Getting Started with PFX File
A PFX certificate, also known as PKCS#12 certificate, is a file format that bundles your SSL/TLS certificate along with its private key in an encrypted format. The PFX file usually has the file extension .pfx or .p12. It allows you to securely transfer the certificate and its private key from one computer to another.
The private key in a PFX is protected by a password, so when you import the PFX file into a web server or other software, you will need to provide the password to decrypt and install the private key. PFX certificates enable you to easily back up, transfer, and install your certificates and keys between different systems and software. They provide a convenient way to deploy your SSL/TLS certificates with their private keys.
Key Takeaways
- A PFX file contains the SSL certificate, private key, and intermediates combined in one encrypted file.
- PFX stands for Personal Information Exchange and uses the PKCS #12 standard.
- PFX files are commonly used to import and export certificates and private keys in Windows.
- To create a PFX file, the certificate, private key, and intermediates need to be exported and combined using the OpenSSL toolkit.
- When creating a PFX, a password should be set to encrypt and secure the file.
- PFX files allow the secure transfer of SSL certificates and keys between servers.
- They can be imported into services like IIS, Azure Web Apps, Network Devices, and Windows/Mac Keychains.
What is a PFX File?
PFX, or PKCS #12, is a file format that stores cryptographic keys and certificates in an encrypted form. PFX stands for Personal Information Exchange, which emphasizes that it is used to transport your certificates and keys.
The PFX format uses the PKCS #12 standard established by RSA Laboratories. It defines both the file format and encryption algorithms for storing private keys, certificates, and other authenticated attributes.
Some key things about PFX files:
- Contains Private Key: The key difference between PFX and standard certificate formats like CRT is that PFX also includes your private key. The private key allows you to use the certificate for encryption/decryption.
- Encrypted File: A PFX stores the data in an encrypted manner using password-based encryption. This protects the certificate and key during file transfer.
- Bundled Format: The certificate, private key, and any required intermediate certificates are bundled together in the PFX file, allowing easy transfer of the full certificate chain.
- Used on Windows: The PFX format is mainly used on Windows machines to import and export certificate bundles with private keys. However, it can also be used on other platforms.
- PKCS #12 Standard: PFX conforms to the PKCS #12 specification from RSA Labs that defines the storage of cryptographic objects in an encrypted manner.
Why Use PFX Certificates?
PFX certificates provide the following key benefits:
Bundles Entire Certificate Chain
A PFX file can contain the end-entity SSL certificate issued to your domain, intermediate certificates, and the private key in one file. This allows you to transfer the complete certificate bundle needed to establish trust and encryption.
Encrypts Sensitive Key
The private key is encrypted using password protection in a PFX file. This secures the key during file transfer or storage on disks, unlike storing the raw key file.
Portable Across Platforms
Although PFX is a Windows standard, it can be imported across various operating systems and software, such as Windows, Linux, macOS, Android/iOS, and web/app servers.
Easy Import/Export
Tools like OpenSSL and Keychain Access on Mac let you easily import or export PFX files to extract certificates and keys, simplifying the transfer between servers.
Works Across Devices/Browsers
The certificates and keys from a PFX can be installed across devices like servers, desktops, and mobiles and integrated with major browsers like Chrome, Firefox, IE, etc.
In summary, PFX provides an efficient file-based mechanism to securely transfer SSL certificates and keys between various systems to establish HTTPS and SSL encryption.
How To Create a PFX File: A Step-by-Step Guide
A PFX file can be created using the OpenSSL toolkit. The process requires the following:
- The public SSL certificate issued by the CA for your domain. This is available as a CRT or PEM file.
- The private key is generated during CSR creation. This is available as a KEY file.
- Any intermediates provided by the CA to establish a trust chain.
- A password to encrypt the final PFX file.
Here are the steps to create a PFX file from these components using OpenSSL commands:
Step #1 Convert SSL Certificate to PEM
The SSL certificate from the CA is usually available in CRT (e.g., domain.crt) or PEM format. A CRT file may already be PEM text (it starts with -----BEGIN CERTIFICATE-----); if it is binary DER instead, convert it to PEM format first:
openssl x509 -inform der -in domain.crt -out domain.pem
Step #2 Concatenate Intermediates
Combine any intermediate certificates provided by CA into a single PEM file:
cat intermediate1.pem intermediate2.pem > intermediates.pem
Step #3 Combine PEM Files
Now combine the SSL certificate, private key, and intermediates into a single PEM file:
cat domain.pem private.key intermediates.pem > combined.pem
Step #4 Convert PEM to PFX
Finally, convert this PEM file into PKCS #12 PFX format with the password:
openssl pkcs12 -export -out domain.pfx -inkey private.key -in combined.pem -password 'pass:your password'
That’s it! You now have a PFX file called domain.pfx containing the certificate, key, and intermediates encrypted with the set password. Note that combined.pem still holds the unencrypted private key, so delete it once the PFX is created, and that a password given as pass:... on the command line is visible in shell history and process listings; passing it with -passout file:path (a file readable only by you) avoids that.
This PFX can be securely transferred and imported into your servers or devices. The password is required to import the PFX file.
Where is PFX Used? Common Use Cases
Some common scenarios where PFX certificates are used:
- Import SSL Cert on IIS: The PFX file makes it easy to install SSL certificates on IIS servers. Double-click the PFX and import it using the Certificate Import Wizard.
- Set up HTTPS on Azure: Azure App Services and Azure Load Balancers allow importing a PFX to enable HTTPS traffic for your apps and websites.
- Configure Appliances: Many network appliances and hardware devices, such as load balancers and firewalls, can import a PFX to install the SSL certificate and private key.
- Mobile Apps: Mobile app bundles and REST APIs often use a PFX to store client certificates and keys for secure communication with the backend.
- Browsers/OS: The certificate and keys from a PFX can be imported into operating systems like Windows, macOS, iOS, and Android, as well as browsers like Chrome and Firefox.
- Code Signing: Developers can distribute code signing certificates and keys through PFX so that others can verify signed binaries and software.
- Client Authentication: The client certificate in a PFX can enable two-way SSL authentication and identity verification without sharing raw keys.
- Backup: As PFX bundles all certificate components in one file, it can act as a backup mechanism to restore certificates if the original files are lost.
How Can I Create a PFX without a Private Key?
PFX files are designed to store private keys. However, in certain cases, you may need to create a PFX with just the public certificate and intermediates without the private key.
For example, to distribute a code signing certificate to others without sharing a private key.
Here are the steps to export a certificate-only PFX file using OpenSSL:
- Combine certificate and intermediates into PEM
cat domain.pem intermediate.pem > combined.pem
- Export as PFX specifying no private key
openssl pkcs12 -export -out domain-nokey.pfx -in combined.pem -nokeys
This will create a PFX file containing only certificates without the private key. When importing this PFX, the system will warn that no private key is present.
Such certificate-only PFX can be used to distribute trusted certificates. However, operations like decryption/signing cannot be performed without the private key.
How Can I Extract the Certificate and Key from PFX?
PFX files can be decrypted to extract the original certificate and private key components. This is useful when you need to transfer these artifacts individually.
On Windows, double-click the PFX and select the option to export certificates and keys. On Linux/Mac, use OpenSSL:
- Decrypt the PFX file
openssl pkcs12 -in domain.pfx -out decrypted.pem -nodes
- Extract the end-entity certificate (-clcerts selects the certificate that belongs to the private key, not the intermediates)
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
- Extract the private key
openssl rsa -in decrypted.pem -out domain.key
You now have the certificate as domain.crt and the private key as domain.key extracted from the PFX file. Because -nodes writes the key unencrypted, keep decrypted.pem and domain.key on disk only as long as you need them and restrict their permissions.
How Can I Create a PFX from PEM Files?
If you have the certificate and private key separately available as PEM files, they can be easily converted into a PFX format.
For example, if you have:
- domain.crt: Contains the SSL certificate
- private.key: Contains the corresponding private key
- intermediate.pem: Bundled intermediate certs
You can create a PFX from these files using:
openssl pkcs12 -export -out domain.pfx -inkey private.key -in domain.crt -certfile intermediate.pem
When prompted, set an export password to encrypt the PFX file.
This will bundle the certificates and keys from the PEM files into a PFX container encrypted with the password.
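The following script is an added example, not code from the original article, that runs the OpenSSL steps from this page end to end: it builds a PFX from a private key, a leaf certificate and an intermediate (Steps 1–4 and the "from PEM files" variant above), exports a certificate-only copy with -nokeys, extracts the certificate and key again, and verifies that the extracted key really belongs to the certificate. It assumes the openssl command-line tool (1.1.x or 3.x) is on PATH. The CA name "Example Test CA", the host name example.test, the password and every file name are constructed for the demo; a throwaway self-signed CA stands in for the issuing intermediate, and all files are written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds, inspects, exports
# and unpacks a PFX with the openssl CLI (assumed to be on PATH).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSFILE="$WORK/pfx-pass.txt"

# Constructed inputs: a throwaway CA standing in for the issuing intermediate,
# plus a private key and CSR for example.test that the CA signs. In real use
# private.key comes from your CSR step, domain.pem and intermediates.pem from the CA.
make_test_chain() {
    umask 077   # key material and the password file are created mode 0600
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/intermediates.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$WORK/private.key" -out "$WORK/domain.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/domain.csr" -CA "$WORK/intermediates.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/domain.pem" >/dev/null 2>&1
    # Constructed export password. It is read from a 0600 file via file:, so it
    # never appears in `ps` output or shell history the way pass:... does.
    printf '%s\n' 'correct horse battery staple' > "$PASSFILE"
}

# Step 4 / "from PEM files": leaf cert via -in, key via -inkey, chain via -certfile.
build_pfx() {
    openssl pkcs12 -export -out "$WORK/domain.pfx" -inkey "$WORK/private.key" \
        -in "$WORK/domain.pem" -certfile "$WORK/intermediates.pem" \
        -passout "file:$PASSFILE"
}

# Certificate-only PFX (-nokeys), e.g. to hand out a signing certificate's chain.
build_certonly_pfx() {
    cat "$WORK/domain.pem" "$WORK/intermediates.pem" > "$WORK/combined.pem"
    openssl pkcs12 -export -nokeys -out "$WORK/domain-nokey.pfx" \
        -in "$WORK/combined.pem" -passout "file:$PASSFILE"
}

# Number of certificates stored in a PFX (leaf + intermediate = 2 here).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$PASSFILE" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys stored in a PFX (1 for domain.pfx, 0 for the -nokeys one).
pfx_key_count() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "file:$PASSFILE" 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# "Extract the certificate and key": -clcerts picks the end-entity certificate
# (the one carrying the key's localKeyID), -nocerts -nodes writes the key unencrypted.
extract_from_pfx() {
    openssl pkcs12 -in "$WORK/domain.pfx" -clcerts -nokeys -passin "file:$PASSFILE" \
        2>/dev/null | openssl x509 -out "$WORK/extracted.crt"
    openssl pkcs12 -in "$WORK/domain.pfx" -nocerts -nodes -passin "file:$PASSFILE" \
        2>/dev/null | openssl pkey -out "$WORK/extracted.key"
}

# Pre-deployment check: the public key derived from the extracted private key
# must equal the public key embedded in the extracted certificate.
extracted_key_matches_cert() {
    key_pub=$(openssl pkey -in "$WORK/extracted.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$WORK/extracted.crt" -pubkey -noout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then echo yes; else echo no; fi
}

make_test_chain
build_pfx
build_certonly_pfx
extract_from_pfx
echo "domain.pfx: $(pfx_cert_count "$WORK/domain.pfx") certs, $(pfx_key_count "$WORK/domain.pfx") key(s)"
echo "domain-nokey.pfx: $(pfx_cert_count "$WORK/domain-nokey.pfx") certs, $(pfx_key_count "$WORK/domain-nokey.pfx") key(s)"
echo "extracted key matches certificate: $(extracted_key_matches_cert)"
```

Two design choices differ from the article's literal commands: the intermediates go in through -certfile rather than being concatenated into the same file as the private key, so no unencrypted copy of the key is left lying around, and the export password is supplied through -passout file: instead of pass:. The final public-key comparison is the check to run before deploying any PFX you did not build yourself, since a bundle whose key and certificate do not match will import cleanly and then fail the TLS handshake.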
What is the Difference Between PFX and PKCS7?
PFX and PKCS7 are related standards used for transferring certificates:
- PFX uses the PKCS #12 standard to bundle certificates and keys in an encrypted archive that can be transferred securely. PFX contains private keys.
- PKCS7 defines a format for signing and encrypting messages. A PKCS7 file (.p7b) contains only certificates and chains without any private key.
Some key differences:
- Private Key: PFX contains the private key, but PKCS7 does not.
- Encryption: PFX is encrypted, but PKCS7 is plaintext.
- Usage: PFX is used to transfer certificates securely. PKCS7 is used to sign messages and documents.
- Support: PFX has wider support across devices and browsers. PKCS7 is recognized only on some.
Final Thoughts
PFX files provide an efficient and portable way to bundle SSL certificates with their private keys and chain of trust. The encrypted format allows secure transfer of sensitive certificate artifacts between different servers, devices, and operating systems. While mainly used on Windows, PFX offers wider interoperability than just CRT or PEM files.
With the help of utilities like OpenSSL, creating and managing PFX files is straightforward. The bundled nature and encryption features of the PKCS #12 standard make PFX one of the most useful certificate formats for establishing HTTPS and SSL across platforms. For website security and encrypted communications, understanding PFX certificates is key.
Frequently Asked Questions
What password does a PFX file use?
A PFX file is encrypted using a password. When exporting the PFX, you can specify any password to encrypt it. This same password will be required later when importing the PFX.
Can I use PFX on Mac and Linux?
Yes, PFX files can be imported on Mac, Linux, and Windows. Platforms like macOS, iOS, and Android include utilities for importing/exporting PFX files.
Is PFX the same as PKCS12?
PFX and PKCS12 refer to the same certificate format. PFX is generally used on Windows, while PKCS12 is the formal name as per the cryptography standard.
How do I create a PFX from multiple PEM files?
You can combine the key, cert, and intermediates from individual PEM files into one PFX using the OpenSSL command outlined above in the “How to Create a PFX” section.
Can I remove the private key from a PFX?
There is no direct way to remove the private key from an existing PFX file. You will first have to export the certificates without a key into a new PFX, as shown earlier.
What is a CER file, and how does it compare to PFX?
CER files contain only the certificate (no private key). Windows can open them directly, but unlike PFX, a CER file cannot bundle intermediates and is not encrypted.
Do all CAs provide PFX when issuing SSL certificates?
Most major CAs allow you to generate a PFX certificate when issuing a paid SSL certificate. The PFX contains the issued domain certificate and chained intermediates.
But you still need to manually bundle your private key into the PFX for full import onto web servers and devices.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.