Convert-PfxToPem fails with invalid provider type #81

Open
rvdginste opened this issue Jul 11, 2019 · 7 comments
Labels: enhancement (This is a new feature request. Not a bug really.), Investigate (The item's status is investigated (issue or not))

Comments

@rvdginste

When I use the Convert-PfxToPem cmdlet, it fails with an error.

Command:

$pwd = ConvertTo-SecureString -string "AAAAA" -AsPlainText -Force
Convert-PfxToPem -InputFile c:\test.pfx  -OutputFile c:\test.pem -Password $pwd

Output:

Invalid provider type specified
... pspki\3.4.1.0\Client\Convert-PfxToPem.ps1:141 char:3

This is on PowerShell 5.1 on Windows Server 2019.

Any idea why this is failing?

rvdginste changed the title from "Convert-PfxToPem not working" to "Convert-PfxToPem fails with invalid provider type" on Jul 11, 2019
@Crypt32
Collaborator

Crypt32 commented Jul 11, 2019

Sounds like the key was loaded into a key storage provider. KSP is not yet supported, because the code wasn't updated in a while. As a workaround, you can modify the Convert-PfxToPem.ps1 file as follows:
Replace line:

$CRYPT_ACQUIRE_SILENT_FLAG = 0x40

with this content:

$CRYPT_ACQUIRE_SILENT_FLAG = 0x40 -bor 0x00010000

and check if it works. Keep in mind that this change will break the signature on PS1 file.

Crypt32 added the "enhancement" label on Jul 11, 2019
@rvdginste
Author

Thank you for the quick answer. Now the code gets a bit further, but still fails:

The parameter is incorrect
... pspki\3.4.1.0\Client\Convert-PfxToPem.ps1:147 char:3

@Crypt32
Collaborator

Crypt32 commented Jul 11, 2019

This confirms that the key is stored in KSP, not CSP. A bit more work is necessary for complete KSP support. I'll put this on my work list. I can provide you a temporary fix later.

@rvdginste
Author

Oh, it would be great if you could provide a temporary fix. I'd really appreciate that!

@Crypt32
Collaborator

Crypt32 commented Jul 11, 2019

Things appear to be more complicated.

For some reason (I have no idea why), X509Certificate2 with the "Exportable" flag doesn't enable private key plain text export for CNG keys. The call to NCryptSetProperty can't modify the export policy, because it is read-only. I will need more research to find a way to import the PFX with the NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG flag enabled.

Crypt32 added the "Investigate" label on Jun 2, 2020
@OcinO88

OcinO88 commented Feb 6, 2024

Did you happen to get any further with this? I saw this post, which might help with the issue: https://stackoverflow.com/questions/54483371/cannot-export-rsa-private-key-parameters-the-requested-operation-is-not-support/54525572#54525572
It seems that Microsoft changed the .NET functionality when importing certificates, which doesn't enable the export of plain text private keys. When importing the certificate on Windows, it automatically uses the new key type RSACngKey instead of RSACryptoServiceProvider. Maybe this can help in resolving this issue?
It would be great if this could be fixed, as we are facing the export error issue as well and would like to be able to do it through PowerShell, rather than somehow manually exporting it to PEM, because that does seem to work (I still don't know why).

@Crypt32
Collaborator

Crypt32 commented Feb 6, 2024

> Did you happen to get any further with this?

Nope. I was able to manage some p/invoke stuff, but it still doesn't work as expected.

> Maybe this can help in resolving this issue?

Again, no. Using legacy providers is discouraged and they don't support EC algorithms.
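An added diagnostic, not PSPKI code and not posted by anyone in this thread, covering the KSP-versus-CSP question and the CNG export-policy behaviour Crypt32 describes, as well as the RSACng-versus-RSACryptoServiceProvider point OcinO88 raises: it reports which provider family holds the PFX key and its CngExportPolicies, then writes a PKCS#8 PEM where the runtime supports it (.NET Core 3.0+, i.e. PowerShell 7; .NET Framework under PowerShell 5.1 cannot). The paths and password are placeholders.

```powershell
# Added diagnostic, not PSPKI code. Paths and password are placeholders.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$pfxPath  = 'C:\test.pfx'                                                # placeholder
$pemPath  = 'C:\test.pem'                                                # placeholder
$password = ConvertTo-SecureString -String 'AAAAA' -AsPlainText -Force   # placeholder

# Exportable sets NCRYPT_ALLOW_EXPORT_FLAG on a CNG key but not
# NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG, which is what a plain PEM export needs.
$cert = [X509Certificate2]::new($pfxPath, $password, [X509KeyStorageFlags]::Exportable)
$rsa  = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'No RSA private key in this PFX (EC keys need ECDsaCertificateExtensions).' }

# The provider family holding the key decides whether CryptAcquireCertificatePrivateKey
# needs CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG (0x10000) to open it at all.
if ($rsa -is [RSACryptoServiceProvider]) {
    "Legacy CSP key: $($rsa.CspKeyContainerInfo.ProviderName)"
}
elseif ($rsa -is [RSACng]) {
    "KSP (CNG) key: $($rsa.Key.Provider.Provider)"
    "Export policy:  $($rsa.Key.ExportPolicy)"   # AllowExport alone: no plaintext export via NCrypt
}

# .NET Framework (PowerShell 5.1) has no ExportPkcs8PrivateKey. .NET Core 3.0+ (PowerShell 7)
# has it and, for a CNG key that lacks AllowPlaintextExport, falls back internally to an
# encrypted PKCS#8 export that it decrypts itself, so the plain PEM can still be produced.
if (-not ($rsa | Get-Member -Name ExportPkcs8PrivateKey)) {
    throw 'This runtime cannot export the CNG key in plain text; rerun under PowerShell 7+.'
}
$der  = $rsa.ExportPkcs8PrivateKey()
$b64  = [Convert]::ToBase64String($der)
# Wrap the base64 body at 64 columns, as PEM readers expect
$body = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN PRIVATE KEY-----') + $body + @('-----END PRIVATE KEY-----')
Set-Content -Path $pemPath -Value $pem -Encoding Ascii
"Wrote PKCS#8 PEM to $pemPath"
```

Run it once under PowerShell 5.1 to see the provider and export policy that make Convert-PfxToPem fail, then under PowerShell 7 to obtain the PEM.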
