PowerShell PKI Module Documentation
Convert-PfxToPem
Synopsis
Converts PKCS#12/PFX file or X509Certificate2 object to OpenSSL-compatible PEM (Privacy Enhanced Mail) file.
Syntax
Convert-PfxToPem [-InputFile] <FileInfo> [-Password] <SecureString> [-OutputFile] <FileInfo> [[-OutputType] <String> {Pkcs1 | Pkcs8} ] [-IncludeChain] [<CommonParameters>]
Convert-PfxToPem [-Certificate] <X509Certificate2> [-OutputFile] <FileInfo> [[-OutputType] <String> {Pkcs1 | Pkcs8} ] [-IncludeChain] [<CommonParameters>]
Description
Converts a PKCS#12/PFX file or X509Certificate2 object to an OpenSSL-compatible PEM (Privacy Enhanced Mail) file. The command converts a CryptoAPI X.509 certificate and its private key to an X.509 public certificate and the associated private key in either PKCS#1 or PKCS#8 format.
Note: for this command to succeed, the private key must be marked as exportable in plain text mode.
Parameters
-InputFile <FileInfo>
Specifies the path to a PKCS#12/PFX file. The Password parameter is required when using this parameter.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Password <SecureString>
Specifies the password to open the PKCS#12/PFX file. This parameter is mandatory when using the InputFile parameter.
Required? | True |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-OutputFile <FileInfo>
Specifies the path to the output PEM file.
Required? | True |
Position? | 2 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-OutputType <String>
Specifies the format for the exported private key. Possible values are 'Pkcs1' or 'Pkcs8' (default).
Required? | False |
Position? | 3 |
Default value | Pkcs8 |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Certificate <X509Certificate2>
Specifies an existing X509Certificate2 object that has an associated exportable private key.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-IncludeChain <SwitchParameter>
Attempts to build the certificate chain and exports the chain certificates to the PEM file along with the private key.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
System.Security.Cryptography.X509Certificates.X509Certificate2
Outputs
None.
Notes
Examples
Example 1
PS C:\> $pass = Read-Host "Enter password for PFX file:" -AsSecureString
PS C:\> Convert-PfxToPem -InputFile c:\test\ssl.pfx -Password $pass -OutputFile c:\test\ssl.pem
In this example, the ssl.pfx file is converted to PEM format. The public certificate and the associated private key are saved in the same file. The private key is encoded in PKCS#8 format.
Example 2
PS C:\> Convert-PfxToPem -InputFile c:\test\ssl.pfx -Password (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force) -OutputFile c:\test\ssl.pem -OutputType Pkcs1
Similar to the previous example, but the password is passed inline so the command can be used in quiet mode.
In this example, the ssl.pfx file is converted to PEM format. The public certificate and the associated private key are saved in the same file. The private key is encoded in PKCS#1 format.
Example 3
PS C:\> $cert = @(Get-ChildItem cert:\LocalMachine\My | Where-Object {$_.Subject -like "*www.company.com*"})[0]
PS C:\> Convert-PfxToPem -Certificate $cert -OutputFile c:\test\ssl.pem -IncludeChain
In this example, the certificate is retrieved from the local certificate store and the converted PEM is saved to the 'ssl.pem' file. The private key is converted to PKCS#8 format. The resulting file will contain: the PKCS#8 private key, the leaf certificate and all available intermediate CA certificates, including the Root CA certificate if applicable.
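A post-conversion check, as an added example that is not part of the PowerShell PKI module: because the OutputFile holds the private key next to the certificates, it confirms the expected key format and restricts the file's ACL to the current user. Protect-PemExport is a hypothetical helper name, the sample file is constructed, and the standard PEM labels ('PRIVATE KEY' for PKCS#8, 'RSA PRIVATE KEY' for PKCS#1) are assumed to be what the cmdlet writes.

```powershell
# Added example, not module code. Protect-PemExport is a hypothetical helper name.
function Protect-PemExport {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('Pkcs1', 'Pkcs8')][string]$ExpectedKeyType = 'Pkcs8'
    )
    $text = Get-Content -LiteralPath $Path -Raw
    # Every PEM header label in file order, e.g. 'PRIVATE KEY', 'CERTIFICATE'.
    $labels = @([regex]::Matches($text, '-----BEGIN ([A-Z0-9 ]+)-----') |
        ForEach-Object { $_.Groups[1].Value })
    # Assumed standard labels: PKCS#8 = 'PRIVATE KEY', PKCS#1 = 'RSA PRIVATE KEY'.
    $keyType = $null
    if ($labels -contains 'RSA PRIVATE KEY') { $keyType = 'Pkcs1' }
    elseif ($labels -contains 'PRIVATE KEY') { $keyType = 'Pkcs8' }
    if ($keyType -ne $ExpectedKeyType) {
        throw "Expected a $ExpectedKeyType private key in $Path, found '$keyType'."
    }
    # The file holds the private key and the cmdlet's syntax has no option to
    # password-protect it, so drop inherited ACEs and add an explicit
    # full-control ACE for the current user.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    [pscustomobject]@{
        Path         = $Path
        KeyType      = $keyType
        Certificates = @($labels | Where-Object { $_ -eq 'CERTIFICATE' }).Count
        GrantedTo    = $me
    }
}

# Constructed sample standing in for Convert-PfxToPem output (bodies are dummy Base64).
$sample = Join-Path $env:TEMP 'constructed-sample.pem'
@"
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"@ | Set-Content -LiteralPath $sample -Encoding Ascii
Protect-PemExport -Path $sample -ExpectedKeyType Pkcs8
```

With -IncludeChain, the Certificates count in the returned object should equal the leaf plus every chain certificate that was exported.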
Related links
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions