Functions/Private/Get-PFXFromPem.ps1
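function Get-PFXFromPem {
    <#
    .SYNOPSIS
        Builds an X509Certificate2 with private key from PEM-encoded certificate and key material.

    .DESCRIPTION
        The certificate and the key can each be supplied inline (PEM text) or as a file path; an inline
        value takes precedence over the corresponding file parameter. A key that begins with
        "-----BEGIN ENCRYPTED PRIVATE KEY-----" is decrypted with -ClientKeyPassword or
        -SecureClientKeyPassword; when neither is given the password is prompted for interactively.
        The PEM-loaded certificate is exported to PFX bytes and re-imported, and that re-imported
        object is what is returned.

    .PARAMETER ClientCertificate
        PEM-encoded certificate text. Takes precedence over -ClientCertificateFile.
    .PARAMETER ClientCertificateFile
        Path of a file holding the PEM-encoded certificate. Used only when -ClientCertificate is empty.
    .PARAMETER ClientKey
        PEM-encoded private key text. Takes precedence over -ClientKeyFile.
    .PARAMETER ClientKeyFile
        Path of a file holding the PEM-encoded private key. Used only when -ClientKey is empty.
    .PARAMETER ClientKeyPassword
        Plain-text password for an encrypted key. A .NET string cannot be zeroed after use and may
        show up in transcripts and call-stack dumps, so -SecureClientKeyPassword is the safer option.
    .PARAMETER SecureClientKeyPassword
        Password for an encrypted key as a SecureString. Takes precedence over -ClientKeyPassword.

    .OUTPUTS
        System.Security.Cryptography.X509Certificates.X509Certificate2 (HasPrivateKey is expected to be true).

    .NOTES
        Writes a non-terminating error and returns nothing when a referenced file does not exist.
        Throws when either the certificate or the key could not be obtained, and lets exceptions from
        the .NET PEM parsers (bad format, wrong password) propagate.
    #>
    Param (
        [Parameter(ValueFromPipelineByPropertyName)]
        [string] $ClientCertificate,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string] $ClientCertificateFile,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string] $ClientKey,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string] $ClientKeyFile,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string] $ClientKeyPassword,

        [Parameter(ValueFromPipelineByPropertyName)]
        [System.Security.SecureString] $SecureClientKeyPassword
    )

    process {
        $CertificateContent = $null
        $KeyContent = $null

        # --- certificate: inline text wins over a file path ---
        if ($ClientCertificate) {
            $CertificateContent = $ClientCertificate
        }
        elseif ($ClientCertificateFile) {
            # -LiteralPath: file names may legitimately contain PowerShell wildcard characters ('[', ']', '*').
            if (-not (Test-Path -LiteralPath $ClientCertificateFile)) {
                Write-Error "Client certificate file '$ClientCertificateFile' not found"
                return
            }
            Write-Debug "Reading certificate from file: $ClientCertificateFile"
            $CertificateContent = Get-Content -Raw -LiteralPath $ClientCertificateFile
        }

        # --- private key: inline text wins over a file path ---
        if ($ClientKey) {
            $KeyContent = $ClientKey
        }
        elseif ($ClientKeyFile) {
            if (-not (Test-Path -LiteralPath $ClientKeyFile)) {
                Write-Error "Client key file '$ClientKeyFile' not found"
                return
            }
            Write-Debug "Reading key from file: $ClientKeyFile"
            $KeyContent = Get-Content -Raw -LiteralPath $ClientKeyFile
        }

        # Both halves are needed; an empty file yields $null from Get-Content -Raw and is caught here too.
        if (-not ($CertificateContent -and $KeyContent)) {
            throw "Both client certificate and key are required for mutual TLS."
        }

        $PemCertificate = $null
        try {
            # TrimStart: tolerate a leading newline/BOM before the PEM header when deciding the key type.
            if ($KeyContent.TrimStart().StartsWith("-----BEGIN ENCRYPTED PRIVATE KEY-----")) {
                if (-not $ClientKeyPassword -and -not $SecureClientKeyPassword) {
                    $SecureClientKeyPassword = Read-Host -Prompt "Enter password for encrypted key" -AsSecureString
                }

                if ($SecureClientKeyPassword) {
                    # The BSTR holds the decrypted password; it must be zeroed and freed, not leaked.
                    # PtrToStringBSTR is used instead of PtrToStringAuto because a BSTR is always UTF-16,
                    # whereas PtrToStringAuto decodes as UTF-8 on non-Windows hosts and mangles the password.
                    $Bstr = [System.IntPtr]::Zero
                    try {
                        $Bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureClientKeyPassword)
                        $ClientKeyPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
                    }
                    finally {
                        if ($Bstr -ne [System.IntPtr]::Zero) {
                            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
                        }
                    }
                }

                $PemCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromEncryptedPem(
                    $CertificateContent, $KeyContent, $ClientKeyPassword)
            }
            else {
                $PemCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPem(
                    $CertificateContent, $KeyContent)
            }

            # NOTE(review): the PFX export/re-import is kept from the original implementation; presumably it
            # is there so the returned object carries a key handle that TLS consumers accept - confirm.
            $PFXBytes = $PemCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)
            $PFX = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PFXBytes)
            return $PFX
        }
        finally {
            # The intermediate certificate owns a private key handle; release it once the PFX copy exists.
            if ($PemCertificate) {
                $PemCertificate.Dispose()
            }
        }
    }
}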