Convert-Pfx
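function Convert-Pfx {
    <#
    .SYNOPSIS
        Converts PFX to .cer and .key
    .DESCRIPTION
        Converts a PKCS#12 bundle (.pfx or .p12) into a PEM certificate (.cer), an
        unencrypted PEM private key (.key) and, with -IncludeCA, the CA chain (-ca.cer).
        The output files are written next to the input file.
        Requires openssl on the PATH.

        The PFX password is handed to openssl through an environment variable
        (-passin env:) instead of on the command line, so it does not appear in
        process listings or shell history. The variable is removed again when
        the function finishes, whether or not openssl succeeded.

        And a gentle reminder: after you've got those keys out into PEM files,
        ensure they are protected or deleted once you've imported them elsewhere.
        The .key file is written without a passphrase (-nodes).
    .PARAMETER FilePath
        One or more paths to PFX/P12 files. Accepts pipeline input, including
        FileInfo objects from Get-ChildItem (via the FullName alias).
    .PARAMETER Credential
        A PSCredential whose password is the PFX password (the user name is ignored).
        This avoids plain-text passwords being passed around the command line. Use this or SecureString.
    .PARAMETER SecureString
        The PFX password in securestring format. Easiest way to get this is to do (Get-Credential whocares).Password
        This avoids plain-text passwords being passed around the command line. Use this or Credential.
    .PARAMETER IncludeCA
        If set, the CA certificate chain will be exported as well, if it exists
    .OUTPUTS
        System.IO.FileInfo for each file written (CA cert first when -IncludeCA is set,
        then the certificate, then the key).
    .EXAMPLE
        Convert-Pfx -FilePath ./vcenter2.pfx -Credential nobody -IncludeCA

            Directory: /mnt/c/temp

        UnixMode   User  Group  LastWriteTime      Size  Name
        --------   ----  -----  -------------      ----  ----
        -rwxrwxrwx ctrlb ctrlb  01/19/2022 22:52   1834  vcenter2.cer
        -rwxrwxrwx ctrlb ctrlb  01/19/2022 22:52   1704  vcenter2.key
        -rwxrwxrwx ctrlb ctrlb  01/19/2022 22:52   1704  vcenter2-ca.cer
    .EXAMPLE
        Convert-Pfx -FilePath ./vcenter2.pfx -SecureString (Get-Credential nobody).Password

            Directory: /mnt/c/temp

        UnixMode   User  Group  LastWriteTime      Size  Name
        --------   ----  -----  -------------      ----  ----
        -rwxrwxrwx ctrlb ctrlb  01/19/2022 22:52   1834  vcenter2.cer
        -rwxrwxrwx ctrlb ctrlb  01/19/2022 22:52   1704  vcenter2.key
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Alias("FullName")]
        [string[]]$FilePath,
        [securestring]$SecureString,
        [pscredential]$Credential,
        [switch]$IncludeCA
    )
    process {
        if (-not $SecureString -and -not $Credential) {
            throw "SecureString or Credential must be set"
        }
        if (-not $Credential) {
            $Credential = New-Object System.Management.Automation.PSCredential("nobody", $SecureString)
        }

        # $FilePath is [string[]]; handle each element so both "-FilePath a.pfx,b.pfx"
        # and pipeline input work (the original used the whole array as one path).
        foreach ($file in $FilePath) {
            # -LiteralPath: brackets in file names are not wildcards.
            # -ErrorAction Stop: a missing file is an error instead of a $null $path
            # that would otherwise produce output names with no base name.
            $path = Get-Item -LiteralPath $file -ErrorAction Stop
            if ($path.Extension -notin '.pfx', '.p12') {
                throw "needs to be a pfx"
            }

            $pfx = $path.FullName
            $basename = $path.BaseName
            $dir = Split-Path $pfx
            $certpath = Join-Path -Path $dir -ChildPath "$basename.cer"
            $keypath = Join-Path -Path $dir -ChildPath "$basename.key"
            $cacertpath = Join-Path -Path $dir -ChildPath "$basename-ca.cer"

            try {
                # openssl reads the password from this environment variable, which child
                # processes inherit. Unlike "-passin pass:", nothing ends up in argv.
                # It is cleared in the finally block below.
                $env:CONVERT_PFX_PASSIN = $Credential.GetNetworkCredential().Password

                # A try/catch does not see native-command failures, so check $LASTEXITCODE
                # after each pipeline. $LASTEXITCODE is that of the last stage; on a wrong
                # password the first stage emits nothing and pkcs8/x509 fail on empty input.
                openssl pkcs12 -in $pfx -nocerts -nodes -passin env:CONVERT_PFX_PASSIN | openssl pkcs8 -nocrypt -out $keypath
                if ($LASTEXITCODE -ne 0) {
                    throw "openssl could not extract the private key from $pfx (exit code $LASTEXITCODE)"
                }

                openssl pkcs12 -in $pfx -clcerts -nokeys -passin env:CONVERT_PFX_PASSIN | openssl x509 -out $certpath
                if ($LASTEXITCODE -ne 0) {
                    throw "openssl could not extract the certificate from $pfx (exit code $LASTEXITCODE)"
                }

                if ($IncludeCA) {
                    openssl pkcs12 -in $pfx -cacerts -passin env:CONVERT_PFX_PASSIN -nokeys -chain | openssl x509 -out $cacertpath
                    if ($LASTEXITCODE -ne 0) {
                        throw "openssl could not extract the CA chain from $pfx (exit code $LASTEXITCODE)"
                    }
                    Get-Item -LiteralPath $cacertpath -ErrorAction SilentlyContinue
                }
                Get-Item -LiteralPath $certpath -ErrorAction SilentlyContinue
                Get-Item -LiteralPath $keypath -ErrorAction SilentlyContinue
            } catch {
                # Best-effort per file: report and move on to the next path, as before.
                Write-Warning $PSItem
            } finally {
                # Never leave the plaintext password in the environment of this session.
                Remove-Item -Path Env:\CONVERT_PFX_PASSIN -ErrorAction SilentlyContinue
            }
        }
    }
}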