diff --git a/README-es.md b/README-es.md
index 3a612a3..159de68 100644
--- a/README-es.md
+++ b/README-es.md
@@ -6,4 +6,8 @@ Si se revoca alguno de estos certificados con SN duplicado, y están en uso en o
 nos llevaremos la sorpresa de haber revocado más de lo deseado. Esta herramienta encuentra
 esas duplicidades de SN usando como entrada un backup XML de configuración de pfSense no cifrado.
 
-Último cambio 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
+También mostrará los certificados de CA, servidor y usuario.
+
+2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
+
+Último cambio 2019/09/11: Nueva funcionalidad: Ahora también se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN.
diff --git a/README.md b/README.md
index d9c51ec..64cf45c 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,11 @@ are revoked, and it's in use by openVPN, we will be surprised of having more
 revoked certs than the desired. This tool finds those duplicated SerialNumbers
 into a non encrypted xml pfSense config backup.
 
-Last change 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
+CA roots, server certificates and user certificates will also be displayed.
+
+2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
+
+Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
 
 Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:
 
diff --git a/pfSenseCertViewer.ps1 b/pfSenseCertViewer.ps1
index 98697c2..33121e9 100644
--- a/pfSenseCertViewer.ps1
+++ b/pfSenseCertViewer.ps1
@@ -1,9 +1,9 @@
 ####
 ### pfSense Certificate Viewer (without private key)
-### Version 1.0.3
+### Version 1.0.4
 ####
-# Redefine the $cfg string variable to point to a valid non encrypted pfSense XML configuration backup file.
-# You can also pass the command line FilePath parameter as path to the input XML cfg file.
+# Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
+# You can also use the command line FilePath parameter as path to the input XML cfg file
 
 # This script will return the CA certificates, Server certificates, User certificates (used or not) and duplicated Serial Number Certificates
 #
@@ -14,13 +14,22 @@
 #[CmdletBinding()]
     Param (
         [Parameter(Mandatory=$false,
-                        Position=0,
-                        ValueFromPipeline=$true,
-                        ValueFromPipelineByPropertyName=$true)]
+                   Position=0,
+                   ValueFromPipeline=$true,
+                   ValueFromPipelineByPropertyName=$true)]
         [Alias("File")]
         [string]$FilePath)
 
 
+Function Get-BeginEndWO {
+    Param([Parameter(Mandatory=$true, Position=0)]
+          [string]$path)
+
+    [string[]]$text = Get-Content $path -Encoding UTF8
+    #Remove 1st and last lines
+    $text[1..($text.Count-2)]
+}
+
 Function Get-CN {
     Param([Parameter(Mandatory=$true)][string]$name)
     if($name -match "CN=([^,]*)") {
@@ -61,10 +70,87 @@ Function Add-Lista {
     }
 }
 
+
+Function Decrypt {
+    Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
+         ,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
+         ,[Parameter(Mandatory=$false,Position=2)][string]$pass)
+
+    # If $openSSL is not '', we will look for the openSSL.exe available with openVPN install.
+    # You can define a value for $openSSL if you have a valid openssl executable path.
+    [string]$openSSL = ''
+    if ($openSSL -eq '') {
+        #Look for openvpn installation
+        [string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
+        if (-not (Test-Path($rutaREG))) {
+            Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed
+            Exit (3)
+        }
+        
+        $openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
+    }
+
+    if ($pass -eq '') {
+        [System.Security.SecureString]$pwd = Read-Host "Password XML File:" -AsSecureString
+        $pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd))
+    }
+
+    & "$($openSSL)" enc -d -aes-256-cbc -in "$($fileIn)" -out "$($fileOut)" -salt -md md5 -k ''$($pass)''
+}
+
+Function Get-ConfigFile {
+    Param([Parameter(Mandatory=$true,Position=0)][string]$filePath `
+         ,[Parameter(Mandatory=$true,Position=1)][ref]$xml)
+
+    if (-not (Test-Path -Path $filePath)) {
+        Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
+        Exit 1
+    }
+
+    [bool]$encrypted = $false
+    try {
+        $xml.Value = Get-Content $filePath -Encoding UTF8
+    }
+    catch {
+        $encrypted = $true
+    }
+
+    if ($encrypted -eq $true) {
+        #Encrypted xml file
+        [string[]]$cifrado = Get-BeginEndWO -path $filePath
+        $f1Cin  = New-TemporaryFile
+        $f1Cou  = New-TemporaryFile
+        try {
+            [IO.File]::WriteAllBytes($f1Cin.FullName, [System.Convert]::FromBase64String($cifrado))
+            Decrypt -fileIn $f1Cin.FullName -fileOut $f1Cou.FullName
+
+            # Check if file exists
+            if (-not (Test-Path $f1Cou.FullName) -or (Get-Item $f1Cou.FullName).Length -eq 0) {
+                Write-Host "Unable to decrypt file. Process stoped." -BackgroundColor DarkRed
+                Exit 4
+            }
+            
+            # File exists
+            $xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
+        }
+        catch {
+            Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed
+            Exit 5
+        }
+        finally {
+            Remove-Item $f1Cin.FullName -Force
+            Remove-Item $f1Cou.FullName -Force
+        }
+    }
+}
+
+
 #
 # BODY
 #
 
+#$ErrorActionPreference = 'SilentlyContinue'
+
 # Check if param 0 is assigned
 if ($FilePath -eq $null -or $FilePath -eq '') {
     [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
@@ -75,13 +161,9 @@ else {
 }
 
 
-if (-not (Test-Path -Path $cfg)) {
-    Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
-    Exit 1
-}
-
-#Read XML pfSense config file (UTF8 enconding)
-[xml]$fxml = Get-Content $cfg -Encoding UTF8
+#Read XML pfSense config file (UTF8 Encoding)
+[xml]$fxml = $null
+Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)
 
 #Get the CRL revocation list
 [DateTime]$time0 = '1970-01-01'
@@ -98,7 +180,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
 Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
 #Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>.
 
-Remove-Variable fxml, r
+Remove-Variable fxml
 
 #List of CA Certificates
 Write-Output "`nCA Certificates"