Create a .pfx/.p12 Certificate File Using OpenSSL

How to create a .pfx/.p12 certificate from the command line using OpenSSL.

Note: This article does not apply to SSL.com code signing and document signing certificates. These types of certificates cannot be generated as .pfx files and their private keys cannot be exported. SSL.com code signing and document signing certificates and their private keys can only be generated and stored in the eSigner cloud signing environment, a Yubikey device, or a supported Cloud HSM.

In cryptography, the PKCS#12 or PFX format is a binary format often used to store all elements of the chain of trust, such as the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.

Requirements

  • The original private key used for the certificate
  • A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) File
  • OpenSSL (included with Linux/Unix and macOS, and easily installed on Windows with Cygwin)

The commands below demonstrate examples of how to create a .pfx/.p12 file in the command line using OpenSSL:

PEM (.pem, .crt, .cer) to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs12 – the file utility for PKCS#12 files in OpenSSL
  • -export -out certificate.pfx – export and save the PFX file as certificate.pfx
  • -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
  • -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
  • -certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.
After entering the command, you will be prompted to enter and verify an export password to protect the PFX file. Remember this password! You will need it when you wish to export the certificates and key.
If you are creating a PFX to install on Azure Web Apps, or another service requiring a PFX file for SSL/TLS installation, it is recommended to include a full chain of trust in your PFX. You can do this by downloading the Apache download link from your SSL.com account, and including both your website certificate and the file named ca-bundle-client.crt in your PFX file. For example:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile ca-bundle-client.crt

Apache download link

PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs7 – the file utility for PKCS#7 files in OpenSSL
  • -print_certs -in certificate.p7b – prints out any certificates or CRLs contained in the file.
  • -out certificate.crt – output the file as certificate.crt
Note: You can also use OpenSSL to extract the certificates and private key from a PKCS#12/PFX file.

 

Video

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.

For more helpful how-tos and the latest cybersecurity news, subscribe to SSL.com’s newsletter here: 

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.