Mail) file.
Convert-PfxToPem [-InputFile] <FileInfo> [-Password] <SecureString> [-OutputFile] <FileInfo> [[-OutputType] <String> {Pkcs1 | Pkcs8} ] [-IncludeChain] [<CommonParameters>]
Convert-PfxToPem [-Certificate] <X509Certificate2> [-OutputFile] <FileInfo> [[-OutputType] <String> {Pkcs1 | Pkcs8} ] [-IncludeChain] [<CommonParameters>]
Converts PKCS#12/PFX file or X509Certificate2 object to OpenSSL-compatible PEM (Privacy Enhanced Mail) file. The command converts a CryptoAPI X.509 certificate and private key to an X.509 public certificate and an associated private key in either PKCS#1 or PKCS#8 format.
Note: for this command to succeed, the private key must be marked as exportable in plain text mode.
-InputFile <FileInfo>
Specifies the path to a PKCS#12/PFX file. The Password parameter is required when using this parameter.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Password <SecureString>
Specifies the password to open the PKCS#12/PFX file. This parameter is mandatory when using the InputFile parameter.
Required? | True |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-OutputFile <FileInfo>
Specifies the path to an output PEM file.
Required? | True |
Position? | 2 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-OutputType <String>
Specifies the format for the exported private key. Possible values are 'Pkcs1' or 'Pkcs8' (default).
Required? | False |
Position? | 3 |
Default value | Pkcs8 |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Certificate <X509Certificate2>
Specifies an existing X509Certificate2 object that contains an associated exportable private key.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-IncludeChain
Attempts to build the certificate chain and exports the chain certificates to the PEM file along with the private key.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
System.Security.Cryptography.X509Certificates.X509Certificate2
None.
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> $pass = Read-Host "Enter password for PFX file:" -AsSecureString
PS C:\> Convert-PfxToPem -InputFile c:\test\ssl.pfx -Password $pass -OutputFile c:\test\ssl.pem
In this example, the ssl.pfx file is converted to PEM format. The public certificate and associated private key are saved in the same file. The private key is encoded in PKCS#8 format.
PS C:\> Convert-PfxToPem -InputFile c:\test\ssl.pfx -Password (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force) -OutputFile c:\test\ssl.pem -OutputType Pkcs1
Similar to the previous example, but can be used in quiet (non-interactive) mode because the password is supplied inline; the password is then visible in plain text in the command line and in any script that contains it. In this example, the ssl.pfx file is converted to PEM format. The public certificate and associated private key are saved in the same file. The private key is encoded in PKCS#1 format.
PS C:\> $cert = @(Get-ChildItem cert:\LocalMachine\My | Where-Object {$_.Subject -like "*www.company.com*"})[0]
PS C:\> Convert-PfxToPem -Certificate $cert -OutputFile c:\test\ssl.pem -IncludeChain
In this example, the certificate is retrieved from the local certificate store and the converted PEM is saved to the 'ssl.pem' file. The private key is converted to PKCS#8 format. The resulting file will contain: the PKCS#8 private key, the leaf certificate and all available intermediate CA certificates, including the Root CA certificate if applicable.
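Because the examples above save the private key and certificates in one PEM file, the following added example (not part of the module or of the original help page) reports which key format and how many certificates a PEM file contains, and restricts the file's ACL to the current user. Get-PemSummary and Protect-PemFile are hypothetical helper names, the sample PEM text is constructed, and the standard OpenSSL PEM labels are assumed.

```powershell
# Added example. Get-PemSummary and Protect-PemFile are hypothetical helper names.
function Get-PemSummary {
    param([Parameter(Mandatory)][string]$Text)
    # Collect the label of every "-----BEGIN <label>-----" armor line, in file order.
    $labels = @([regex]::Matches($Text, '-----BEGIN ([A-Z0-9 ]+)-----') |
        ForEach-Object { $_.Groups[1].Value })
    $keys = @($labels | Where-Object { $_ -like '*PRIVATE KEY' })
    $format = 'None'
    if ($keys.Count -gt 0) {
        # Standard OpenSSL PEM labels (assumed to be what the export writes).
        $format = switch ($keys[0]) {
            'RSA PRIVATE KEY'       { 'Pkcs1' }
            'PRIVATE KEY'           { 'Pkcs8' }
            'ENCRYPTED PRIVATE KEY' { 'Pkcs8 (encrypted)' }
            default                 { 'Unknown' }
        }
    }
    [pscustomobject]@{
        KeyFormat        = $format
        PrivateKeyCount  = $keys.Count
        CertificateCount = @($labels | Where-Object { $_ -eq 'CERTIFICATE' }).Count
        KeyIsPlaintext   = ($keys.Count -gt 0 -and $keys[0] -ne 'ENCRYPTED PRIVATE KEY')
    }
}

function Protect-PemFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Constructed sample: placeholder bodies, not real key or certificate data.
$sample = @'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
'@
Get-PemSummary -Text $sample

# Against a real export, for example the file from the examples above:
# Get-PemSummary -Text (Get-Content -Raw -LiteralPath c:\test\ssl.pem)
# Protect-PemFile -Path c:\test\ssl.pem
```

Protect-PemFile leaves only a FullControl entry for the account that runs it, so run it as the account that will later read the key.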