PFX file for you server

  • 391
Time to read article: 3 min

We are frequently asked how to obtain a PFX file.

A PFX file, also known as PKCS #12, is a single, password-protected certificate archive containing the entire certificate chain as well as the corresponding private key. It's basically everything a server needs to import a certificate and private key from a single file.

How can I create PFX file?
The server certificate (public key) and the private key are joined to work together once your SSL certificate has been approved, issued, and installed on your server. You can now export the public key, private key, and CA chain into a single PFX file, which can then be imported into other servers that support PFX files.

Creating PFX on Windows (server with IIS)

Create a PFX from an existing certificate

From a Windows operating system, an existing certificate can be exported from the certificate store as a PFX file using the MMC. You can also choose to do this on a Windows server if IIS stores them in the certificate store. The IIS Web Server allows you to export an existing certificate to PFX directly from the server certificate store. The private key and CSR are created during the creation of a CSR request in IIS and the certificate is reimported when issued (both steps can be found in the video guide ). Exporting is very simple - right-click on the certificate and select Export. After you choose a password to protect the PFX file, it is saved to disk.

Export SSL certificate from IIS

Import a new certificate and create a PFX

Unfortunately, this is not possible. The Windows certificate store does not allow you to import a separate private key from a file, so in MMC you do not merge keys to PFX as in OpenSSL. You can only import PFX into an IIS web server, so what is in the previous case. If you need to import a new certificate into Windows Server and there is no private key on the server (you did not create a CSR request on the server), you can follow these steps:

  • Create PFX elsewhere (OpenSSL or otherwise) and then import the certificate using PFX
  • Create a new CSR request on the server and perform a reissue of the certificate.
Reissue means that the certificate will be reissued free of charge and you can import it to an existing private key. You can do this yourself in customer administration.

Create a PFX using a third-party application

You can create a .pfx file from separate keys in a graphics program to bypass the need to use OpenSSL in the terminal. The best program for this purpose is opensource XCA. In this intuitive program, you can manage all your certificates and keys. The main advantage is the automatic matching of the corresponding keys to each other; you do not have to look for which private key belongs to which certificate. Importing keys is easy and you can export to all known formats.

XCA program for managing encryption keys