What is a pfx file in SSL certificates and why you should save it? What is a pfx file in SSL...

What is a pfx file in SSL certificates and why you should save it?


An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. An SSL certificate is essentially an X.509 certificate but has several file extension types and encoding formats. Different devices may require different formats but a pfx file in PKCS#12 format contains the certificate, the intermediate authority certificate, and the private key to the certificate, which makes it an archive that stores everything you need to deploy a certificate.

SSL encoding formats and extensions

SSL format
PEM - PEM contains one or more X.509 digital certificate files that use base64 (ASCII) encoding and can be opened in any text editor. The certificate file types can be .pem , .crt , .cer , or .key. Each certificate in the PEM file is contained between the ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE---- statements. The private key is contained between the ---- BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements. The CSR is contained between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.

PKCS#7 - The PKCS#7 certificate uses Base64 ASCII encoding with file extension .p7b or .p7c. Only certificates can be stored in this format, not private keys. The P7B certificates are contained between the "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements.

DER - The DER certificates are in binary form, contained in .der or .cer files. These certificates are mainly used in Java-based web servers.

PKCS#12 - The PKCS#12 are in binary form, contained in .pfx or .p12 files. can store the server certificate, the intermediate certificate and the private key in a single .pfx file with password protection. These certificates are mainly used on the Windows platform.

What is a pfx file

A pfx file is a certificate in PKCS#12 format. It contains the SSL certificate (public keys) and the corresponding private keys with optional password protection. Certificate Authorities will not issue certificates with the private key. The private key is generated in pair with the CSR (Certificate Signing Request) on the user's server and saved there. Certificate Authorities just issue and share the certificates in .cer, .crt, and .p7b formats which don’t have the private key in most of the cases.

Create a single .pfx file with OpenSSL

OpenSSL is a library (program) available on any Unix operating system. You can use the below command to create a .pfx file that joins the SSL public keys, private keys together and can later be extracted when needed.

openssl pkcs12 -export -out Certificate.pfx -inkey Privatekey.key -in Certfilechain.crt

Certificate.pfx is the PFX file that will be created after the query has been completed successful. PrivateKey.key is the private key you have saved after creating your CSR. Certfilechain.crt is the certificate chain file that includes the domain certificate, intermediate certificates as well as the root CA certificates. When you enter the password protecting the certificate, the Certificate.pfx file will be created in the directory (where you are located).

Extract files from .pfx file with OpenSSL

You can use the following command to extract the certificate:
openssl pkcs12 -in Certificate.pfx -clcerts -nokeys -out Certfilechain.crt

You can use the following command to decrypt the private key:
openssl rsa -in Privatekey.key -out decrypted.key

Type the password that you created to protect the private key file in the previous step. Now you have the private key and certificate now.

Create a pfx file on Windows IIS

From a Windows operating system, an existing certificate can be exported from the certificate store as a pfx file using the MMC. The IIS Web Server allows you to export an existing certificate to pfx directly from the server certificate store. Exporting is very simple - right-click on the certificate and select Export. After you choose a password to protect the pfx file, it is saved.

You can save the pfx file in multiple locations and in case your server crashes, you can redeploy the SSL with the saved pfx file in a timely manner.

* (Your email address will not be published.)