This can be done with OpenSSL. This same technique can be used to change Legacy Key Provider types.
First we convert the current Certificate from a PFX file to a PEM file:
    set RANDFILE=.\openssl.rnd
    openssl pkcs12 -in idp.pfx -out idp.pem
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
Then we convert it back from a PEM file to a PFX file:
    openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
    Loading 'screen' into random state - done
    Enter pass phrase for idp.pem:
    Enter Export Password:
    Verifying - Enter Export Password:
Note that I am using the “Microsoft Enhanced RSA and AES Cryptographic Provider” as the target because the “Microsoft Strong Cryptographic Provider” has limitations in AES and SHA256 support.
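To confirm that the new PFX really carries the intended provider, the CSP name can be read back from the key bag. The script below is an added example, not part of the original post: it runs the same two conversions on a throwaway certificate and prints the provider before and after. The function names (`csp_name_of`, `change_csp`, `demo`), the CN and the password are constructed for the demo, and the password is passed with `pass:` only so the demo runs unattended; for a real key, let openssl prompt as shown above.

```bash
#!/usr/bin/env bash
# Added example: round-trips a throwaway, constructed certificate through
# PFX -> PEM -> PFX and reads back the CSP attribute. Not the author's code.

# Print the "Microsoft CSP Name" attribute stored on the key bag of a PFX.
# The private key leaves openssl only re-encrypted and is discarded by sed.
csp_name_of() {  # usage: csp_name_of <file.pfx> <password>
  openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout "pass:$2" 2>/dev/null |
    sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

# Rebuild a PFX with a different CSP name via an intermediate PEM file.
change_csp() {  # usage: change_csp <in.pfx> <out.pfx> <password> <csp name>
  local pem
  pem=$(mktemp) || return 1
  openssl pkcs12 -in "$1" -out "$pem" -passin "pass:$3" -passout "pass:$3" 2>/dev/null &&
    openssl pkcs12 -export -in "$pem" -out "$2" -CSP "$4" \
      -passin "pass:$3" -passout "pass:$3" 2>/dev/null
  local rc=$?
  rm -f "$pem"   # the PEM holds the (encrypted) private key; do not leave it behind
  return $rc
}

# Constructed test data: a one-day self-signed certificate and a demo password.
demo() {
  local d pw='constructed-demo-password'
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-idp-demo' \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" -out "$d/idp.pfx" \
    -CSP 'Microsoft Strong Cryptographic Provider' -passout "pass:$pw" 2>/dev/null &&
  change_csp "$d/idp.pfx" "$d/new-idp.pfx" "$pw" \
    'Microsoft Enhanced RSA and AES Cryptographic Provider' &&
  echo "before: $(csp_name_of "$d/idp.pfx" "$pw")" &&
  echo "after:  $(csp_name_of "$d/new-idp.pfx" "$pw")"
  local rc=$?
  rm -rf "$d"    # remove the throwaway key material
  return $rc
}

demo
```

The attribute lives on the key bag, so it is not shown when the PFX is listed with `-nokeys`; that is why `csp_name_of` uses `-nocerts` instead.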
OpenSSL Documentation can be found here.