PowerShell PKI Module Documentation
Convert-PemToPfx
Synopsis
Converts PEM (Privacy Enhanced Mail) certificate with embedded private key to a PKCS#12/PFX file.
Syntax
Convert-PemToPfx [-InputPath] <String> [-KeyPath <String>] [-OutputPath <String>] [-KeySpec <X509KeySpecFlags>] [-Password <SecureString>] [-ProviderName <String>] [-StoreLocation <StoreLocation>] [-Install] [<CommonParameters>]
Description
Converts a PEM (Privacy Enhanced Mail) certificate with an embedded private key to a PKCS#12/PFX file. PEM files are Base64-encoded files with PKCS#1 or PKCS#8 private key material. Windows does not natively support the PKCS#1 and PKCS#8 private key formats, and this command performs the conversion. The command also supports external private key files (when the certificate and its associated private key are stored in separate files). Depending on parameters, the command can save the PFX to a file, install the PFX to a certificate store, or do both by installing the certificate to the certificate store and saving it to a PFX file.
The PEM file must be Base64-encoded. At a minimum, it must contain a digital certificate in the following form:
-----BEGIN CERTIFICATE-----
<Base64-encoded certificate>
-----END CERTIFICATE-----
In addition, the PEM file may contain the private key; otherwise, the private key must be stored in a separate file. The private key must be in either PKCS#1 or PKCS#8 format. The following example illustrates PKCS#1 private key headers:
-----BEGIN RSA PRIVATE KEY-----
<Base64-encoded PKCS#1 private key>
-----END RSA PRIVATE KEY-----
The following example illustrates PKCS#8 private key headers:
-----BEGIN PRIVATE KEY-----
<Base64-encoded PKCS#8 private key>
-----END PRIVATE KEY-----
Any external information outside the cryptographic headers is silently ignored.
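The PEM layout described above can be checked before conversion. The following is an added example, not part of the PKI module: `Get-PemBlock` is a hypothetical helper that lists the header blocks in a PEM text, skips anything outside them, and shows whether '-KeyPath' will be needed. The sample text is constructed and holds placeholder Base64, not real key material.

```powershell
# Added example (not module code). Get-PemBlock is a hypothetical helper name.
function Get-PemBlock {
    param([Parameter(Mandatory)][string]$Text)

    # Match each BEGIN/END pair; the backreference requires the END label to
    # equal the BEGIN label. Text outside the headers is never matched.
    $pattern = '-----BEGIN (?<label>[A-Z0-9 ]+)-----(?<body>.*?)-----END \k<label>-----'
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        $label = $m.Groups['label'].Value
        $kind = switch ($label) {
            'CERTIFICATE'     { 'Certificate' }
            'RSA PRIVATE KEY' { 'PKCS#1 private key' }
            'PRIVATE KEY'     { 'PKCS#8 private key' }
            default           { 'Other (not described on this page)' }
        }
        # Strip line breaks and confirm the body really decodes as Base64.
        $b64 = $m.Groups['body'].Value -replace '\s', ''
        try   { $bytes = [Convert]::FromBase64String($b64) }
        catch { $bytes = $null }
        [pscustomobject]@{
            Label       = $label
            Kind        = $kind
            ValidBase64 = ($null -ne $bytes)
            DerLength   = if ($null -ne $bytes) { $bytes.Length } else { 0 }
        }
    }
}

# Constructed sample. For a real file use: Get-Content -Raw -Path <file>
$sample = @'
Bag Attributes: friendlyName = demo   (text outside the headers)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----
subject=/CN=demo
-----BEGIN PRIVATE KEY-----
Tk9UIEEgUkVBTCBLRVk=
-----END PRIVATE KEY-----
'@

$blocks  = @(Get-PemBlock -Text $sample)
$blocks | Format-Table -AutoSize
$hasCert = @($blocks | Where-Object { $_.Kind -eq 'Certificate' }).Count -gt 0
$hasKey  = @($blocks | Where-Object { $_.Kind -like '*private key' }).Count -gt 0
if (-not $hasCert)    { Write-Warning 'No CERTIFICATE block: not usable as -InputPath.' }
elseif (-not $hasKey) { Write-Warning 'Certificate only: -KeyPath is required.' }
```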
Note: currently the command does not support quiet mode and must be called in interactive mode. You will be prompted for a password to protect the PFX, and this cannot be scripted.
Parameters
-InputPath <String>
Specifies the path to a PEM file. If PEM file contains only public certificate, the KeyPath parameter is required.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-KeyPath <String>
Specifies the path to a private key file if public certificate and associated private key are stored in separate files.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-OutputPath <String>
Specifies the path for resulting PKCS#12/PFX file. If you want to install the certificate to certificate store without intermediate PFX file, you can omit this parameter and use '-Install' parameter instead.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-KeySpec <X509KeySpecFlags>
Specifies the intended key purpose. Can be either 'AT_EXCHANGE' (default value) or 'AT_SIGNATURE'. SSL and encryption certificates use 'AT_EXCHANGE' key purpose. Code signing and authentication certificates usually use 'AT_SIGNATURE' key purpose.
Required? | False |
Position? | named |
Default value | Exchange |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Password <SecureString>
Specifies the password for PFX file. This parameter is ignored if '-OutputPath' is not specified.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-ProviderName <String>
Specifies the cryptographic service provider name where to import the key. Currently, only legacy and CAPI smart card providers are supported. Key Storage Providers (KSP) are not supported in this version.
Required? | False |
Position? | named |
Default value | Microsoft Software Key Storage Provider |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-StoreLocation <StoreLocation>
Specifies the store location where the certificate is installed. This parameter is ignored if '-Install' parameter is not specified.
Required? | False |
Position? | named |
Default value | CurrentUser |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Install <SwitchParameter>
Specifies whether the certificate needs to be installed in the certificate store. If specified, the certificate is installed in the Personal (My) container of the store specified in the 'StoreLocation' parameter.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
None.
Outputs
System.Security.Cryptography.X509Certificates.X509Certificate2
Notes
Examples
Example 1
PS C:\> $password = Read-Host -Prompt "Enter PFX password" -AsSecureString
PS C:\> Convert-PemToPfx -InputPath C:\test\ssl.pem -OutputPath c:\test\ssl.pfx -Password $password
In this example, ssl.pem file is converted to PFX file and saved to ssl.pfx file. This example assumes that public certificate and associated private key are stored in the same file.
Example 2
PS C:\> $password = ConvertTo-SecureString "P@ssW0rD!" -asplaintext -force
PS C:\> Convert-PemToPfx -InputPath C:\test\ssl.pem -KeyPath c:\test\ssl.key -OutputPath c:\test\ssl.pfx -Password $password
In this example, ssl.pem file is converted to PFX file and saved to ssl.pfx file. This example assumes that public certificate and associated private key are stored in separate files.
Example 3
PS C:\> Convert-PemToPfx -InputPath C:\test\ssl.pem -Install -StoreLocation "LocalMachine"
In this example, the ssl.pem file is converted to an in-memory PFX object and imported to the "Local Machine\Personal" (Cert:\LocalMachine\My) certificate store. No PFX file is generated.
Related links
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions