PowerShell PKI Module Documentation

Convert-PemToPfx

Synopsis

Converts a PEM (Privacy Enhanced Mail) certificate with an embedded private key to a PKCS#12/PFX file.

Syntax

Convert-PemToPfx [-InputPath] <String> [-KeyPath <String>] [-OutputPath <String>] [-KeySpec <X509KeySpecFlags>] [-Password <SecureString>] [-ProviderName <String>] [-StoreLocation <StoreLocation>] [-Install] [<CommonParameters>]

Description

Converts a PEM (Privacy Enhanced Mail) certificate with an embedded private key to a PKCS#12/PFX file. PEM files are Base64-encoded files with PKCS#1 or PKCS#8 private key material. Windows does not natively support the PKCS#1 and PKCS#8 private key formats, and this command performs the conversion. The command also supports external private key files (when the certificate and its associated private key are stored in separate files). Depending on the parameters, the command can save the PFX to a file, install it to a certificate store, or do both by installing the certificate to the certificate store and saving it to a PFX file.

The PEM file must be Base64-encoded. At minimum, it must contain a digital certificate in the following form:

-----BEGIN CERTIFICATE-----
<Base64-encoded certificate>
-----END CERTIFICATE-----

In addition, the PEM file may contain the private key; otherwise, the private key must be stored in a separate file. The private key must be in either PKCS#1 or PKCS#8 format. The following example illustrates PKCS#1 private key headers:

-----BEGIN RSA PRIVATE KEY-----
<Base64-encoded PKCS#1 private key>
-----END RSA PRIVATE KEY-----

The following example illustrates PKCS#8 private key headers:

-----BEGIN PRIVATE KEY-----
<Base64-encoded PKCS#8 private key>
-----END PRIVATE KEY-----

Any information outside the cryptographic headers is silently ignored.
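
The following PowerShell code is an added example, not part of the PKI module or its documentation. It classifies the blocks in a PEM text by the headers described above, so you can tell before conversion whether the file carries a private key or whether '-KeyPath' will be needed. The Get-PemBlockSummary function is a hypothetical helper, and the sample text is constructed from placeholder bytes.

```powershell
# Added example; Get-PemBlockSummary is a hypothetical helper, not part of the PKI module.
function Get-PemBlockSummary {
    param([Parameter(Mandatory = $true)][string]$Text)

    # BEGIN/END labels must match (backreference); text outside blocks is skipped.
    $pattern = '-----BEGIN (?<label>[A-Z0-9 ]+)-----(?<body>.*?)-----END \k<label>-----'
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline

    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        $label = $m.Groups['label'].Value
        $body  = $m.Groups['body'].Value -replace '\s', ''

        # A block is only usable if its body decodes as Base64; -1 marks a failure.
        $length = -1
        try { $length = [Convert]::FromBase64String($body).Length } catch { }

        $kind = switch ($label) {
            'CERTIFICATE'     { 'Certificate' }
            'RSA PRIVATE KEY' { 'PKCS#1 private key' }
            'PRIVATE KEY'     { 'PKCS#8 private key' }
            default           { 'Other (not covered by this page)' }
        }

        New-Object psobject -Property @{
            Label = $label; Kind = $kind
            ValidBase64 = ($length -ge 0); ByteLength = $length
        }
    }
}

# Constructed sample: placeholder bytes, not a real certificate or key.
$b64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('constructed placeholder'))
$sample = @"
Bag Attributes: text outside the headers
-----BEGIN CERTIFICATE-----
$b64
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
$b64
-----END PRIVATE KEY-----
"@

$blocks  = @(Get-PemBlockSummary -Text $sample)
$hasCert = @($blocks | Where-Object { $_.Label -eq 'CERTIFICATE' }).Count -gt 0
$hasKey  = @($blocks | Where-Object { $_.Kind -like 'PKCS*' }).Count -gt 0
$blocks | Format-Table Kind, ValidBase64, ByteLength -AutoSize
if ($hasCert -and -not $hasKey) { 'Certificate only: -KeyPath is required.' }
```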

Note: currently, the command does not support quiet mode and must be called in interactive mode. You will be prompted for a password to protect the PFX, and this prompt cannot be scripted.

Parameters

-InputPath <String>

Specifies the path to a PEM file. If the PEM file contains only a public certificate, the '-KeyPath' parameter is required.

Required? True
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? False

-KeyPath <String>

Specifies the path to a private key file when the public certificate and its associated private key are stored in separate files.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-OutputPath <String>

Specifies the path for the resulting PKCS#12/PFX file. If you want to install the certificate to a certificate store without an intermediate PFX file, you can omit this parameter and use the '-Install' parameter instead.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-KeySpec <X509KeySpecFlags>

Specifies the intended key purpose. Can be either 'AT_EXCHANGE' (default value) or 'AT_SIGNATURE'. SSL and encryption certificates use the 'AT_EXCHANGE' key purpose. Code signing and authentication certificates usually use the 'AT_SIGNATURE' key purpose.

Required? False
Position? named
Default value Exchange
Accept pipeline input? false
Accept wildcard characters? False

-Password <SecureString>

Specifies the password for the PFX file. This parameter is ignored if '-OutputPath' is not specified.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-ProviderName <String>

Specifies the name of the cryptographic service provider into which the key is imported. Currently, only legacy and CAPI smart card providers are supported. Key Storage Providers (KSP) are not supported in this version.

Required? False
Position? named
Default value Microsoft Software Key Storage Provider
Accept pipeline input? false
Accept wildcard characters? False

-StoreLocation <StoreLocation>

Specifies the store location where the certificate is installed. This parameter is ignored if the '-Install' parameter is not specified.

Required? False
Position? named
Default value CurrentUser
Accept pipeline input? false
Accept wildcard characters? False

-Install <SwitchParameter>

Specifies whether the certificate needs to be installed in the certificate store. If specified, the certificate is installed in the Personal (My) container of the store specified in the 'StoreLocation' parameter.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

None.

Outputs

System.Security.Cryptography.X509Certificates.X509Certificate2

Notes

Examples

Example 1

PS C:\> $password = Read-Host -Prompt "Enter PFX password" -AsSecureString
PS C:\> Convert-PemToPfx -InputPath C:\test\ssl.pem -OutputPath c:\test\ssl.pfx -Password $password

In this example, the ssl.pem file is converted to a PFX file and saved as ssl.pfx. This example assumes that the public certificate and its associated private key are stored in the same file.

Example 2

PS C:\> $password = ConvertTo-SecureString "P@ssW0rD!" -AsPlainText -Force
PS C:\> Convert-PemToPfx -InputPath C:\test\ssl.pem -KeyPath c:\test\ssl.key -OutputPath c:\test\ssl.pfx -Password $password

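In this example, the ssl.pem file is converted to a PFX file and saved as ssl.pfx. This example assumes that the public certificate and its associated private key are stored in separate files. The password here is a plaintext literal, so it is readable by anyone who can see the script or the command history; the Read-Host prompt in Example 1 avoids that.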

Example 3

PS C:\> Convert-PemToPfx -InputPath C:\test\ssl.pem -Install -StoreLocation "LocalMachine"

In this example, the ssl.pem file is converted to an in-memory PFX object and imported to the "Local Machine\Personal" (Cert:\LocalMachine\My) certificate store. No PFX file is generated.

Related links

Convert-PfxToPem

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions