export-certificate.psm1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
function get-certificateroots {
    Param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $cert
    )

    if ($cert.Issuer -eq $cert.Subject) {
        #@($cert)
    } else {

        foreach-object {
            $certs = get-childitem -recurse cert:\ | where Subject -eq $cert.issuer | Sort-Object | get-unique
            $certs | get-certificateroots;
            $certs
        }
    }
}

function ConvertTo-PEM {
    [CmdletBinding(DefaultParameterSetName="PublicDefault")]
    Param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,

        [Parameter(Mandatory=$true, ParameterSetName="PrivateKey")]
        [switch]
        $PrivateKey,

        [Parameter(Mandatory=$true, ParameterSetName="PublicKey")]
        [switch]
        $PublicKey,

        [Parameter(Mandatory=$true, ParameterSetName="PublicChain")]
        [switch]
        $Chain,

        [Parameter(Mandatory=$true, ParameterSetName="FullChain")]
        [switch]
        $FullChain
    )

    if ($PSCmdlet.ParameterSetName -eq "PrivateKey" -and $PrivateKey -eq $false) { throw "Parameter PrivateKey's value must be `$true or left undefined" }
    if ($PSCmdlet.ParameterSetName -eq "PublicKey" -and $PublicKey -eq $false) { throw "Parameter PublicKey's value must be `$true or left undefined" }
    if ($PSCmdlet.ParameterSetName -eq "PublicChain" -and $Chain -eq $false) { throw "Parameter Chain's value must be `$true or left undefined" }
    if ($PSCmdlet.ParameterSetName -eq "FullChain" -and $FullChain -eq $false) { throw "Parameter FullChain's value must be `$true or left undefined" }

    if ($PrivateKey) {
        if (-not $Certificate.HasPrivateKey) { throw "No private key for certificate" }
        if ($Certificate.PrivateKey -eq $null) { throw "Access Denied" }
        $algo = $Certificate.PrivateKey.Key.Algorithm
        write-output "-----BEGIN $algo PRIVATE KEY-----"
        [System.Convert]::ToBase64String($Certificate.PrivateKey.ExportRSAPrivateKey(), 1)
        write-output "-----END $algo PRIVATE KEY-----"
    } elseif ($PublicKey) {
        $algo = $Certificate.PublicKey.Key.Key.Algorithm
        write-output "-----BEGIN PUBLIC KEY-----"
        [System.Convert]::ToBase64String($Certificate.PublicKey.Key.ExportSubjectPublicKeyInfo(), 1)
        write-output "-----END PUBLIC KEY-----"
    } elseif ($Chain) {
        get-certificateroots $Certificate | ForEach-Object {
            write-output "-----BEGIN CERTIFICATE-----"
            write-output ([System.Convert]::ToBase64String($_.RawData, 1))
            write-output "-----END CERTIFICATE-----"
        }
    } elseif ($FullChain) {
        foreach-object {$Certificate; get-certificateroots $Certificate} | ForEach-Object {
            write-output "-----BEGIN CERTIFICATE-----"
            write-output ([System.Convert]::ToBase64String($_.RawData, 1))
            write-output "-----END CERTIFICATE-----"
        }
    } else {
        write-output "-----BEGIN CERTIFICATE-----"
        write-output ([System.Convert]::ToBase64String($Certificate.RawData, 1))
        write-output "-----END CERTIFICATE-----"
    }
}

Export-ModuleMember -Cmdlet ConvertTo-PEM