
Convert-PfxToPem fails with invalid provider type

Open rvdginste opened this issue 6 years ago • 7 comments

When I use the Convert-PfxToPem cmdlet, it fails with an error.

Command:

$pwd = ConvertTo-SecureString -string "AAAAA" -AsPlainText -Force
Convert-PfxToPem -InputFile c:\test.pfx -OutputFile c:\test.pem -Password $pwd

Output:

Invalid provider type specified
... pspki\3.4.1.0\Client\Convert-PfxToPem.ps1:141 char:3

This is on PowerShell 5.1 on Windows Server 2019.

Any idea why this is failing?

rvdginste avatar Jul 11 '19 12:07 rvdginste

Sounds like the key was loaded into a key storage provider. KSP is not yet supported, because the code wasn't updated in a while. As a workaround, you can modify the Convert-PfxToPem.ps1 file as follows: replace this line: https://github.com/PKISolutions/PSPKI/blob/c2d95a9af413bce8d71b14ac701bfc0448e9e027/PSPKI/Client/Convert-PfxToPem.ps1#L130 with this content:

$CRYPT_ACQUIRE_SILENT_FLAG = 0x40 -bor 0x00010000

and check if it works. Keep in mind that this change will break the signature on PS1 file.

Crypt32 avatar Jul 11 '19 13:07 Crypt32

Thank you for the quick answer. Now the code gets a bit further, but still fails:

The parameter is incorrect
... pspki\3.4.1.0\Client\Convert-PfxToPem.ps1:147 char:3

rvdginste avatar Jul 11 '19 14:07 rvdginste

This confirms that the key is stored in KSP, not CSP. A bit more work is necessary for complete KSP support. I'll put this on my work list. I can provide you a temporary fix later.

Crypt32 avatar Jul 11 '19 14:07 Crypt32

Oh, it would be great if you could provide a temporary fix. I'd really appreciate that!

rvdginste avatar Jul 11 '19 14:07 rvdginste

Things appear to be more complicated.

For some reason (I have no idea why), X509Certificate2 with the "Exportable" flag doesn't enable private key plain text export for CNG keys. The call to NCryptSetProperty can't modify the export policy, because it is read-only. I will need more research to find a way to import the PFX with the NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG flag enabled.

Crypt32 avatar Jul 11 '19 18:07 Crypt32

Did you happen to get any further with this? I saw this post, which might help with the issue: https://stackoverflow.com/questions/54483371/cannot-export-rsa-private-key-parameters-the-requested-operation-is-not-support/54525572#54525572 It seems that Microsoft changed the .NET functionality when importing certificates, which doesn't enable the exporting of plain text private keys. When importing the certificate on Windows, it automatically uses this new certificate type RSACngKey instead of RSACryptoServiceProvider. Maybe this can help in resolving this issue? It would be great if this could be fixed, as we are facing the export error issue as well and would like to be able to do it through PowerShell, rather than somehow manually exporting it to PEM, because that does seem to work (I still don't know why).

OcinO88 avatar Feb 06 '24 09:02 OcinO88

> Did you happen to get any further with this?

Nope. I was able to manage some p/invoke stuff, but yet it still doesn't work as expected.

> Maybe this can help in resolving this issue?

Again, no. Using legacy providers is discouraged and they don't support EC algorithms.

Crypt32 avatar Feb 06 '24 10:02 Crypt32
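The thread turns on one question: whether the PFX's private key lands in a legacy CSP or in a CNG key storage provider (KSP), and whether the provider's export policy permits plain-text export, which a PEM conversion needs. The diagnostic below is an added example, not PSPKI code or anything from the thread's participants. It loads a PFX with the same `Exportable` flag the cmdlet's callers rely on, reports the provider class and export policy, and tests `ExportParameters($true)`. The demo at the end builds two throwaway self-signed certificates, one per provider type, so the difference can be observed on any Windows host with PowerShell 5.1 or 7; the `CN=*-test` subjects, the `$env:TEMP` working directory and the RSA-only handling are assumptions of this script.

```powershell
# Added diagnostic (not part of PSPKI): which provider holds a PFX's private key, and is plain-text
# export of that key allowed? Assumes Windows, PowerShell 5.1 or 7, and RSA keys.
function Get-PfxKeyExportability {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "No RSA private key found in $PfxPath (EC keys are not handled by this script)." }

    $info = [ordered]@{
        Subject         = $cert.Subject
        KeyClass        = $rsa.GetType().Name    # RSACryptoServiceProvider (CSP) or RSACng (KSP)
        Provider        = 'unknown'
        ExportPolicy    = 'unknown'
        PlainTextExport = $false
        Error           = $null
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info.Provider     = 'CSP: ' + $rsa.CspKeyContainerInfo.ProviderName
        $info.ExportPolicy = if ($rsa.CspKeyContainerInfo.Exportable) { 'Exportable' } else { 'NonExportable' }
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $info.Provider     = 'KSP: ' + $rsa.Key.Provider.Provider
        # CngExportPolicies: AllowExport alone permits encrypted export only; a plain-text export
        # additionally needs AllowPlaintextExport (NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG).
        $info.ExportPolicy = $rsa.Key.ExportPolicy.ToString()
    }
    try {
        $null = $rsa.ExportParameters($true)      # $true = include the private parameters
        $info.PlainTextExport = $true
    }
    catch {
        $info.Error = $_.Exception.Message        # e.g. "The requested operation is not supported"
    }
    $rsa.Dispose()
    $cert.Reset()                                 # release the imported key handle
    [pscustomobject]$info
}

# Demo: build one CSP-backed and one KSP-backed throwaway certificate (constructed here), export each
# to a PFX with the same password the issue uses, and compare. Paths under $env:TEMP are placeholders.
$pass = ConvertTo-SecureString -String 'AAAAA' -AsPlainText -Force
$work = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'pfx-export-check') -Force
$providers = [ordered]@{
    csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'   # legacy CAPI provider
    ksp = 'Microsoft Software Key Storage Provider'                 # CNG provider
}
foreach ($name in $providers.Keys) {
    $cert = New-SelfSignedCertificate -Subject "CN=$name-test" -CertStoreLocation Cert:\CurrentUser\My `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -Provider $providers[$name] `
        -NotAfter (Get-Date).AddDays(1)
    $pfx = Join-Path $work.FullName "$name.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pass | Out-Null
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey   # drop the throwaway key
    Get-PfxKeyExportability -PfxPath $pfx -Password $pass | Format-List
}
```

Run it in an elevated or regular user session; `New-SelfSignedCertificate` needs no admin rights for the `CurrentUser` store. For the `csp` case `PlainTextExport` is expected to be `$true`; for the `ksp` case the `ExportPolicy` and `Error` fields show exactly what the maintainer describes above, which is the condition `Convert-PfxToPem` hits at line 147. On PowerShell 7 the `RSA` object additionally exposes `ExportPkcs8PrivateKey()` and `ExportRSAPrivateKey()` (.NET Core 3.0 and later), which is the route a PEM export takes when the policy does permit it.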