Extract private key from pfx file or certificate store WITHOUT using OpenSSL on Windows

孤街浪徒 2021-02-19 08:42

As the title suggests I would like to export my private key without using OpenSSL or any other third party tool. If I need a .cer file or .pfx file I c

5 Answers
  • 2021-02-19 09:17

    If I understand correctly certutil should do it for you.

    certutil -exportPFX -p "ThePasswordToKeyonPFXFile" my [serialNumberOfCert] [fileNameOfPFx]

  • 2021-02-19 09:19

    The Key, when exportable, can be exported using several APIs to several formats. The most common would be PKCS#8 (industry standard) and XML (MSFT proprietary afaik).

    Have a look at these answers:

    • Export CngKey in PKCS8 with encryption c#
    • C# (.NET) RSACryptoServiceProvider import/export x509 public key blob and PKCS8 private key blob
    • Convert RSACryptoServiceProvider RSA XML key to PKCS8
    • RSACng and CngKeyBlobFormat import and export formats
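The PKCS#8 export that the answer above points to can be done from PowerShell with the .NET APIs alone. This is an added example, not code from any of the answers; it assumes PowerShell 7 or later and an RSA key, and the function name `Export-PfxRsaKeyToPem` and its parameters are hypothetical.

```powershell
# Added example. Assumes PowerShell 7+ (needs ExportPkcs8PrivateKey) and an RSA key.
# Usage: Export-PfxRsaKeyToPem -PfxPath .\localhost.pfx -Password (Read-Host -AsSecureString) -KeyPath .\key.pem
function Export-PfxRsaKeyToPem {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$KeyPath
    )
    # Exportable: allow the key to leave the provider.
    # EphemeralKeySet: keep the imported key in memory instead of the user's key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, EphemeralKeySet'
    # .NET resolves relative paths against the process directory, so resolve first.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $PfxPath).Path, $Password, $flags)
    $rsa = $null
    $soft = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw "No RSA private key found in $PfxPath" }

        # Keys loaded from a PFX are often exportable only in encrypted form, so copy
        # the parameters into a fresh in-memory key before the plaintext PKCS#8 export.
        $soft = [System.Security.Cryptography.RSA]::Create()
        $soft.ImportParameters($rsa.ExportParameters($true))

        # PEM body: base64 of the PKCS#8 DER, wrapped at 64 characters.
        $b64  = [Convert]::ToBase64String($soft.ExportPkcs8PrivateKey())
        $body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
        $pem  = "-----BEGIN PRIVATE KEY-----`n$body`n-----END PRIVATE KEY-----`n"

        # Create the file empty, restrict its ACL to the current user, then write the key.
        New-Item -ItemType File -Path $KeyPath -Force | Out-Null
        icacls $KeyPath /inheritance:r /grant:r "$($env:USERNAME):(F)" | Out-Null
        Set-Content -Path $KeyPath -Value $pem -NoNewline -Encoding ascii
    }
    finally {
        if ($soft) { $soft.Dispose() }
        if ($rsa)  { $rsa.Dispose() }
        $cert.Dispose()
    }
}
```

The resulting file holds the private key unencrypted, so the ACL on it is the only protection it has.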
  • 2021-02-19 09:26

    Try something like this:

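    # Password that protects the existing PFX file
    $mypwd = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
    # Password for the re-exported PFX (placeholder value)
    $NewPwd = ConvertTo-SecureString -String "MyNewPassword" -Force -AsPlainText
    $mypfx = Get-PfxData -FilePath C:\Users\oscar\Desktop\localhost.pfx -Password $mypwd
    Export-PfxCertificate -PFXData $mypfx -FilePath C:\Users\oscar\Desktop\localhost.pfx -Password $NewPwd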
    
  • 2021-02-19 09:31

    Hm. Have you tried opening the cert store, and getting the private key that way? Pretty sure this will only work with RSA/DSA certs though.

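    # Open the LocalMachine\My store with the highest access the caller is allowed
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My,"localmachine")
    $store.Open("MaxAllowed")
    $cert = $store.Certificates | Where-Object { $_.Subject -match "^CN=asdasd" }
    # $true includes the private parameters; $false returns the public key only
    $cert.PrivateKey.ToXmlString($true)
    $store.Close()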
    
    
  • 2021-02-19 09:42

    I had the same problem and solved it with the help of the PSPKI PowerShell module from PS Gallery. While I understand that you look for a solution that preferably uses some built-in functionality in Windows, installing a module from PS Gallery might be acceptable. At least it was in my case.

    First install the PSPKI module (I assume that the PSGallery repository has already been set up):

    Install-Module -Name PSPKI
    

    The PSPKI module provides a Cmdlet Convert-PfxToPem which converts a pfx-file to a pem-file which contains the certificate and private key as base64-encoded text:

    Convert-PfxToPem -InputFile C:\path\to\pfx\file.pfx -Outputfile C:\path\to\pem\file.pem
    

    Now, all we need to do is split the pem-file with some regex magic. For example, like this:

    (Get-Content C:\path\to\pem\file.pem -Raw) -match "(?ms)(\s*((?<privatekey>-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----)|(?<certificate>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----))\s*){2}"
    
    $Matches["privatekey"] | Set-Content "C:\path\to\key\file.pem"
    $Matches["certificate"] | Set-Content "C:\path\to\certificate\file.pem"
    