Create a .pfx/.p12 Certificate File Using OpenSSL

Create a .pfx/.p12 Certificate File Using OpenSSL

In cryptography, the PKCS#12 or PFX format is a binary format often used to store all elements of the chain of trust, such as the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.

Requirements

• The original private key used for the certificate
• A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) File
• OpenSSL (included with Linux/Unix and macOS, and easily installed on Windows with Cygwin)

 

The commands below demonstrate examples of how to create a .pfx/.p12 file in the command line using OpenSSL:

PEM (.pem, .crt, .cer) to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

• openssl – the command for executing OpenSSL
• pkcs12 – the file utility for PKCS#12 files in OpenSSL
• -export -out certificate.pfx – export and save the PFX file as certificate.pfx
• -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
• -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
• -certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.

After entering the command, you will be prompted to enter and verify an export password to protect the PFX file. Remember this password! You will need it when you wish to export the certificates and key.

If you are creating a PFX to install on Azure Web Apps, or another service requiring a PFX file for SSL/TLS installation, it is recommended to include a full chain of trust in your PFX. You can do this by downloading the Apache download link from your SSL.com account, and including both your website certificate and the file named ca-bundle-client.crt in your PFX file. For example:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile ca-bundle-client.crt

Difference between .pfx and .cert certificates

What is the difference between .pfx and .cert certificate files?

Do we distribute .pfx or .cert for client authentication?

回答1

There are two objects: the private key, which is what the server owns, keeps secret, and uses to receive new SSL connections; and the public key which is mathematically linked to the private key, and made "public": it is sent to every client as part of the initial steps of the connection.

The certificate is, nominally, a container for the public key. It includes the public key, the server name, some extra information about the server, and a signature computed by a certification authority (CA). When the server sends its public key to a client, it actually sends its certificate, with a few other certificates (the certificate which contains the public key of the CA which signed its certificate, and the certificate for the CA which signed the CA's certificate, and so on). Certificates are intrinsically public objects.

Some people use the term "certificate" to designate both the certificate and the private key; this is a common source of confusion. I personally stick to the strict definition for which the certificate is the signed container for the public key only.

A .pfx file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.

On the other hand, a .cert (or .cer or .crt) file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate).

评论：

Certificates are public data; everybody has them. But client authentication is about having the client do something that only that client can do; so the client must know something which is not public, and that's the private key. Thus, the client must have a private key along with its certificate; if the key was generated out of the client browser, then the expected setup is to import it into the client along with the certificate. Therefore, a .pfx file.

– Thomas Pornin

Jan 21 '13 at 13:26

 

 

回答2

I know this is a year-old thread, but for future readers, as mentioned above, no you do not distribute the .pfx file because that is the file containing the private key. You can extract and distribute the certificate (which is public) from the .pfx file via the method described here: https://stackoverflow.com/questions/403174/convert-pfx-to-cer

PKCS #12

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file.

It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.