The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate
certificates, and the private key in a single encryptable file. PFX files are usually found with the
extensions .pfx and .p12. PFX files are typically used on Windows and macOS machines to import and
export certificates and private keys.
To create a PFX file you will need:
- The original private key used for the certificate
- A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) file
- OpenSSL (included with Linux/Unix and macOS, and easily installed on Windows with Cygwin or Windows Subsystem for Linux)
The command below shows how to create a .pfx/.p12 file on the command line:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Breaking down the command:
- openssl – the command for executing OpenSSL
- pkcs12 – the file utility for PKCS#12 files in OpenSSL
- -export -out certificate.pfx – export and save the PFX file as certificate.pfx
- -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate
- -in certificate.crt – use certificate.crt as the certificate the private key will be combined with
- -certfile more.crt – optional; use this if you have any additional certificates you would like to include in the PFX file
- Older versions of Windows Server will not recognize the password you set for your .pfx file, even if you do not set a password. To fix this, include the -legacy option in your command.
Note: After entering the command, you will be prompted to enter and verify an export
password to protect the PFX file. Remember this password! You will need it when you wish
to export the certificates and key.
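A scripted version of the export above, as an added example that is not part of the original page: it refuses to build the PFX unless the private key and certificate hold the same public key, reads the export password from an environment variable instead of prompting, and reads the finished file back to confirm the password works. The function names, the PFX_PASS variable and the demo file names are assumptions, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and PFX_PASS are assumptions.

# Print the public key (PEM) held by a private key file or by a certificate
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert KEY CERT: succeed only if both contain the same public key
key_matches_cert() {
    k=$(pubkey_of_key "$1") && c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pfx KEY CERT OUT [CHAIN]: same export as the command above, non-interactive.
# Run "export PFX_PASS=..." first; env: keeps the password off the command line.
make_pfx() {
    key=$1 cert=$2 out=$3 chain=${4:-}
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
    (
        umask 077   # the PFX contains the private key: create it owner-only
        if [ -n "$chain" ]; then
            openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
                -certfile "$chain" -passout env:PFX_PASS
        else
            openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
                -passout env:PFX_PASS
        fi
    ) || return 1
    # Read the file back: checks the MAC and password without printing key or certs
    openssl pkcs12 -in "$out" -noout -passin env:PFX_PASS 2>/dev/null
}

# demo_pair PREFIX: constructed throwaway key and self-signed certificate for a trial run
demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
```

To try it: `demo_pair /tmp/demo`, then `export PFX_PASS=...` and `make_pfx /tmp/demo.key /tmp/demo.crt /tmp/demo.pfx`.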