Create a .pfx/.p12 Certificate File Using OpenSSL

SSL Support Team

3 years ago

SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites, including:

Note: This article does not apply to SSL.com code signing and document signing certificates. These types of certificates cannot be generated as .pfx files and their private keys cannot be exported. SSL.com code signing and document signing certificates and their private keys can only be generated and stored in the eSigner cloud signing environment, a Yubikey device, or a supported Cloud HSM.

In cryptography, the PKCS#12 or PFX format is a binary format often used to store all elements of the chain of trust, such as the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.

Requirements

The original private key used for the certificate
A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) File
OpenSSL (included with Linux/Unix and macOS, and easily installed on Windows with Cygwin)

The commands below demonstrate examples of how to create a .pfx/.p12 file in the command line using OpenSSL:

PEM (.pem, .crt, .cer) to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

openssl – the command for executing OpenSSL
pkcs12 – the file utility for PKCS#12 files in OpenSSL
-export -out certificate.pfx – export and save the PFX file as certificate.pfx
-inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
-in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
-certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.

After entering the command, you will be prompted to enter and verify an export password to protect the PFX file. Remember this password! You will need it when you wish to export the certificates and key.

If you are creating a PFX to install on Azure Web Apps, or another service requiring a PFX file for SSL/TLS installation, it is recommended to include a full chain of trust in your PFX. You can do this by downloading the Apache download link from your SSL.com account, and including both your website certificate and the file named ca-bundle-client.crt in your PFX file. For example:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile ca-bundle-client.crt

PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

Breaking down the command:

openssl – the command for executing OpenSSL
pkcs7 – the file utility for PKCS#7 files in OpenSSL
-print_certs -in certificate.p7b – prints out any certificates or CRLs contained in the file.
-out certificate.crt – output the file as certificate.crt

Note: You can also use OpenSSL to extract the certificates and private key from a PKCS#12/PFX file.

For more helpful how-tos and the latest cybersecurity news, subscribe to SSL.com’s newsletter here:

Video

https://www.youtube.com/watch?v=-i7ugO8AVN4

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.