How to create a PFX file

The file extension PFX denotes a certificate in the PKCS#12 format. Such a file contains the certificate, the intermediate certificate of the certificate authority (which establishes the certificate's chain of trust), and the private key. You can think of the file as an archive that holds everything needed to import the certificate.

SSLmarket deliberately does not allow the private key to be downloaded from the customer centre, as this would require storing the private key in our system, which we want to avoid.

You can generate the private key together with the CSR on our site, but you are responsible for saving it yourself (for the subsequent installation of the certificate).

When do you need a PFX? Particularly in the following cases:

  • You would like to install the certificate on a Windows server (IIS), but the CSR was not generated in IIS
  • You need the certificate for a Windows server, but IIS is not available to you for generating the CSR
  • You generated the CSR in SSLmarket and saved the private key, and now you need to import the certificate to a Windows server
  • You purchased a Code Signing certificate and you require the PFX file for signing.

For these and other situations, we provide the following tutorial.

How to create a PFX using OpenSSL

OpenSSL is a library (and command-line programme) available on every Unix-like operating system. If you have or work with a Linux server, you will certainly find OpenSSL among the available programmes.

In OpenSSL you combine the certificate (together with the CA chain) and the separately saved private key into a PFX (PKCS#12) file. You can do so with the following command, where linux_cert+ca.pem is a PEM file containing your certificate followed by the intermediate certificate:

openssl pkcs12 -export -in linux_cert+ca.pem -inkey privatekey.key -out output.pfx

After you have entered the password that will protect the file, a file named output.pfx (or whichever name you chose in the command above) is created in the directory you are currently in.
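The following script, added here as an example and not part of SSLmarket's own tooling, carries out the export described above in a form you can run end to end. It assumes only that the openssl command-line tool (1.1.1 or 3.x) is installed. Because no CA-issued certificate is available offline, it creates a throwaway self-signed certificate and key as constructed stand-ins for linux_cert+ca.pem and privatekey.key; the PFX-building and verification steps are the same ones you would run against a real certificate. It also adds two checks the bare command does not give you: that the private key actually belongs to the certificate before bundling, and that the resulting file opens with the export password and refuses a wrong one.

```shell
#!/bin/sh
# Added example (not SSLmarket's code): bundle a PEM certificate chain and its
# private key into a password-protected PFX (PKCS#12) with OpenSSL, after
# checking that the key really belongs to the certificate, then confirm the
# bundle opens with the right password and not with a wrong one.
# Requires the openssl command-line tool (1.1.1 or 3.x).

# Return 0 only if the public key inside the certificate equals the public key
# derived from the private key. A mismatched pair still produces a PFX that
# imports without complaint, but the server can never use it.
key_matches_cert() {
  kmc_cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  kmc_key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$kmc_cert_pub" = "$kmc_key_pub" ]
}

# Build the PFX. $1 = PEM file holding the certificate followed by the
# intermediate(s) (the page's linux_cert+ca.pem), $2 = private key file,
# $3 = output path, $4 = export password. The password is handed to openssl
# via the environment (env:) rather than on the command line (pass:), so it
# does not show up in the process list of other users on the machine.
build_pfx() {
  key_matches_cert "$1" "$2" || return 1
  PFX_PASS="$4" openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -passout env:PFX_PASS
}

# Return 0 if the PFX parses and its integrity MAC verifies under the given
# password. -noout checks the file without writing the key anywhere.
verify_pfx() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS 2>/dev/null
}

# Constructed test material: a one-day self-signed certificate standing in for
# a CA-issued one, plus an unrelated key to exercise the mismatch check.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed.example" \
    -keyout "$1/privatekey.key" -out "$1/cert.pem" 2>/dev/null || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/otherkey.key" 2>/dev/null
}

# Stand-alone run: build a PFX in a temporary directory and check it.
run_demo() {
  demo_dir=$(mktemp -d) || return 1
  make_test_material "$demo_dir" || return 1
  build_pfx "$demo_dir/cert.pem" "$demo_dir/privatekey.key" \
    "$demo_dir/output.pfx" "constructed-export-password" || return 1
  verify_pfx "$demo_dir/output.pfx" "constructed-export-password" || return 1
  echo "PFX written to $demo_dir/output.pfx and opens with the export password"
}

run_demo
```

In day-to-day use you would call build_pfx with your issued certificate chain and saved private key, and let openssl prompt for the password interactively instead of passing it in at all; the env: form is used here only so the script runs unattended.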

How to create a PFX file on a Windows server

Obtain a PFX from an existing certificate

The Windows operating system allows you to export an existing certificate from the Certificate Store as a PFX file using the MMC console. You can take this approach on Windows servers if IIS keeps its certificates in the Certificate Store.

The IIS web server allows you to export an existing certificate to PFX directly from the list of certificates saved on the server. The private key and the CSR are generated when the request is created in IIS, and the certificate is imported back after it has been issued (both steps are described in our tutorials for the various Windows versions).

The export is very easy: right-click the respective certificate and choose "Export". After you have entered the password that secures the PFX file, the certificate is saved to disk.

Exporting the SSL certificate from IIS

Import of a new certificate and creation of the PFX file

Unfortunately, this approach is not possible. The Windows certificate store does not support importing a private key from a separate file, so you cannot join the key and the certificate into a PFX in the MMC console the way you can with OpenSSL. This means you can only import a ready-made PFX into the IIS web server.

If you would like to import a new certificate to a Windows server, and the private key is not on the server (because you did not create the CSR on the server), you can take one of the following steps:

  • Create the PFX somewhere else (e.g. with OpenSSL) and then import the certificate as a PFX.
  • Create a new request (CSR) on the server and have the certificate reissued. The certificate is issued again for free and can then be imported to match the private key that now exists on the server. You can request the reissue yourself in the administration of your customer account.

How to create the PFX file by using a third party application

You can create a PFX file from separately stored keys in a graphical programme if you wish to avoid OpenSSL.

We recommend the open source application XCA as the best solution for this purpose. This intuitive programme allows you to manage all your certificates and keys. Its main advantage is that it automatically pairs keys with their certificates, which spares you from having to investigate which key belongs to which certificate. Importing keys is simple, and the certificate can be exported in all common formats.

The XCA programme for key management

(In)security of the PFX file

The PFX file is always password protected, as it contains the private key. When generating the file, choose the password wisely, as it is what protects your certificate from unauthorised use. A password such as "12345" is exactly what an attacker hopes for: the weaker it is, the faster they gain access to the certificate.

With a stolen code signing certificate, an attacker could sign any file in your company's name. This is why it is important to store the PFX file safely, or to purchase a Code Signing EV certificate. Code Signing EV certificates are stored on hardware tokens, which makes unauthorised use in case of theft impossible: if the password is entered incorrectly several times in a row, the token is blocked.