Extract certificates from PFX file _without_ using OpenSSL

Question

I found an answer that uses OpenSSL, but I'm on Windows, and I don't have it easily to hand. Is there a way (e.g. using CERTUTIL or VBScript) to see the certificates in a .PFX file?

If I use "certutil -dump", it asks for the password for the key. I don't want the key, and the certificate's supposed to be public.

Answer 1

You can use Get-PfxData from pkiclient.

https://learn.microsoft.com/en-us/powershell/module/pkiclient/get-pfxdata?view=win10-ps

Example:

$mypwd = ConvertTo-SecureString -String "localhost" -Force -AsPlainText
$mypfx = Get-PfxData -FilePath C:\Users\oscar\Desktop\localhost.pfx -Password $mypwd   
$mypfx
$mypfx.EndEntityCertificates

If you have the certificate in store and need a .sst (Microsoft serialized certificate store), .cer (CERT) or .p7b (PKCS#7) file you can use Export-Certificate from pkiclient (Or Export it via MMC without the private key).

https://learn.microsoft.com/en-us/powershell/module/pkiclient/export-certificate?view=win10-ps

Example for exporting IIS Express generated localhost certificate:

Start mmc.exe.

Then go to:

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

Expand the Personal folder and you will see your localhost certificate.

Double click, go to Details and copy the certificate Thumbprint.

Then run the command:

$cert = (Get-ChildItem -Path cert:\LocalMachine\My\{YourThumbprint})
Export-Certificate -Cert $cert -FilePath C:\Users\oscar\Desktop\localhost.cer

Note: If you need a certificate from your current user then replace LocalMachine with CurrentUser in the above command.

Answer 2

In a PFX file, both the private key and the certificate are encrypted (using the same password). If you do not know the password, you won’t get the certificate. If you know it, certutil -dump should suffice.