An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection.
SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser.
An SSL certificate is essentially an X.509 certificate but has several file extension types and encoding formats.
Different devices may require different formats but a pfx file in PKCS#12 format contains the certificate,
the intermediate authority certificate, and the private key to the certificate,
which makes it an archive that stores everything you need to deploy a certificate.
SSL encoding formats and extensions
- PEM contains one or more X.509 digital certificate files that use base64 (ASCII) encoding and can be opened in any text editor.
The certificate file types can be
Each certificate in the PEM file is contained between the ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE---- statements.
The private key is contained between the ---- BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements.
The CSR is contained between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.
- The PKCS#7 certificate uses Base64 ASCII encoding with file extension
. Only certificates can be stored in this format, not private keys.
The P7B certificates are contained between the "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements.
- The DER certificates are in binary form, contained in .der
files. These certificates are mainly used in Java-based web servers.
- The PKCS#12 are in binary form, contained in
files. can store the server certificate, the intermediate certificate and the private key in a single .pfx file with password protection. These certificates are mainly used on the Windows platform.
What is a pfx file
A pfx file is a certificate in PKCS#12 format. It contains the SSL certificate (public keys) and
the corresponding private keys with optional password protection.
Certificate Authorities will not issue certificates with the private key.
The private key is generated in pair with the CSR (Certificate Signing Request) on the user's server and saved there.
Certificate Authorities just issue and share the certificates in .cer, .crt, and .p7b formats
which don’t have the private key in most of the cases.
Create a single .pfx file with OpenSSL
OpenSSL is a library (program) available on any Unix operating system. You can use the below command to create a .pfx file that
joins the SSL public keys, private keys together and can later be extracted when needed.
openssl pkcs12 -export -out Certificate.pfx -inkey Privatekey.key -in Certfilechain.crt
Certificate.pfx is the PFX file that will be created after the query has been completed successful.
PrivateKey.key is the private key you have saved after creating your CSR.
Certfilechain.crt is the certificate chain file that includes the domain certificate, intermediate certificates as well as the root CA certificates.
When you enter the password protecting the certificate, the Certificate.pfx file will be created in the directory (where you are located).
Extract files from .pfx file with OpenSSL
You can use the following command to extract the certificate:
openssl pkcs12 -in Certificate.pfx -clcerts -nokeys -out Certfilechain.crt
You can use the following command to decrypt the private key:
openssl rsa -in Privatekey.key -out decrypted.key
Type the password that you created to protect the private key file in the previous step.
Now you have the private key and certificate now.
Create a pfx file on Windows IIS
From a Windows operating system, an existing certificate can be exported from the certificate store as a pfx file using the MMC.
The IIS Web Server allows you to export an existing certificate to pfx directly from the server certificate store.
Exporting is very simple - right-click on the certificate and select Export.
After you choose a password to protect the pfx file, it is saved.
You can save the pfx file in multiple locations and in case your server crashes, you can redeploy the SSL with the saved pfx file in a timely manner.