Exporting a certificate's private key to file (pem, cert, pfx)

  • Question

  • I am doing some work with certificates and need to export a certificate (.cer) and private key (.pem or .key) to separate files. I can use the Export-PfxCertificate cmdlet to get a .pfx file with a password that contains both the certificate and the key, but I need to have the key as a separate file. Everything that I've found explains how to open the pfx and save the key with OpenSSL, XCA or KeyStore Explorer, but I am looking for a way to do this with just PowerShell.

    I am getting the .cer file itself through Export-Certificate which is working well, it's just getting the key that I need help with. If there isn't a way to export it through a cmdlet, I could write it to a text file, but I'm not sure how to get the certificate's private key into the text file the correct way. The pem key file would look something like this:

    "Proc-Type: " + $procType
    "DEK-Info: " + $DEKInfo
    "-----END RSA PRIVATE KEY-----"

    I'm using Windows Server 2012 R2 & WMF 5.0. Any suggestions?

    • Edited by nocarsgo Friday, March 25, 2016 2:34 PM
    Friday, March 25, 2016 2:33 PM

All replies

  • Hi,
    Regarding exporting the private key to a text file, I would suggest you try the ConvertTo-SecureString cmdlet, which converts encrypted standard strings to secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. Please see the details at https://technet.microsoft.com/en-us/library/hh849818.aspx?f=255&MSPPError=-2147217396


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 28, 2016 6:41 AM
  • Hi Wendy,

    Thank you for the response! I have started to look into the ConvertFrom and ConvertTo cmdlets, but I'm still not sure how to get the private key from the certificate object in the correct form to put in the .pem file. Here is what I have for making the certificate, exporting it and getting the encrypted private key.

    # Request a certificate from the template and place it in the local machine store
    $newCert = Get-Certificate -Template $myNewTemplate -DnsName $newCertName -SubjectName ('CN=' + $newCertName) -CertStoreLocation 'Cert:\LocalMachine\My'
    # Export the public certificate as DER (.cer)
    Export-Certificate -Cert $newCert.Certificate.Thumbprint -FilePath ($certFolderPath + '\' + $newCertName + '.cer') -Type CERT
    # PrivateKey is an RSACryptoServiceProvider object, not a string
    $privKey = $newCert.Certificate.PrivateKey
    # This line produces the error below: ConvertFrom-SecureString expects a SecureString
    $secureKey = ConvertFrom-SecureString $privKey

    When I try to use ConvertFrom-SecureString I get this error because it isn't the correct type:

    ConvertFrom-SecureString : Cannot bind parameter 'SecureString'. Cannot convert the "System.Security.Cryptography.RSACryptoServiceProvider" value of type 
    "System.Security.Cryptography.RSACryptoServiceProvider" to type "System.Security.SecureString".

    Do you know what I need to do? Thanks for the help!

    Monday, March 28, 2016 2:31 PM
  • Hello nocarsgo,

    The commands below are OpenSSL commands and could be added to a .ps1 file, although of course that is not pure PowerShell as you requested.

    ...but I added a few lines, the last two lines of the code below, that may help to edit/append pem files.

    Assuming you already have a certified .cer:

    # Point OpenSSL at its configuration file
    $env:OPENSSL_CONF = "C:\RunSpace\openssl.cnf"
    # Convert the certified .cer (DER, already generated) to PEM
    openssl x509 -inform der -in "C:\RunSpace\cert.cer" -out "C:\RunSpace\server-cert.pem"
    # Generate a new P-256 EC private key into server-key.pem
    openssl ecparam -out "C:\RunSpace\server-key.pem" -genkey -name prime256v1 -noout
    # Concatenate server-cert.pem and server-key.pem into a single server.pem
    Get-Content "C:\RunSpace\server-cert.pem" | Out-File "C:\RunSpace\server.pem" -Encoding ascii
    Get-Content "C:\RunSpace\server-key.pem" | Out-File "C:\RunSpace\server.pem" -Encoding ascii -Append

    Tuesday, March 29, 2016 5:48 AM
  • Venu,

    Thank you for the reply! I am beginning to think that I may not be able to do what I want to do without using another tool in addition to PowerShell. I will look into using OpenSSL and the code that you gave me to get what I need. Thank you!

    Tuesday, March 29, 2016 1:58 PM
  • It is not possible to copy certificates between systems directly. You must have a file and the passkey to install the certificate.


    • Proposed as answer by Wendy Jiang Thursday, March 31, 2016 8:32 AM
    • Marked as answer by Yan Li_ Wednesday, April 6, 2016 9:14 AM
    • Unmarked as answer by nocarsgo Friday, September 23, 2016 4:06 PM
    • Unproposed as answer by nocarsgo Friday, September 23, 2016 4:06 PM
    • Proposed as answer by MichaelBrunzlik Sunday, August 12, 2018 8:05 AM
    • Unproposed as answer by MichaelBrunzlik Sunday, August 12, 2018 8:05 AM
    • Proposed as answer by tjirka Tuesday, May 26, 2020 12:39 PM
    Tuesday, March 29, 2016 2:04 PM
  • For anyone finding this article, there is a way to export the individual components of .pfx certificate file, see http://www.serv-u.com/kb/2041/Extracting-Certificates-From-PFX-Files

    The above article gives the following commands from the openssl package:

    • openssl pkcs12 -in <your_existing_pfx_file>.pfx -clcerts -nokeys -out <cert_component>.crt
    • openssl pkcs12 -in <your_existing_pfx_file>.pfx -nocerts -out <key_component>.key

    Under Windows, the "cygwin" system is an alternative solution to PowerShell that provides the openssl package.

    Sunday, August 12, 2018 8:12 AM
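The pure-PowerShell export the thread asks about, as an added example that is not from the thread or any of its posters. It assumes PowerShell 7 (.NET Core 3.0 or later), where ExportPkcs8PrivateKey() exists; on Windows PowerShell 5.1 (the WMF 5.0 environment in the question) that method is absent, which is why the posters fell back to OpenSSL. Export-CertificatePem and ConvertTo-Pem are hypothetical names, the key must have been created or imported as exportable, and the ACL step is Windows-only.

```powershell
function Export-CertificatePem {
    # Hypothetical helper (added example): writes <Thumbprint>.crt (certificate) and
    # <Thumbprint>.key (unencrypted PKCS#8 private key), both PEM, into $OutDir.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $OutDir,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    # Wrap DER bytes in a PEM envelope using the customary 64-character base64 lines.
    function ConvertTo-Pem([string] $Label, [byte[]] $Der) {
        $b64 = [Convert]::ToBase64String($Der)
        $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
            $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
        }
        "-----BEGIN $Label-----`n" + ($lines -join "`n") + "`n-----END $Label-----`n"
    }

    $cert = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # Public part: the same DER that Export-Certificate writes, base64-armoured.
    $certPath = Join-Path $OutDir "$Thumbprint.crt"
    Set-Content -Path $certPath -Value (ConvertTo-Pem 'CERTIFICATE' $cert.RawData) -NoNewline -Encoding ascii

    # PowerShell cannot call .NET extension methods as instance methods, so use the static
    # form. Handles RSA and ECDSA keys; ExportPkcs8PrivateKey() exists since .NET Core 3.0.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
    }
    if (-not $key) { throw "Certificate $Thumbprint uses a key algorithm this helper does not handle" }
    try {
        $keyDer = $key.ExportPkcs8PrivateKey()
    } catch [System.Security.Cryptography.CryptographicException] {
        # Typical cause: the key was generated or imported without the Exportable flag.
        throw "Private key of $Thumbprint is not exportable: $($_.Exception.Message)"
    }
    $keyPath = Join-Path $OutDir "$Thumbprint.key"
    Set-Content -Path $keyPath -Value (ConvertTo-Pem 'PRIVATE KEY' $keyDer) -NoNewline -Encoding ascii

    # The key file is a plaintext secret: drop inherited ACEs and grant only the current user.
    $acl = Get-Acl -Path $keyPath
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow'))
    Set-Acl -Path $keyPath -AclObject $acl
    [pscustomobject]@{ Certificate = $certPath; PrivateKey = $keyPath }
}
```

The resulting .key file is the unencrypted PKCS#8 form that OpenSSL's `-nocerts -nodes` export would also produce, so it can be fed straight to tools expecting a PEM key.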