This answer here gave a method for converting a pfx to snk using PowerShell (wrapped around the System.Security.Cryptography methods).

How would I do the reverse, convert a .snk file to .pfx? I can read the .snk file with Get-Content, and somehow use ImportCspBlob to get an X509Certificate2 object, but I do not know:

  1. How to instantiate ImportCspBlob to get that certificate object
  2. How to export a .pfx from that object

For what it's worth, I tried to instantiate an X509Certificate2 and then run ImportCspBlob, but the constructor failed:

```
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2();
At line:1 char:83
+ ... ect System.Security.Cryptography.X509Certificates.X509Certificate2();
+                                                                        ~
An expression was expected after '('.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedExpression
```

EDIT:

@TheIncorrigible pointed out the constructor problem, which now is fixed. Main questions still remain.

I expected the empty constructor to work.

UPDATE:

I no longer have need for this question. Turns out it was not a public-private keypair in the .snk file, but rather some basic symmetric key material, password-encrypted. I will leave the question, though, in case the answer is useful to others.

deitch
  • I like your handle @TheIncorrigible. Yeah, PowerShell is not my strength, but adapt, I must. So... how? – deitch Mar 22 '18 at 16:03
  • Is `.snk` considered an X509 cert? – Maximilian Burszley Mar 22 '18 at 16:08
  • In a unique fashion, yes. Can include both private and public keys or just public key. Password encrypted (well, symmetric key generated from password, I am guessing PBKDF). It is identical to a CSP blob. But how would I actually run `ImportCspBlob`? – deitch Mar 22 '18 at 16:10
  • In the example, you would do the same thing they did with importing the pfx cert: `[byte[]] $snkBytes = Get-Content -Path $snkFilePath -Encoding Byte` and then create the `$cert` object in the same fashion. – Maximilian Burszley Mar 22 '18 at 16:12
  • I can pass the `$snkBytes` like they passed the `$pfxBytes`? I didn't think I could. The docs say that it should be used with a pfx file, which this is not. – deitch Mar 22 '18 at 16:14
  • [As long as it's an x.509 cert](https://msdn.microsoft.com/en-us/library/ms148418(v=vs.110).aspx), I don't see that being an issue. – Maximilian Burszley Mar 22 '18 at 16:15
  • But it is a different format? Well, I can try. – deitch Mar 22 '18 at 16:18
  • And no. I get errors. – deitch Mar 22 '18 at 16:22
  • Are you specifying the CSP (`sn.exe -c`) when you create the keypair? – Maximilian Burszley Mar 22 '18 at 16:24
  • I am not creating the keypair, it is exported from an app. I am trying to reverse it, make it manageable. – deitch Mar 22 '18 at 16:26
  • I suggest you look at the code that is in this module, PSPKI. GitHub location: https://github.com/Crypt32/PSPKI. You might be able to locate a good answer in his code. – Thom Schumacher Mar 22 '18 at 16:30
  • @thomschumacher I saw some pem-pfx conversion utils, and PKI interactions, but not much on dealing with a local snk file. It shouldn't be this hard. :-( – deitch Mar 22 '18 at 16:33
  • OK, so I read through that post you linked to and have a better understanding of your problem. Does your `.snk` contain only the public RSA key? – Maximilian Burszley Mar 22 '18 at 16:33
  • I am fairly certain it contains public and private, given that it is password-protected. All of this is just around managing keys for PowerBI, believe it or not. I can export the keys, now I need to inspect them. – deitch Mar 22 '18 at 16:35
  • I would be thrilled if I could just run the thing through `sn` or `openssl` and get straightforward info about it. – deitch Mar 22 '18 at 16:42
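
The thread turns on whether the `.snk` really is a CSP blob, and the asker's UPDATE says it was not. The following is an added example, not code from the thread: a header check based on the Windows CryptoAPI RSA key blob layout and the `sn.exe -p` public key header. The function names are hypothetical and the sample blob is constructed with dummy key bytes.

```python
import struct

# Values from the Windows CryptoAPI headers (wincrypt.h).
PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
RSA_ALGS = {0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX"}
MAGIC = {PUBLICKEYBLOB: b"RSA1", PRIVATEKEYBLOB: b"RSA2"}


def parse_csp_blob(data: bytes) -> dict:
    """Parse BLOBHEADER + RSAPUBKEY and check the length the header implies."""
    if len(data) < 20:
        raise ValueError("too short for BLOBHEADER + RSAPUBKEY")
    btype, _version, _reserved, alg = struct.unpack_from("<BBHI", data, 0)
    magic, bits, exponent = struct.unpack_from("<4sII", data, 8)
    if MAGIC.get(btype) != magic or alg not in RSA_ALGS:
        raise ValueError("not an RSA CSP key blob")
    if bits == 0 or bits % 16:
        raise ValueError("implausible modulus length")
    # Public blob: modulus only. Private blob: modulus, then p, q, dP, dQ,
    # qInv (bits/16 bytes each) and d (bits/8 bytes) = 9 * bits / 16 bytes.
    body = bits // 8 if btype == PUBLICKEYBLOB else 9 * bits // 16
    if len(data) != 20 + body:
        raise ValueError("length does not match the bit length in the header")
    modulus = int.from_bytes(data[20:20 + bits // 8], "little")
    return {"private": btype == PRIVATEKEYBLOB, "alg": RSA_ALGS[alg],
            "bits": bits, "exponent": exponent, "modulus": modulus}


def classify_snk(data: bytes) -> dict:
    """Describe an .snk file, or return layout 'unknown' if it is no RSA CSP blob."""
    candidates = [("csp-blob", data)]
    if len(data) >= 12:
        # sn.exe -p output: SigAlgID, HashAlgID, cbPublicKey, then a PUBLICKEYBLOB.
        (cb_key,) = struct.unpack_from("<I", data, 8)
        if cb_key == len(data) - 12:
            candidates.append(("sn-public-key", data[12:]))
    for layout, blob in candidates:
        try:
            return {"layout": layout, **parse_csp_blob(blob)}
        except ValueError:
            continue
    return {"layout": "unknown"}


def build_sample_private_blob(bits: int = 512) -> bytes:
    """Constructed sample: valid header layout, dummy key bytes (not a real key)."""
    header = struct.pack("<BBHI4sII", PRIVATEKEYBLOB, 2, 0, 0x2400, b"RSA2", bits, 65537)
    return header + b"\xab" * (9 * bits // 16)
```

Only a file reported as `csp-blob` is in the form `ImportCspBlob` takes; a password-encrypted or otherwise wrapped file comes back as `unknown`.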

0 Answers