Create a PKCS#12 / PFX file with OpenSSL

For some reason I get this question a lot:

For my Linux webserver I have an SSL/TLS certificate from a CA and my private key. But I also want to use it on a Windows Server. How do I create a PFX file so I can easily import the certificate?

The easiest way to do this is to use OpenSSL on your web server, but there are also OpenSSL binaries available for Windows.

What do you need to generate a PKCS#12 / PFX file?

  • The certificate for your domain
  • The private key that corresponds to this certificate
  • The intermediate certificates of the CA

In my example I have 3 files.

sebastian@research:~/Certificates/pfx$ ls
service-ca.pem service-cer.pem service-key.pem
  • service-ca.pem = the intermediate certificate from the CA
  • service-cer.pem = the certificate for my domain
  • service-key.pem = the private key

With the following command you can create the PFX file:

openssl pkcs12 -export -out service.pfx -inkey service-key.pem -in service-cer.pem -certfile service-ca.pem

OpenSSL will ask you to set an export password, which protects the private key inside the file. Remember this password: you will need it again when importing the PFX. After entering it twice, you are finished.

sebastian@research:~/Certificates/pfx$ openssl pkcs12 -export -out service.pfx -inkey service-key.pem -in service-cer.pem -certfile service-ca.pem
Enter Export Password:
Verifying - Enter Export Password:

To check a PKCS#12 or PFX file, you can run this command:

openssl pkcs12 -info -in service.pfx

It asks for the export password you set, and then for a PEM pass phrase (entered twice) to protect the private key it prints back out. Once you have entered these, all the information is shown.

sebastian@research:~/Certificates/pfx$ openssl pkcs12 -info -in service.pfx
Enter Import Password:
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 8F 00 8A 50 4B 27 4B 1A 21 A1 13 7E 4E FA 56 87 78 E4 00 91
subject=/CN=service.xxxx.nl
issuer=/C=NL/O=Trust Provider B.V./OU=Domain Validated SSL/CN=Trust Provider B.V. TLS RSA CA G1
-----BEGIN CERTIFICATE-----
MIIGFTCCBP2gAwIBAgIQB25+xctodWXWr4G8Z2kJMTANBgkqhkiG9w0BAQsFADB2
9zBYYlxcH6tAaG0P8Swbs/UQd1uiEjofZWJaS5TL0QhabNn4LUfJOABHkwqv6dJc
LWXfeo5a6LslgkjsX/wDCBteAbFFneyOaA==
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=/C=NL/O=Trust Provider B.V./OU=Domain Validated SSL/CN=Trust Provider B.V. TLS RSA CA G1
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
-----BEGIN CERTIFICATE-----
MIIEsjCCA5qgAwIBAgIQDsQR7fAC9zA2xOXULz408jANBgkqhkiG9w0BAQsFADBh
8iyF7aYLP9rUBg+UEJ0s55VrTPKUDYyuAKXyODwgmtuYiZMDrQPcwGfRO1GDghIT
3dI21ici
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 8F 00 8A 50 FB 27 F8 1A 21 A1 13 7E 5E FA 56 87 78 E4 00 91
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIk+eDqk520VICAggA
X1YZEYnnhTp0abOi6/ART1dh4x1KRPT5DjbUVyLdH4vwnFl1gTiWMwROzOrkERXU
icsavzmZ3xRDX02OvYG/EQ==
-----END ENCRYPTED PRIVATE KEY-----

Some information has been changed in this example, but on your own machine you can see that it works.
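As an added example (not part of the original post), the following script builds a throwaway CA, leaf key and certificate, bundles them into a PFX with the same export command used above, and checks the result without typing passwords interactively. The file names match the post; the subject names and the export password are constructed values, and the helper functions make_pfx, pfx_key_matches_cert, pfx_cert_count and pfx_opens_with are mine, not OpenSSL's.

```shell
#!/bin/sh
# Added example (not from the original post): builds a throwaway CA, leaf
# key and certificate, bundles them into a PFX with the same command the
# post uses, and checks the result without typing passwords interactively.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test material standing in for the three files in the post.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem \
  -out service-ca.pem -subj "/CN=Example Test CA" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout service-key.pem \
  -out service.csr -subj "/CN=service.example.test" 2>/dev/null
openssl x509 -req -in service.csr -CA service-ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out service-cer.pem -days 1 2>/dev/null

# The post's export command; -passout supplies the export password so the
# step can be scripted (PASS below is a constructed value).
make_pfx() {  # key cert chain out password
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -passout "pass:$5"
}

# Pull the leaf certificate and the key back out and compare public keys:
# a PFX whose key does not belong to its certificate imports but never works.
pfx_key_matches_cert() {  # pfx password
  cert_pub="$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" \
    | openssl x509 -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" \
    | openssl pkey -pubout | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates bundled (leaf plus intermediates from -certfile).
pfx_cert_count() {  # pfx password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# The export password protects the bundled private key and the file's MAC:
# opening the PFX with the wrong password must fail.
pfx_opens_with() {  # pfx password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

PASS='constructed-export-password'
make_pfx service-key.pem service-cer.pem service-ca.pem service.pfx "$PASS"
pfx_key_matches_cert service.pfx "$PASS" && echo "key matches certificate"
echo "certificates in bundle: $(pfx_cert_count service.pfx "$PASS")"
pfx_opens_with service.pfx wrong-password || echo "wrong password rejected"
```

On OpenSSL 3 the bundle is written with AES-256 and a SHA-256 MAC rather than the SHA-1, RC2 and 3DES algorithms shown in the -info output above; if an older Windows version refuses to import it, add -legacy to the export command to get those older algorithms back.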