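function Convert-Pfx {
    <#
    .SYNOPSIS
    Converts a PFX (PKCS#12) file into a PEM certificate (.cer) and an unencrypted PEM private key (.key)
    .DESCRIPTION
    Converts PFX to .cer and .key, written next to the input file.
    Requires openssl on PATH.

    Security notes:
    - The PFX password is handed to openssl through an environment variable (-passin env:NAME),
      never as a command-line argument, so it does not show up in process listings (ps, Task
      Manager, command-line audit logs). The variable is removed as soon as the openssl calls
      for a file are done, even when they fail.
    - The private key is written UNENCRYPTED (PKCS#8, -nocrypt). On Unix-like hosts the .key
      file is chmod 600 right after it is written; on Windows it inherits the directory ACL.
    - Every openssl step is checked via $LASTEXITCODE. A wrong password is reported as a
      warning and a partially written .key file is removed.
    And a gentle reminder: after you've got those keys out into PEM files,
    ensure they are protected or deleted once you've imported them elsewhere
    .PARAMETER FilePath
    One or more paths to PFX (.pfx or .p12) files; wildcards are expanded. Accepts pipeline
    input, including FileInfo objects from Get-ChildItem (bound through the FullName property).
    .PARAMETER Credential
    Just use a Credential to set to password (the user name is ignored)
    This avoids plain-text passwords being passed around the command line. Use this or SecureString.
    .PARAMETER SecureString
    The PFX password in securestring format. Easiest way to get this is to do (Get-Credential whocares).Password
    This avoids plain-text passwords being passed around the command line. Use this or Credential.
    .PARAMETER IncludeCA
    If true, a CA certificate will be exported as well, if it exists
    .OUTPUTS
    System.IO.FileInfo for each file that was written (CA cert first, then cert, then key).
    .EXAMPLE
    Convert-Pfx -FilePath ./vcenter2.pfx -Credential nobody -IncludeCA
    Directory: /mnt/c/temp
    UnixMode User Group LastWriteTime Size Name
    -------- ---- ----- ------------- ---- ----
    -rwxrwxrwx ctrlb ctrlb 01/19/2022 22:52 1834 vcenter2.cer
    -rw------- ctrlb ctrlb 01/19/2022 22:52 1704 vcenter2.key
    -rwxrwxrwx ctrlb ctrlb 01/19/2022 22:52 1704 vcenter2-ca.cer
    .EXAMPLE
    Convert-Pfx -FilePath ./vcenter2.pfx -SecureString (Get-Credential nobody).Password
    Directory: /mnt/c/temp
    UnixMode User Group LastWriteTime Size Name
    -------- ---- ----- ------------- ---- ----
    -rwxrwxrwx ctrlb ctrlb 01/19/2022 22:52 1834 vcenter2.cer
    -rw------- ctrlb ctrlb 01/19/2022 22:52 1704 vcenter2.key
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias("FullName")]
        [string[]]$FilePath,
        [securestring]$SecureString,
        [pscredential]$Credential,
        [switch]$IncludeCA
    )
    begin {
        if (-not $SecureString -and -not $Credential) {
            throw "SecureString or Credential must be set"
        }
        if (-not $Credential) {
            $Credential = New-Object System.Management.Automation.PSCredential("nobody", $SecureString)
        }
        if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
            throw "openssl was not found on PATH"
        }
        # Name of the environment variable openssl reads the password from (-passin env:NAME).
        # Using env: instead of pass: keeps the password out of the process command line.
        $passVar = "CONVERT_PFX_PASSIN"
        # $PSVersionTable.Platform is 'Unix' on Linux/macOS pwsh and undefined on Windows
        # PowerShell 5.1, so the chmod step is skipped on Windows.
        $isUnix = ($PSVersionTable.Platform -eq 'Unix')
    }
    process {
        foreach ($item in $FilePath) {
            # Get-ChildItem keeps the original wildcard behaviour; each match is converted on its own.
            foreach ($path in (Get-ChildItem -Path $item -File -ErrorAction Stop)) {
                if ($path.Extension -notmatch '^\.(pfx|p12)$') {
                    throw "needs to be a pfx"
                }
                $in = $path.FullName
                $dir = $path.DirectoryName
                $basename = $path.BaseName
                $certpath = Join-Path -Path $dir -ChildPath "$basename.cer"
                $keypath = Join-Path -Path $dir -ChildPath "$basename.key"
                $cacertpath = Join-Path -Path $dir -ChildPath "$basename-ca.cer"

                try {
                    # Setting an environment variable to "" removes it, so an empty PFX password
                    # has to go through a literal (and equally empty) 'pass:' source.
                    $plain = $Credential.GetNetworkCredential().Password
                    if ([string]::IsNullOrEmpty($plain)) {
                        $passin = "pass:"
                    } else {
                        Set-Item -Path "Env:$passVar" -Value $plain
                        $passin = "env:$passVar"
                    }
                    $plain = $null

                    # Private key: pull it out unencrypted, then normalise to PKCS#8 PEM.
                    # The first stage is captured so a wrong password fails here, instead of
                    # feeding pkcs8 empty input and leaving a truncated .key behind.
                    $keyPem = openssl pkcs12 -in $in -nocerts -nodes -passin $passin
                    if ($LASTEXITCODE -ne 0 -or -not $keyPem) {
                        throw "openssl could not read the private key from '$in' (exit code $LASTEXITCODE) - wrong password?"
                    }
                    $keyPem | openssl pkcs8 -nocrypt -out $keypath
                    $keyPem = $null
                    if ($LASTEXITCODE -ne 0) {
                        Remove-Item -LiteralPath $keypath -Force -ErrorAction SilentlyContinue
                        throw "openssl pkcs8 failed for '$in' (exit code $LASTEXITCODE)"
                    }
                    if ($isUnix) {
                        # The key is now on disk in the clear; restrict it to the owner straight away.
                        chmod 600 $keypath
                    }

                    # Leaf certificate only (-clcerts); 'openssl x509' strips the Bag Attributes header.
                    openssl pkcs12 -in $in -clcerts -nokeys -passin $passin | openssl x509 -out $certpath
                    if ($LASTEXITCODE -ne 0) {
                        throw "openssl could not read the certificate from '$in' (exit code $LASTEXITCODE)"
                    }

                    if ($IncludeCA) {
                        # NOTE(review): 'openssl x509' emits a single certificate, so if the PFX
                        # carries more than one CA certificate only the first one lands in
                        # -ca.cer - confirm against your PFX if you need the whole chain.
                        openssl pkcs12 -in $in -cacerts -nokeys -chain -passin $passin | openssl x509 -out $cacertpath
                        if ($LASTEXITCODE -ne 0) {
                            # A PFX without CA certs is not an error ("if it exists"); just don't leave an empty file.
                            Remove-Item -LiteralPath $cacertpath -Force -ErrorAction SilentlyContinue
                            Write-Verbose "No CA certificate found in '$in'"
                        }
                        Get-ChildItem $cacertpath -ErrorAction SilentlyContinue
                    }
                    Get-ChildItem $certpath -ErrorAction SilentlyContinue
                    Get-ChildItem $keypath -ErrorAction SilentlyContinue
                } catch {
                    Write-Warning $PSItem
                } finally {
                    # Always scrub the password from the environment, even when openssl failed.
                    Remove-Item -Path "Env:$passVar" -ErrorAction SilentlyContinue
                }
            }
        }
    }
}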