Generating an RSA key pair in powershell

2

7

I want to generate an RSA public/private key pair in PowerShell without using external software, and I want to test it. It should be able to encrypt/decrypt data on any online public/private key verification service.

Purpose: strictly educational. I'm very well aware that you shouldn't export your private key online for security purposes.

So far I've tried ssh-keygen and

$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
# CSP blob that includes the private parameters (includePrivateParameters = $true)
[System.Convert]::ToBase64String($rsa.ExportCspBlob($true))
# CSP blob with the public key only
[System.Convert]::ToBase64String($rsa.ExportCspBlob($false))

System.Security.Cryptography.RSACryptoServiceProvider creates P, Q etc., all the raw material for calculating the public/private key, but I don't want the raw material.

ExportCspBlob(x) provides a key, but when I try to verify it online, the key pair verification fails.

So, is there any way to create an RSA public/private key pair in PowerShell without using any external programs, which can be directly copy-pasted into a certificate format (the one with the -----BEGIN PRIVATE KEY----- stuff)?

Poirer answered 21/3, 2019 at 15:57 Comment(2)
Do you need these keys for SSH? Selfservice
@MikeTwc no, as I said, educational purpose. So, I just want to create a key pair, and test it by encrypting and decrypting a string. Poirer
6

If you just want to implement public key encryption/decryption with PowerShell, there are built-in tools for that. To generate a key pair, just use the New-SelfSignedCertificate cmdlet; then you can use the generated certificate to encrypt/decrypt data using Protect-CmsMessage/Unprotect-CmsMessage (these are PGP-like cmdlets, meaning you don't have to deal with the symmetric key part yourself). Then, to share or move keys to other machines, you can use the Import-Certificate/Export-Certificate cmdlets. See the example below.

$store = "cert:\CurrentUser\My"

$params = @{
    CertStoreLocation = $store
    Subject           = "CN=Test1"
    KeyLength         = 2048
    KeyAlgorithm      = "RSA"
    KeyUsage          = "DataEncipherment"
    Type              = "DocumentEncryptionCert"   # adds the Document Encryption EKU that Protect-CmsMessage requires
}

# Generate a new self-signed certificate (with its RSA key pair) and add it to the certificate store
$cert = New-SelfSignedCertificate @params

# List all certs in the store
# Get-ChildItem -Path $store

# Encryption / Decryption

$message = "My secret message"

# Encrypt to the recipient certificate; the CMS output is a "-----BEGIN CMS-----" text block
$cipher = $message | Protect-CmsMessage -To "CN=Test1"
Write-Host "Cipher:" -ForegroundColor Green
$cipher

# Decryption looks up the matching private key in the current user's store
Write-Host "Decrypted message:" -ForegroundColor Green
$cipher | Unprotect-CmsMessage

# Exporting/Importing certificate

# ($pwd is an automatic variable holding the current directory, so use a different name)
$pfxPassword = ("P@ssword" | ConvertTo-SecureString -AsPlainText -Force)
$privateKey = "$home\Documents\Test1.pfx"
$publicKey = "$home\Documents\Test1.cer"

# Export the private key as a password-protected PFX, to use these keys on a different machine/user
Export-PfxCertificate -FilePath $privateKey -Cert $cert -Password $pfxPassword

# Export the public key (certificate only, no private key), to share with other users
Export-Certificate -FilePath $publicKey -Cert $cert

# Remove the certificate from the store
$cert | Remove-Item

# Add them back:
# Add the private key on your machine
Import-PfxCertificate -FilePath $privateKey -CertStoreLocation $store -Password $pfxPassword

# This is for other users (so they can send you encrypted messages)
Import-Certificate -FilePath $publicKey -CertStoreLocation $store
Selfservice answered 22/3, 2019 at 17:53 Comment(0)
0

Try using the PowerShell methods shown below.

$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
# PKCS#1 PEM ("-----BEGIN RSA PRIVATE KEY-----"); these *Pem methods need .NET 7 or later
$rsa.ExportRSAPrivateKeyPem() | Out-File -FilePath 'C:\temp\privatekey.txt'
# PKCS#1 PEM ("-----BEGIN RSA PUBLIC KEY-----")
$rsa.ExportRSAPublicKeyPem() | Out-File -FilePath 'C:\temp\publickey.txt'
Senator answered 24/1, 2024 at 14:39 Comment(1)
I believe you will need to install .NET 7 or later to use these methods, see this question. Square
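An added example (not from the question or either answer) that does what the question asks end to end: generate a pair, write it out as PKCS#8 "BEGIN PRIVATE KEY" / "BEGIN PUBLIC KEY" PEM (the header the question asked for; ExportRSAPrivateKeyPem produces the PKCS#1 "BEGIN RSA PRIVATE KEY" form instead), then reload both files and confirm an RSA-OAEP encrypt/decrypt round trip. It assumes PowerShell 7.3 or later (.NET 7+), and the output directory and message are constructed placeholders.

```powershell
# Assumes PowerShell 7.3+ (.NET 7 or later), where the *Pem export/import methods below exist.
# $keyDir is a constructed placeholder; nothing here is the original poster's code.
$keyDir = Join-Path ([IO.Path]::GetTempPath()) 'rsa-demo'
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null

function New-RsaPemPair {
    param([int]$KeyLength = 2048)
    # RSA.Create works on Windows, Linux and macOS (RSACryptoServiceProvider is Windows-only)
    $rsa = [System.Security.Cryptography.RSA]::Create($KeyLength)
    try {
        return [pscustomobject]@{
            PrivateKeyPem = $rsa.ExportPkcs8PrivateKeyPem()        # -----BEGIN PRIVATE KEY-----  (PKCS#8)
            PublicKeyPem  = $rsa.ExportSubjectPublicKeyInfoPem()   # -----BEGIN PUBLIC KEY-----   (SPKI)
        }
    } finally { $rsa.Dispose() }
}

function Test-RsaPemPair {
    param([string]$PublicKeyPem, [string]$PrivateKeyPem, [string]$Message)
    # OAEP with SHA-256, not PKCS#1 v1.5 padding, for the encryption round trip
    $oaep  = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $plain = [Text.Encoding]::UTF8.GetBytes($Message)

    # Encrypt with a key object built from the public PEM only
    $pub = [System.Security.Cryptography.RSA]::Create()
    $pub.ImportFromPem($PublicKeyPem)
    $cipher = $pub.Encrypt($plain, $oaep)

    # Decrypt with a separate key object built from the private PEM
    $priv = [System.Security.Cryptography.RSA]::Create()
    $priv.ImportFromPem($PrivateKeyPem)
    $decrypted = [Text.Encoding]::UTF8.GetString($priv.Decrypt($cipher, $oaep))

    $pub.Dispose(); $priv.Dispose()
    return ($decrypted -ceq $Message)   # $true only if the two PEM files really are a pair
}

$pair = New-RsaPemPair
Set-Content -Path (Join-Path $keyDir 'private.pem') -Value $pair.PrivateKeyPem -NoNewline
Set-Content -Path (Join-Path $keyDir 'public.pem')  -Value $pair.PublicKeyPem  -NoNewline

# Reload from disk, exactly as a verification tool would, and check the round trip
$ok = Test-RsaPemPair -PublicKeyPem  (Get-Content (Join-Path $keyDir 'public.pem')  -Raw) `
                      -PrivateKeyPem (Get-Content (Join-Path $keyDir 'private.pem') -Raw) `
                      -Message 'My secret message'
"Round trip succeeded: $ok"
```

Because the files are written unencrypted, delete the private.pem under the temp directory when you are done; for anything beyond this test, keep the private key in a certificate store or PFX as the accepted answer does.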
