Powershell Export-PfxCertificate unable to load private key from pfx

Melissa Lee 6 Reputation points
2020-11-13T21:38:59.663+00:00

I have been trying to create a root CA and an intermediate CA which signs the certs, using PowerShell on Windows 10.
When I try to check the QA1KeyCARoot.key, I'm getting an error: unable to load private key.
Question:

Is this the right way to extract the key from the pfx file using PowerShell? The pfx should contain both the certificate and the private key of the root CA.

$CertRootCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

How do I get the chain in pem from the commands?

Thanks

Root CA
$RootCA = New-SelfSignedCertificate -Subject 'CN=KeyCARootCN,O=Test Organisation, OU=Test RootCA,C=AU' -KeyLength 2048 -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(40) -KeyUsageProperty All -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=5") -CertStoreLocation Cert:\LocalMachine\My
$RootCA
$RootCAthumbprint = $RootCA.Thumbprint

$CertRootCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertRootCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

$CertRootCAFileCER = Export-Certificate -Cert $RootCA -FilePath C:\Users\KeyCARoot.cer

$CertRootCAFileCER
$CertRootCAPath = 'C:\Users\KeyCARoot.cer'
Import-Certificate -FilePath C:\Users\KeyCARoot.cer -CertStoreLocation Cert:\LocalMachine\Root
Intermediate CA
$InterCA = New-SelfSignedCertificate -Subject 'CN=KeyInterCARootCN,O=Test Organisation, OU=Test InterCA,C=AU' -Signer $RootCA -KeyLength 2048 -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(35) -KeyUsageProperty Sign -TextExtension @("2.5.29.19 = {critical} {text}ca=1&pathlength=0") -CertStoreLocation Cert:\LocalMachine\My
$InterCAthumbprint = $InterCA.Thumbprint

$CertInterCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertInterCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$InterCAthumbprint -FilePath C:\Users\KeyInterCARoot.pfx -Password $CertInterCAPassword

$CertInterCAFileCER = Export-Certificate -Cert $InterCA -FilePath C:\Users\KeyInterCARoot.cer

$CertInterCAFileCER
Import-Certificate -FilePath C:\Users\KeyInterCARoot.cer -CertStoreLocation Cert:\LocalMachine\CA
Then

openssl pkcs12 -in KeyCARoot.pfx -nocerts -nodes -passin pass:Test123 | sed -ne "/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p" > KeyCARoot.key
openssl pkcs12 -in KeyInterCARoot.pfx -nocerts -nodes -passin pass:Test123 | sed -ne "/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p" > KeyInterCARoot.key

openssl x509 -inform der -in KeyCARoot.cer -out KeyCARoot.pem
openssl x509 -inform der -in KeyInterCARoot.cer -out KeyInterCARoot.pem
Ran the following:

openssl rsa -modulus -noout -in KeyCARoot.key
openssl : unable to load Private Key
At line:1 char:1
openssl rsa -modulus -noout -in KeyCARoot.key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (unable to load Private Key:String) [], RemoteException
FullyQualifiedErrorId : NativeCommandError
8924:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY
I have removed the Bag attributes in the .key file:

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-3737d2a6-b5dc-4d63-b680-68a42d8080a0
    Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
....
...
-----END PRIVATE KEY-----
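As an added example (not part of the question or the answer), here is a version of the key-extraction and chain-assembly steps that sidesteps the encoding problem the question runs into: openssl writes the key file itself through -out instead of having its output redirected with PowerShell's > operator (in Windows PowerShell 5.1 that redirect writes UTF-16LE with a byte-order mark, which openssl then rejects with "no start line"), and the chain file is written with Out-File -Encoding ascii. The file names and the Test123 password are taken from the question; the function names are my own, and openssl.exe is assumed to be on PATH.

```powershell
# Added example (not from the question or the answer). Assumes openssl.exe is on
# PATH and that the .pfx and .cer files from the question already exist in $WorkDir.
$WorkDir  = 'C:\Users'
$Password = 'Test123'   # the password used in the question

function Export-PemKeyFromPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $Password
    )
    # Let openssl write the file itself (-out). Redirecting its stdout with '>'
    # in Windows PowerShell 5.1 produces a UTF-16LE file with a BOM, which
    # openssl later rejects with "no start line".
    & openssl pkcs12 -in $PfxPath -nocerts -nodes -passin "pass:$Password" -out $KeyPath
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed for $PfxPath" }

    # Keep only the PEM block; openssl prefixes it with "Bag Attributes" lines
    # that openssl itself tolerates but some other tools do not.
    $lines = [System.IO.File]::ReadAllLines($KeyPath)
    $start = -1; $end = -1
    for ($i = 0; $i -lt $lines.Length; $i++) {
        if ($start -lt 0 -and $lines[$i] -match '^-----BEGIN .*PRIVATE KEY-----$') { $start = $i }
        if ($start -ge 0 -and $lines[$i] -match '^-----END .*PRIVATE KEY-----$')   { $end = $i; break }
    }
    if ($start -lt 0 -or $end -lt 0) { throw "No PEM private key found in $KeyPath" }
    [System.IO.File]::WriteAllLines($KeyPath, [string[]]$lines[$start..$end], [System.Text.Encoding]::ASCII)
}

function Convert-DerCertToPem {
    param([Parameter(Mandatory)] [string] $CerPath, [Parameter(Mandatory)] [string] $PemPath)
    & openssl x509 -inform der -in $CerPath -out $PemPath
    if ($LASTEXITCODE -ne 0) { throw "openssl x509 failed for $CerPath" }
}

function New-PemChain {
    # Concatenate PEM certificates, issuer after subject (intermediate, then root).
    param([Parameter(Mandatory)] [string[]] $PemPaths, [Parameter(Mandatory)] [string] $ChainPath)
    $blocks = foreach ($p in $PemPaths) { (Get-Content -Path $p -Raw).TrimEnd() }
    # -Encoding ascii avoids the UTF-16 default of Out-File in Windows PowerShell 5.1.
    ($blocks -join "`r`n") + "`r`n" | Out-File -FilePath $ChainPath -Encoding ascii -NoNewline
}

function Test-KeyMatchesCert {
    # A private key and a certificate belong together exactly when their RSA moduli match.
    param([Parameter(Mandatory)] [string] $KeyPath, [Parameter(Mandatory)] [string] $CertPemPath)
    [string] $keyMod  = (& openssl rsa  -noout -modulus -in $KeyPath)     -replace '^Modulus=', ''
    [string] $certMod = (& openssl x509 -noout -modulus -in $CertPemPath) -replace '^Modulus=', ''
    return ($keyMod.Length -gt 0) -and ($keyMod -eq $certMod)
}

Export-PemKeyFromPfx -PfxPath "$WorkDir\KeyCARoot.pfx"      -KeyPath "$WorkDir\KeyCARoot.key"      -Password $Password
Export-PemKeyFromPfx -PfxPath "$WorkDir\KeyInterCARoot.pfx" -KeyPath "$WorkDir\KeyInterCARoot.key" -Password $Password
Convert-DerCertToPem -CerPath "$WorkDir\KeyCARoot.cer"      -PemPath "$WorkDir\KeyCARoot.pem"
Convert-DerCertToPem -CerPath "$WorkDir\KeyInterCARoot.cer" -PemPath "$WorkDir\KeyInterCARoot.pem"
New-PemChain -PemPaths "$WorkDir\KeyInterCARoot.pem", "$WorkDir\KeyCARoot.pem" -ChainPath "$WorkDir\KeyCAChain.pem"

# Sanity checks: each key matches its certificate, and the intermediate verifies against the root.
Test-KeyMatchesCert -KeyPath "$WorkDir\KeyCARoot.key"      -CertPemPath "$WorkDir\KeyCARoot.pem"
Test-KeyMatchesCert -KeyPath "$WorkDir\KeyInterCARoot.key" -CertPemPath "$WorkDir\KeyInterCARoot.pem"
& openssl verify -CAfile "$WorkDir\KeyCARoot.pem" "$WorkDir\KeyInterCARoot.pem"
```

The chain file is ordered subject first, issuer after (intermediate, then root), which is what TLS servers and openssl verify expect. Note that -passin pass:… places the password on the command line, exactly as the question's commands already do; outside a lab CA, openssl's -passin file: or env: forms keep it out of process listings.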


1 answer

  1. Ian Xue 36,936 Reputation points Microsoft Vendor
    2020-11-16T05:57:34.16+00:00

    Hi,

    Have you tried to remove the BOM header from the key?

    https://stackoverflow.com/questions/18460035/unable-to-load-private-key-pem-routinespem-read-biono-start-linepem-lib-c6

    Best Regards,
    Ian

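To make the answer's BOM hint concrete, here is an added example (my own code, not Ian's) that inspects the first bytes of a .key or .pem file, reports whether it carries a UTF-8 or UTF-16 byte-order mark (the UTF-16LE variant is what a Windows PowerShell 5.1 > redirect produces), and rewrites it as a plain ASCII PEM file containing only the PEM block(s). The function names are assumptions; the path is the one from the question.

```powershell
# Added example (not from the answer). Diagnoses the encoding of a .key/.pem file
# written by a PowerShell redirect and rewrites it as plain ASCII PEM.
function Get-PemFileEncoding {
    param([Parameter(Mandatory)] [string] $Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return 'utf8-bom' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'utf16le-bom' }   # Windows PowerShell '>' default
    if ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'utf16be-bom' }
    if ($b -contains 0)                                           { return 'utf16-nobom' }   # NUL bytes never occur in a text PEM file
    return 'ascii-or-utf8'
}

function Repair-PemEncoding {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $OutPath = $Path
    )
    $kind = Get-PemFileEncoding -Path $Path
    $enc = switch ($kind) {
        'utf16le-bom' { [System.Text.Encoding]::Unicode }
        'utf16be-bom' { [System.Text.Encoding]::BigEndianUnicode }
        'utf16-nobom' { [System.Text.Encoding]::Unicode }
        default       { [System.Text.Encoding]::UTF8 }     # UTF-8 with or without BOM
    }
    # ReadAllText honours a BOM when one is present and strips it from the text.
    $text = [System.IO.File]::ReadAllText($Path, $enc)
    # Keep only the PEM block(s); "Bag Attributes" and other header lines are dropped.
    $blocks = [regex]::Matches($text, '-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----', 'Singleline') |
              ForEach-Object { $_.Value -replace "`r`n", "`n" }
    if (-not $blocks) { throw "No PEM block found in $Path (detected encoding: $kind)" }
    [System.IO.File]::WriteAllText($OutPath, (($blocks -join "`n") + "`n"), [System.Text.Encoding]::ASCII)
    return $kind
}

# Before the repair, openssl rsa -in C:\Users\KeyCARoot.key fails with "no start line".
Get-PemFileEncoding -Path 'C:\Users\KeyCARoot.key'    # reports e.g. utf16le-bom
Repair-PemEncoding  -Path 'C:\Users\KeyCARoot.key'
& openssl rsa -check -noout -in 'C:\Users\KeyCARoot.key'
```

The repair is only needed for files that were already written through a redirect; letting openssl write the key with -out, or using Out-File -Encoding ascii, avoids producing such a file in the first place.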

