Convert .PFX to.CER with PowerShell

Another simple but effective thing you can do with PowerShell that might come in handy.
Some applications only require a .cer certificate file without the private key, so you don't need to hand over the password for the .pfx file with the private key. From a security point of view you never leave password's for private keys floating around.

So this is a quick way to export the certificate to only a .cer file.

This can be used from Windows server 2012 and up, and Windows 8 and up:

Get-PfxCertificate -FilePath InputBundle.pfx | Export-Certificate -FilePath OutputCert.cer -Type CERT

You'll be asked to enter the password for the pfx file and the .cer file will be written in the specified path.

Simple as that, and you don't need OpenSSL, not for this task anyway 😉

How to cleanup expired certificates from a Microsoft CA with PowerShell and Shrink the DB

This a shameless copy of the original post by André Gibel over at https://www.gibel.net/

The reason why I copied it is because there is very little info on this subject and even though the post is from 2014, it still applies today.

Regularly (depending on the number of issued certificates) you have to perform a clean-up of expired certificates from your CA (Certification Authority) DB and then shrink the DB to get rid of the “white space”.

You have to perform the following 3 steps in order:
1. Make a backup of your CA DB (protected with a password) to another Server / medium

- this backup also "removes" the maybe hundres of db log files (each of the has a size of 1 MB) – in my case 828

2.      Clean-up all expired certificates from all 4 categories  with my PowerShell Script

- in a first step it's the best to run the script in a "view only" modus to see which certificates would be deleted
- the script and all the details are explained below.

3.      Shrink your CA database to get rid of the “whitespace”

- for this you use the esentutl tool with the “/d” (= defragmentation) option

Before executing the esentutl command stop the AD Certificate service and disable it

- run the following command with the path to the .edb DB file

- at the end the DB - file is more than 100 MB smaller than before, depending on the size your database is.

- at this point you have to enable and start the CA Service again

Here I explain the PowerShell script in detail (the script is used in step 2)

The Microsoft Enterprise CA I’m responsible for is running on a Microsoft Windows Server 2008 Enterprise Server

- with PowerShell 2.0 installed
- no 3rd party PS modules are used
- the certutil.exe is used by the PowerShell (PS) script
- the PS script I created is "Cleanup_MSPKI_Cert_v1.1.ps1" and contains 3 functions

On this CA Server in the C:\ root drive I create a folder “_scripts “ (I don’t use PS remoting) and copy my PowerShell script “Cleanup_MSPKI_Cert_v1.1.ps1” into this folder

Per default the functions "Remove-ExpiredCertFromDB" writes the temporary files to a subfolder within C:\_scripts\PKICleanupLog.

You can change this default folder path with the parameter  “CleanedFolderLogPath”

The 3 functions I have implemented are:

A.) Get-PublishedCATemplate
B.) Get-IssuedCert
C.) Remove-ExpiredCertFromDB

A.) Get-PublishedCATemplate

When you run this function without a parameter, it displays all Templates from the "Certificate Templates" folder with it's OID. This OID is used by the other to functions to display or delete certificates issued with this certain template. In the following picture you see the corresponding templates from the PKI Snap In

function Get-PublishedCATemplate{             

    [CmdletBinding()]

    Param (

        [parameter()]

        [string]$filter   

    )      

    $FilterLen = ("msPKI-Cert-Template-OID =").length+3   

    $AllPublishedTemplates = Invoke-Expression "certutil.exe –catemplates –v | select-string msPKI-Cert-Template-OID"     

    $AllPublishedTemplates | foreach{       

        $tmp= ($_.line).Substring($FilterLen)       

        $splitarr = $tmp.split(" ",2)     

        $obj = New-Object PSObject                                     

        Add-Member -Input $obj -Name "name" -MemberType Noteproperty -Value $Splitarr[1].trim()

        Add-Member -Input $obj -Name "oid" -MemberType Noteproperty -Value $Splitarr[0].trim()              

        if ($PSBoundParameters["filter"]){  

            if ($Splitarr[1].trim() -match $filter){

                write-output $obj             

            }

        }

        else{

            write-output $obj             

        }

    }              

}

Below I run the script with the -filter parameter and so I only get templates with “SCCM” in their name

I assign the oid of ONE template (=> change filter that you get only one result)  to the variable WSTemplate

$WSTemplate = (Get-PublishedCATemplate -filter workstation).oid

B.) Get-IssuedCert

With this function  you can list the certificates  issued from all templates or a certain template (specified with it’s oid = $CertTemplate variable)  which are issued beginning at a certain date.

 function Get-IssuedCert{

  [CmdletBinding()]

  Param (

    [ValidatePattern('^([0-9\.\s])+$')]

    [string]$CertTemplate,

    [ValidatePattern('^\d\d[\./]{1}\d\d[\./]{1}\d\d\d\d$')]

    [string]$Date

  )

  if ($PSBoundParameters["CertTemplate"]){   

    Invoke-Expression "certutil.exe -view -restrict 'certificate template=$CertTemplate,disposition=20,notbefore>=$Date' -out 'Request.RequestID,Request.RequesterName,NotBefore,NotAfter,Request.Disposition'"       

  }

  else {

    # displays Certificates issued with any custom template   

    Invoke-Expression "certutil.exe -view -restrict 'disposition=20,notbefore>=$Date' -out 'Request.RequestID,Request.RequesterName,NotBefore,NotAfter,Request.Disposition'"             

  }

}

 

The following example lists all  29 certificates (from ALL templates) issued from 18 December 2014 and later …. (with this version it’s not possible to select a time range / only a “start-date”)

Get-IssuedCert  -Date 18.12.2014

The following example lists ONLY the 3 certificates which are issued with the Template $WSTemplate (OID of  “…- Workstation – Authentication Certificate”) beginning December 18. 2014

$WSTemplate = (Get-PublishedCATemplate -filter workstation).oid
Get-IssuedCert -CertTemplate $WSTemplate -Date 18.12.2014

C.) Remove-ExpiredCertFromDB

This is an advanced function and all available parameters are displayed with the get-help command

- the expired certificates to view (1st step) and then delete are in one of 4 folders

- I select this “folder” with the -state parameter

- the script creates a log file (also needed for further parsing) in a separate folder

These folders are created automatically if they don’t exist yet.
In a first step always run the cmdlet without the "-delete" parameter so nothing is really deleted.
I also recommend the ISE instead of the shell.
And I also always run this cmdlet with the “-verbose” parameter.

The following example displays all issued (and expired) certificates till 18.12.2014  --- they are not really deleted yet.

Remove-ExpiredCertFromDB -State issued -Date 18.12.2014  -Verbose 

Without the -delete switch parameter the log file has "-ViewOnly" in it’s name

Below is the output from the example above / 396 entries “would be” deleted from the “issued folder” (or category) if you run the cmdlet with “-delete”

The following example lists / deletes  certificates from a certain (workstation authentication) template expired up to 18 december 2014

$WSTemplate = (Get-PublishedCATemplate -filter workstation).oid
Remove-ExpiredCertFromDB -State issued -CertTemplate $WSTemplate -Date 18.12.2014 -Verbose

With the added-delete switch parameter you really delete the entries. 
This step can take some time if there are a lot of entries.

$WSTemplate = (Get-PublishedCATemplate -filter workstation).oid
Remove-ExpiredCertFromDB -State issued -CertTemplate $WSTemplate -Date 18.12.2014 -Verbose -delete

The output at the end (and the log file)

When  you run the same cmdlet again, you see that there aren’t any entries to delete from the DB

The latest (full) version of this script with the 3 functions you can download from the Microsoft Script Gallery: go to download

DirectDownload link

Since TechNet is retired and will be taken offline any time soon a backup can be downloaded here:

Cleanup_MSPKI_Cert_v1.2.ps1

How to create key file and certificate file from pfx - Openssl

Install the Windows version of Openssl from:
https://slproweb.com/download/Win64OpenSSL-3_1_2.msi

Open a command prompt window in c:\Program Files\OpenSSL\Bin
(or even better, add Openssl to your Path)

Then type:

For the key file:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
Example:
openssl pkcs12 -in c:\temp\mycertificate.pfx -nocerts -out c:\temp\keyfile-mycertificate.key

You will be asked for the pfx password (import password), and then asked to enter a password for the .key file (PEM pass phrase)

For the certificate:
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
Example:
openssl pkcs12 -in c:\temp\mycertificate.pfx -clcerts -nokeys -out c:\temp\certificate-mycertificate.crt

You will only be asked for the pfx password (import password) since the private key will not be exported.

And for .pfx to .pem

openssl pkcs12 -in file.pfx -out file.nokey.pem -nokeys 

openssl pkcs12 -in file.pfx -out file.withkey.pem

Convert x509 to PEM

openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem

Convert PEM to DER

openssl x509 -outform der -in certificatename.pem -out certificatename.der

Convert DER to PEM

openssl x509 -inform der -in certificatename.der -out certificatename.pem

Convert PEM to P7B

Note: The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.
A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.

openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer

Convert PKCS7 to PEM

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

Convert pfx to PEM

Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

openssl pkcs12 -in certificatename.pfx -out certificatename.pem

Convert PFX to PKCS#8
Note: This requires 2 commands

STEP 1: Convert PFX to PEM

openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem

STEP 2: Convert PEM to PKCS8

openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8

Convert P7B to PFX
Note: This requires 2 commands

STEP 1: Convert P7B to CER

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer

STEP 2: Convert CER and Private Key to PFX

openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile  cacert.cer

Or:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

Or with intermediate and root:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -in intermediate.crt -in rootca.crt

error code: dlg_flags_sec_cert_cn_invalid - The hostname in the website's certificate differs from the website you are trying to visit

This was one error that I couldn't find a definitive answer for after searching the error:

error code: dlg_flags_sec_cert_cn_invalid - The hostname in the website's certificate differs from the website you are trying to visit

Long story short, in my case this came down to the "Common name" or "CN" in the certificate.
I had created the cert with a CN and some SAN names like so:

CN=application.domain.lan

SAN=application.domain.lan
SAN=application
SAN=servername.domain.lan
SAN=servername
SAN=applicationalias.domain.lan
SAN=applicationalias

Internet Explorer 11, Edge, Chrome and Firefox all tripped over the Common name.
If I typed in the browser: "https://application" the error did not appear. So my conclusion is that the webserver doesn't interpret the domain suffix stated in the common name.

So I recreated the certificate with the Common name: "application".
Binded it in IIS, iisrestart and reloaded the site in IE and behold no more errors.

How to restore a private key in IIS 7.0 or IIS 8.0

The following instructions apply to Windows Server 2008 (IIS 7.0) & Windows Server 2012 (IIS 8.0). Perform the following steps to restore the private key.

Import SSL certificate into the Personal > Certificates folder

Create a Certificates snap-in in a MMC console, refer to solution SO9999.

From the top left-hand pane, expand the Certificates tree, expand the Personal folder

Right-click the Certificates sub folder and select All Tasks > Import

The Certificate Import Wizard opens. Click Next

Click Browse and then navigate to the SSL certificate file.

Click Open > Next

Ensure "Place all certificates in the following store" is selected, ensure that "Personal" is listed for the certificate store.

Click Next > Finish

Import the Intermediate Certificate into the Intermediate Certification Authorities > Certificates folder

Download the correct Intermediate CA certificate, refer to article INFO1421.

From the left pane, expand the Intermediate Certification Authorities folder

Right-click on the Certificates sub folder

Select All Tasks > Import - A Certificate Import Wizard will open.

Click Next

Click Browse and then navigate to the Intermediate CA Certificate file

Click Next

Select Place all certificates in the following store: Intermediate Certification Authorities

Click Next

Click Finish 

Restore Private Key

With the MMC console still open, select the Certificates folder inside the Personal folder in the left-hand pane.

Double-click the newly imported SSL certificate in the right-hand pane, then select the Details tab.

Scroll down and select the Thumbprint field, then select and copy the entire thumbprint (in the bottom box) to the clipboard.

Open a command prompt, then enter the following command:

certutil -repairstore my "<thumbprint>"

Example:

certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"

If successful, the response will be "CertUtil: -repairstore command completed successfully"

Assign SSL certificate in IIS

Go to > Start > Administrative Tools > Internet Information Services (IIS) Manager.

From the Connections pane on the left, expand the local server, expand the Sites folder and select the web site to be secured with SSL.

From the Actions pane on the right, select the Bindings option under Edit Site.

In the Site Bindings window, select an existing https binding and click Edit. If there are no existing https bindings, click Add.

Ensure the type is set to 'https', then select the new SSL certificate from the drop down menu.

Click the View button to confirm details of the certificate.

Click OK > Close