How do I download a PFX file?

Jun 2, 2019 David Mizell How-To

What is a PFX file?

PFX fileWe are often asked how to download a PFX file.  A PFX file, also known as PKCS #12 , is a single, password protected certificate archive that contains the entire certificate chain plus the matching private key.  Essentially it is everything that any server will need to import a certificate and private key from a single file.

CAs cannot supply you with a PFX File (... or at least they shouldn't)

Private keys should be just that, private, and they are not sent to Certificate Authorities (CAs) when you order SSL certificates. When you buy an SSL certificate, you provide a Certificate Signing Request (CSR), and nothing else.  A CSR is a description of the private key which the CA then uses to generate and sign a matching public key (the server certificate).  

Your web server freely distributes the public key (your SSL server certificate) to your site visitors.  The public key is used by the browser to determine that the certificate is trusted. The visitor’s browser then uses the public key to encrypt the data its sends to your server.  The private key is used to decrypt the data by your server. For this reason you should never share your private key with anyone outside your organization as it truly is the “key to the kingdom”.

How do I create my own PFX file?

Once your SSL certificate has been approved, issued and installed on your server, the server certificate (public key) and the private key are joined to work together. At this point you can export the public key, the private key, and the CA chain into a single PFX file which can then be imported into other servers that support PFX files.

PFX for Windows Servers

Window servers have a utility through the MMC that allows you to export an installed SSL server certificate along with its corresponding private key to a PFX file.  

PKCS #12  for Linux Servers

For Linux based servers you can use OpenSSL to manage certificates and keys including creating various file bundles including PKCS #12 archives.

openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile  cacert.cer

For other types of servers the instructions will vary depending on the type of server you are using. Please consult your server documentation or let us know if you need further help by letting us know the server software or device, including the version, that you have installed your certificate on and want to create the PFX file.