Powershell Export-PfxCertificate unable to load private key from pfx

Melissa Lee 6 Reputation points
2020-11-13T21:38:59.663+00:00

I have been trying to create a root CA and an intermediate CA (which signs the certs) using PowerShell on Windows 10.
When I try to check the QA1KeyCARoot.key, I'm getting the error "unable to load private key".
Question:

Is this the right way to extract the key from the pfx file using PowerShell? The pfx should contain both the certificate and the private key of the root CA.

$CertRootCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

How do I get the chain in PEM from these commands?

Thanks

Root CA
$RootCA = New-SelfSignedCertificate -Subject 'CN=KeyCARootCN,O=Test Organisation, OU=Test RootCA,C=AU' -KeyLength 2048 -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(40) -KeyUsageProperty All -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=5") -CertStoreLocation Cert:\LocalMachine\My
$RootCA
$RootCAthumbprint = $RootCA.Thumbprint

$CertRootCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertRootCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

$CertRootCAFileCER = Export-Certificate -Cert $RootCA -FilePath C:\Users\KeyCARoot.cer

$CertRootCAFileCER
$CertRootCAPath = 'C:\Users\KeyCARoot.cer'
Import-Certificate -FilePath C:\Users\KeyCARoot.cer -CertStoreLocation Cert:\LocalMachine\Root

Intermediate CA
$InterCA = New-SelfSignedCertificate -Subject 'CN=KeyInterCARootCN,O=Test Organisation, OU=Test InterCA,C=AU' -Signer $RootCA -KeyLength 2048 -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(35) -KeyUsageProperty Sign -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=0") -CertStoreLocation Cert:\LocalMachine\My
$InterCAthumbprint = $InterCA.Thumbprint

$CertInterCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertInterCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$InterCAthumbprint -FilePath C:\Users\KeyInterCARoot.pfx -Password $CertInterCAPassword

$CertInterCAFileCER = Export-Certificate -Cert $InterCA -FilePath C:\Users\KeyInterCARoot.cer

$CertInterCAFileCER
Import-Certificate -FilePath C:\Users\KeyInterCARoot.cer -CertStoreLocation Cert:\LocalMachine\CA

Then

openssl pkcs12 -in KeyCARoot.pfx -nocerts -nodes -passin pass:Test123 | sed -ne "/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p" > KeyCARoot.key
openssl pkcs12 -in KeyInterCARoot.pfx -nocerts -nodes -passin pass:Test123 | sed -ne "/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p" > KeyInterCARoot.key

openssl x509 -inform der -in KeyCARoot.cer -out KeyCARoot.pem
openssl x509 -inform der -in KeyInterCARoot.cer -out KeyInterCARoot.pem

Ran the following:

openssl rsa -modulus -noout -in KeyCARoot.key
openssl : unable to load Private Key
At line:1 char:1
openssl rsa -modulus -noout -in KeyCARoot.key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (unable to load Private Key:String) [], RemoteException
FullyQualifiedErrorId : NativeCommandError
8924:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY
I have removed the Bag attributes in the .key file:

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-3737d2a6-b5dc-4d63-b680-68a42d8080a0
    Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
....
...
-----END PRIVATE KEY-----
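The export commands in the question are fine; the step that produces an unreadable key is the `| sed ... > KeyCARoot.key` pipeline, because in Windows PowerShell 5.1 the `>` redirection operator writes UTF-16LE text with a byte-order mark, which openssl reports as "no start line". The script below is an added example, not code from the question, that performs the same conversion while letting openssl write the key file itself with `-out`, wraps the DER certificates in PEM armour with .NET only, builds the chain file, and checks the result. It assumes openssl.exe is on PATH and reuses the file names and password from the question; the function names are chosen here.

```powershell
# Added example, not code from the question. Converts the .pfx/.cer files
# produced above into PEM files plus a chain file, letting openssl write the
# key itself (-out) instead of going through PowerShell's ">" redirection,
# which in Windows PowerShell 5.1 produces UTF-16LE text with a BOM that
# openssl cannot parse. Assumes openssl.exe is on PATH.
$Dir      = 'C:\Users'     # paths and password as used in the question
$Password = 'Test123'

function Assert-OpenSslSucceeded {
    # Native commands do not throw; check the exit code after every call.
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) { throw "openssl failed during: $Step (exit code $LASTEXITCODE)" }
}

function Export-PemKeyFromPfx {
    # Extract the unencrypted private key from a .pfx and rewrite it as a bare
    # PEM block (no Bag Attributes / Key Attributes preamble). openssl 1.1 emits
    # "BEGIN RSA PRIVATE KEY", openssl 3 emits "BEGIN PRIVATE KEY"; both load.
    param([string]$PfxPath, [string]$KeyPath, [string]$PfxPassword)
    $raw = "$KeyPath.raw"
    & openssl pkcs12 -in $PfxPath -nocerts -nodes -passin "pass:$PfxPassword" -out $raw
    Assert-OpenSslSucceeded "pkcs12 export of $PfxPath"
    & openssl rsa -in $raw -out $KeyPath
    Assert-OpenSslSucceeded "rewriting $raw"
    Remove-Item $raw        # the .raw file also holds the plaintext key
}

function ConvertTo-PemCertificate {
    # Wrap a DER certificate (.cer as written by Export-Certificate) in PEM
    # armour using .NET only; 64-character lines match what openssl writes.
    param([string]$CerPath)
    $b64   = [Convert]::ToBase64String([IO.File]::ReadAllBytes($CerPath))
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    (@('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')) -join "`n"
}

function Write-AsciiFile {
    # ASCII has no byte-order mark, so the file is exactly what openssl expects.
    param([string]$Path, [string]$Text)
    [IO.File]::WriteAllText($Path, $Text + "`n", [Text.Encoding]::ASCII)
}

# 1. Private keys straight from openssl, written by openssl.
Export-PemKeyFromPfx "$Dir\KeyCARoot.pfx"      "$Dir\KeyCARoot.key"      $Password
Export-PemKeyFromPfx "$Dir\KeyInterCARoot.pfx" "$Dir\KeyInterCARoot.key" $Password

# 2. Certificates: DER -> PEM without leaving PowerShell.
$rootPem  = ConvertTo-PemCertificate "$Dir\KeyCARoot.cer"
$interPem = ConvertTo-PemCertificate "$Dir\KeyInterCARoot.cer"
Write-AsciiFile "$Dir\KeyCARoot.pem"      $rootPem
Write-AsciiFile "$Dir\KeyInterCARoot.pem" $interPem

# 3. Chain file: the certificate closest to the leaf first, the root last.
Write-AsciiFile "$Dir\chain.pem" "$interPem`n$rootPem"

# 4. Checks: the intermediate must validate against the root, and each key
#    must belong to its certificate (same RSA modulus).
& openssl verify -CAfile "$Dir\KeyCARoot.pem" "$Dir\KeyInterCARoot.pem"
Assert-OpenSslSucceeded 'chain verification'
foreach ($name in 'KeyCARoot', 'KeyInterCARoot') {
    $certMod = & openssl x509 -noout -modulus -in "$Dir\$name.pem"
    $keyMod  = & openssl rsa  -noout -modulus -in "$Dir\$name.key"
    Assert-OpenSslSucceeded "modulus check for $name"
    if ($certMod -ne $keyMod) { throw "$name.key does not match $name.pem" }
    "${name}: key and certificate match"
}
```

The modulus comparison at the end is the same check the question tried to run by hand; if it passes, the key file openssl wrote is loadable and belongs to the exported certificate. The chain.pem file lists the intermediate before the root, which is the order TLS servers and openssl's `-CAfile` expect.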

  1. Anonymous
    2020-11-16T05:57:34.16+00:00

    Hi,

    Have you tried to remove the BOM header from the key?

    https://stackoverflow.com/questions/18460035/unable-to-load-private-key-pem-routinespem-read-biono-start-linepem-lib-c6

    Best Regards,
    Ian

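Ian's hint points at the usual cause on Windows: a key file written through Windows PowerShell 5.1's `>` operator starts with a UTF-16LE byte-order mark (bytes FF FE) and has a NUL byte after every character, so openssl never sees the `-----BEGIN` line. The script below is an added example, not Ian's code, that reports the encoding a rejected file was actually written in and rewrites only the armoured PEM block(s) as plain ASCII; the function names `Get-TextEncodingFromBom` and `Repair-PemFile` and the output file name are chosen here.

```powershell
# Added example, not Ian's code: diagnose and repair a PEM file that openssl
# rejects with "no start line". Works in Windows PowerShell 5.1 and later.
function Get-TextEncodingFromBom {
    # Classify a file's bytes by its byte-order mark (or lack of one).
    param([byte[]]$Bytes)
    if ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF) { return 'utf-8 with BOM' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xFE) { return 'utf-16le with BOM' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFE -and $Bytes[1] -eq 0xFF) { return 'utf-16be with BOM' }
    # No BOM: UTF-16LE text still betrays itself by the NUL byte after an ASCII char.
    if ($Bytes.Length -ge 2 -and $Bytes[1] -eq 0) { return 'utf-16le without BOM' }
    return 'ascii/utf-8 without BOM'
}

function Repair-PemFile {
    # Decode the file with the encoding it was really written in, keep only the
    # -----BEGIN ... -----END blocks (dropping the BOM character and any Bag
    # Attributes preamble), and write them back as ASCII with LF line endings.
    param([string]$Path, [string]$OutPath = $Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $kind  = Get-TextEncodingFromBom $bytes
    $text  = switch -Wildcard ($kind) {
        'utf-16le*' { [Text.Encoding]::Unicode.GetString($bytes) }
        'utf-16be*' { [Text.Encoding]::BigEndianUnicode.GetString($bytes) }
        default     { [Text.Encoding]::UTF8.GetString($bytes) }
    }
    $blocks = [regex]::Matches($text, '-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----', 'Singleline')
    if ($blocks.Count -eq 0) { throw "$Path ($kind): no PEM block found" }
    $clean = ($blocks | ForEach-Object { $_.Value -replace "`r`n", "`n" }) -join "`n"
    [IO.File]::WriteAllText($OutPath, $clean + "`n", [Text.Encoding]::ASCII)
    [pscustomobject]@{ Path = $OutPath; OriginalEncoding = $kind; Blocks = $blocks.Count }
}

# Usage with the file from the question; the repaired copy gets a new name so
# the original stays available for comparison.
Repair-PemFile -Path 'C:\Users\KeyCARoot.key' -OutPath 'C:\Users\KeyCARoot.clean.key'
```

`Get-TextEncodingFromBom` on its own is the quick check: `Get-TextEncodingFromBom ([IO.File]::ReadAllBytes('C:\Users\KeyCARoot.key'))` returning anything other than `ascii/utf-8 without BOM` explains the openssl error before any editing is attempted. Running `openssl rsa -noout -modulus -in C:\Users\KeyCARoot.clean.key` afterwards confirms the repaired file loads.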