A PFX file is a certificate in PKCS#12 format. It contains the SSL certificate (public key) and the corresponding private key.
Most Certificate Authorities do not issue certificates together with the private key. They issue and share the certificates in .cer, .crt, and .p7b formats, which in most cases do not contain the private key.
But sometimes our application needs the certificate in .pfx format.
Now we have a .cer certificate in hand but need a .pfx certificate to deploy, and we can’t convert the .cer certificate to .pfx without the private key.
This problem has confused many people and can delay the certificate deployment or renewal process. This topic explains how to convert a .pfx file to .crt and .key files.
What is a PFX file
The certificate is, nominally, a container for the public key. It includes the public key, the server name, some extra information about the server, and a signature computed by a certification authority (CA). When the server sends its public key to a client, it actually sends its certificate, with a few other certificates (the certificate which contains the public key of the CA which signed its certificate, and the certificate for the CA which signed the CA’s certificate, and so on). Certificates are intrinsically public objects.
A .pfx file is a PKCS#12 archive: a bag that can contain many objects with optional password protection; usually, though, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.
Security of the PFX file
The PFX file is always password protected because it contains a private key. When creating a PFX, choose the password carefully: it is what protects the private key, and therefore the certificate, from misuse.
An attacker would be pleased if the password to a stolen PFX file were “12345”: they could start using the certificate immediately.
How to create a single .pfx file with OpenSSL
OpenSSL is a cryptographic toolkit (a library and a command-line program) available on practically any Unix-like operating system. If we have a Linux server or work on Linux, OpenSSL is almost certainly available from the distribution’s repository.
In OpenSSL, a separately stored certificate (with its CA chain) and private key can be combined into a single PFX (PKCS#12) file. To join the existing files into a PFX:
- openssl pkcs12 -export -in linux_cert+ca.pem -inkey privatekey.key -out output.pfx
When we enter an export password to protect the archive, the output.pfx file will be created in the current directory.
How to extract the private key from the pfx file
Run the following command to extract the private key:
- openssl pkcs12 -in output.pfx -nocerts -out private.key
We will be prompted for the import password. Type the password that we used to protect the keypair when we created the .pfx file.
We will then be prompted for a new password to protect the .key file being created. Store the password for this key file in a secure place to avoid misuse.
Run the following command to extract the certificate:
- openssl pkcs12 -in output.pfx -clcerts -nokeys -out certificate.crt
Run the following command to decrypt the private key:
- openssl rsa -in private.key -out decrypted.key
Type the password that we created to protect the private key file in the previous step.
Now we have both the private key and the certificate.
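The create-and-extract flow above as one unattended script, added here as an example (not from the original article): it builds a throwaway self-signed certificate and key, bundles them into output.pfx, extracts and decrypts the key and certificate with the same commands, and then checks that the certificate’s public key matches the private key before anything is deployed. The file names, passwords and the self-signed certificate are constructed for the demo; the passwords are passed with -passin/-passout instead of the interactive prompts.

```shell
# Round-trip a certificate and key through a PFX with OpenSSL, then check that
# the extracted key and certificate belong together. Names, passwords and the
# self-signed certificate are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS='constructed-export-pass'   # password protecting the archive
KEY_PASS='constructed-key-pass'      # passphrase for the extracted private.key

# A throwaway self-signed certificate and key stand in for the CA-issued
# certificate and the locally generated private key.
make_demo_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$WORK/privatekey.key" -out "$WORK/linux_cert+ca.pem" 2>/dev/null
}

# The page's export command, with the password passed via -passout so the
# script runs unattended.
build_pfx() {
  openssl pkcs12 -export -in "$WORK/linux_cert+ca.pem" \
    -inkey "$WORK/privatekey.key" -out "$WORK/output.pfx" -passout "pass:$PFX_PASS"
}

# Extract the re-encrypted key and the certificate, then decrypt the key.
extract_from_pfx() {
  openssl pkcs12 -in "$WORK/output.pfx" -nocerts -out "$WORK/private.key" \
    -passin "pass:$PFX_PASS" -passout "pass:$KEY_PASS"
  openssl pkcs12 -in "$WORK/output.pfx" -clcerts -nokeys \
    -out "$WORK/certificate.crt" -passin "pass:$PFX_PASS"
  openssl rsa -in "$WORK/private.key" -out "$WORK/decrypted.key" \
    -passin "pass:$KEY_PASS" 2>/dev/null
}

# Does the archive open with this password? The PKCS#12 MAC check fails otherwise.
pfx_opens_with() {
  openssl pkcs12 -in "$WORK/output.pfx" -nokeys -noout -passin "pass:$1" 2>/dev/null
}

# The check to run before deploying: the public key in the certificate must
# equal the public key derived from the decrypted private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/certificate.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/decrypted.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Whole flow; exit status 0 means every step succeeded and the pair matches.
pfx_roundtrip() {
  make_demo_material && build_pfx && extract_from_pfx && key_matches_cert
}
```

Run it with sh and call pfx_roundtrip; a non-zero exit means a step failed or the key and certificate do not belong together, which is exactly the case to catch before a deployment.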
Summary:
A PFX file is a certificate in PKCS#12 format. PKCS#12 is a standard for a container that can hold an X.509 client certificate and the corresponding private key, as well as (optionally) the X.509 certificates of the CAs that signed the client certificate(s).