Howto create a PFX File

3 Aug

In this topic I hope to give a little information about certificates, PFX files and how to export them into other formats. A lot of applications require a certificate in some format (encrypted or not) to encrypt their data stream. In this topic I’m going to cover how to create a PFX file. A PFX file is an encrypted file that contains both your public and your private key, and is password protected. I’m not going to cover how PKI works, but just click this link or use Google and you’ll find all the information you need.

Step 1: Generating your Certificate Signing Request (CSR)

This step will be familiar to most IT people: how to generate a CSR that you can use to request a certificate from a (non-)commercial Certificate Authority. For those of you who don’t know, what I’ll always do (and believe is the easiest way) is just to use plain old IIS.

The first step is to determine the Common Name for your certificate. For instance when you’re going to use it for your Access Gateway, and you want to connect to it with then your Common Name in this case will be: . It’s very important to get the Common Name right, else you’ll get certificate errors. Now log on to your IIS server and open the IIS admin tool.

  • Create a new website. Just give it a name (common name is good) and leave all the settings default
  • When you created your website, just stop it. You don’t need to use it. You only need it for your certificates
  • Open up the properties of the website and click the Directory Security tab.
  • On that tab you’ll find a button called Server Certificates, click it
  • Now we’re in business, this is where you create your CSR.
    • In the welcome screen click next
    • Click next in the prepare the request…… screen
    • Name the certificate after your Common Name, click next
    • Now you need to fill in an Organization and an Organizational Unit. Your company’s security department probably has a policy about that. And if not, just fill in what you think needs to be there.
    • After that you (finally) need to fill in your Common Name. Triple check it before you click next. Everything you mess up here will give certificate errors later when you receive the cert (note: you cannot order commercial certificates on .local addresses)
    • Next fill in your country code, province/state and city/locality
    • Click next to save your file and finish to close the wizard.
    • Now you can use the contents of the file to request a certificate with a CA.

Do’s and Don’ts when you created a CSR

So this is for the people that like to click things and show things to other people after they figured something out (like me).

  • Do NOT create another CSR on the same website. You’ll overwrite the private key that’s generated and your certificate will be useless
  • Do NOT delete the website you created. Same story, the private key will be gone.
  • Do NOT uninstall IIS or redeploy your server etc. etc.
  • Maybe the best idea, don’t touch it until you received your certificate 😉

Importing your certificate

After probably a long wait you receive your certificate. Now you’re ready to import it. To do this open up your IIS server again. Again click the properties of your website and open up the Server Certificates wizard.

  • Now choose Process the pending request and click next
  • Browse to your certificate (probably a .csr or .crt file) and select it
  • Click next until you reach finish and you’re done.

Exporting your private key and public key in a .pfx file

Now this is what this document is all about. If you did everything right in the steps above you now have a website that contains both the private key and the public key. Now let’s export them into a .pfx

  • Again follow all the steps above to get to the Server Certificates wizard
  • Now choose Export the certificate to a .pfx file and click next.
  • Make up a nice and strong password to protect your keypair and click next – of course do not lose it.
  • Click finish to save your .pfx file.
  • Save your .pfx file to a safe location.

Now you’re done. You exported and saved your keypair and can do all the stuff in the do’s and don’ts section of this article. But, if for some reason the export to .pfx option is greyed out, then you messed up. Sorry mate. You’re probably importing this certificate on the wrong website, or you messed something else up with the private key. Or somebody else messed up. In all cases, your private key isn’t on this website anymore. You need to recreate your CSR and send it to your CA again to get another certificate. You’ll probably get a new one for free if you do this within the first month.

Using OpenSSL to generate a .pem file

Well this isn’t really the place to cover OpenSSL. However I’m going to share the two commands you will probably use most. If you have applications or appliances that need a different private key format than a .pfx file, they will probably accept a .pem file. Use the following commands to get the private key out of your .pfx file and convert it into .pem format

openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

This command will create an unencrypted .pem file. In other words your private key is unencrypted, and not protected with a password anymore.

openssl pkcs12 -in c:\certs\yourcert.pfx -nocerts -out c:\certs\cag.pem

This command will ask for your .pfx password and then will encrypt your .pem file as well. It’s a good choice to assign the same password to your .pfx file and .pem file, because some applications require both files if you enable SSL and only give you one field to put in a passphrase. In that case the passphrase needs to be the same for both the .pfx file and the .pem file.
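The two commands above run end to end, as an added example that is not part of the original post: it builds a throwaway self-signed certificate and a PKCS#12 file (constructed stand-ins for the IIS-exported .pfx and its password), converts it with and without -nodes, and then checks whether the resulting private key is actually encrypted and still matches the certificate. It assumes a POSIX shell with the openssl command in the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): export a .pfx to PEM twice,
# once with -nodes (clear-text key) and once with the key encrypted, and verify.
set -eu

WORK=$(mktemp -d)
PFX="$WORK/yourcert.pfx"      # stand-in for c:\certs\yourcert.pfx
PFX_PASS="ChangeMe-pfx"       # constructed sample password, not a real one

# Throwaway self-signed key pair wrapped in a PKCS#12 file so the script runs
# offline; in real use you start from the .pfx exported by IIS.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days 1 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
  -out "$PFX" -passout "pass:$PFX_PASS"

# Variant 1: the -nodes command from the post. Certificate and key end up
# in one file and the key is stored in clear text.
pfx_to_plain_pem() {
  openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$PFX_PASS"
}

# Variant 2: key only, encrypted with its own passphrase (kept identical to
# the .pfx password, as the post recommends for single-passphrase appliances).
pfx_to_encrypted_key() {
  openssl pkcs12 -in "$1" -nocerts -out "$2" \
    -passin "pass:$PFX_PASS" -passout "pass:$PFX_PASS"
}

# Prints "encrypted" or "plain" based on the PEM header of the private key,
# a quick way to confirm a key file is protected before handing it to an appliance.
key_protection() {
  if grep -q "ENCRYPTED PRIVATE KEY" "$1"; then echo encrypted; else echo plain; fi
}

# Confirms the PEM private key belongs to the certificate by comparing
# SHA-256 digests of the public keys derived from each.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$PFX_PASS" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

pfx_to_plain_pem "$PFX" "$WORK/cag-plain.pem"
pfx_to_encrypted_key "$PFX" "$WORK/cag-enc.pem"
echo "cag-plain.pem key: $(key_protection "$WORK/cag-plain.pem")"
echo "cag-enc.pem key:   $(key_protection "$WORK/cag-enc.pem")"
```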

If you need more information about OpenSSL then check this blog

OpenSSL for Windows can be downloaded here
