GlobalSign Blog

PKCS#12 (.pfx file): A Simpler Way to Create a Digital Certificate

PKCS#12 (.pfx file): A Simpler Way to Create a Digital Certificate

Editor's Note: As of 2024, this article has been reviewed and updated in accordance with the latest standards/conventions for PKCS#12.

A PKCS#12 or .pfx file is a file which contains both private key and X.509 certificate, ready to be installed by the customer into servers such as IIS, Apache Tomcat or Exchange. Certificate Signing Request (CSR) generation remains one of the consistent problem areas faced by customers wishing to secure their server. PKCS#12 removes the need for the customer to create their own CSR. Instead, a Certificate Authority securely creates the CSR on behalf of the customer during the certificate application process.

The Journey of a .pfx File

PKCS#12 files can be generated for Domain Validated SSL/TLS (DV) and Organization Validated SSL (OV) Certificates. Extended Validation Certificates SSL/TLS (EV) must go through the manual certificate signing request generation as the vetting process will not allow for automated CSR. When delivering Digital Certificates and private keys to Document Signing Certificate or Code Signing Certificate orders (except for Java) .pfx file delivery is the default. Here's what you need to know about the process from application to installation.

Application

During the application process, instead of asking you to generate your own CSR, you are promoted to a password for your PKCS#12 file. This password is concatenated with a GlobalSign system generated password to provide a long and strong password, which is needed to decrypt and install the PKCS#12 once delivered. We then delete the PKCS#12 from our system after 30 days, for security. You are also asked for the DN (Distinguished Name) information needed to issue the certificate. For the two types of certificates available, the DN requirements are:

Domain Validated SSL/TLS: the certificate common name (the domain where the certificate will be used) and country.

Organization Validated SSL/TLS: the certificate common name (the domain name where the certificate will be used), organization name, department, state and country.

Vetting

Vetting is identical to standard applications and dependent on the certificate type.

Domain Validated SSL/TLS:

GlobalSign sends an approval email to the owner of the domain name referenced in the application. The domain owner / controller must approve the application. We also support DNS and meta-tag Domain Validation methods.

Organization Validated SSL/TLS:

GlobalSign validates company ownership via third-party databases and the applicant's right to use the domain referenced in the application. 

Certificate Delivery

The issued certificate is delivered in a PKCS#12 file containing both private key and certificate. The PKCS#12 is made available to partners through GlobalSign's Certificate Center (GCC) or through our API. End customers can then install their PKCS#12 file using instructions from the GlobalSign Support Center.

How to Install a PKCS#12 or .pfx File

Instructions vary depending on your system and browser. You can find our installation guides in the list below.

GlobalSign Installation Guides

We offer several installation guides from our support website to help you download and install your PKCS#12 file with ease. If you have any problems don't hesitate to contact our support team.

Is a PKCS#12 File Secure?

Often, we are asked about the level of security when generating a CSR for our customers. As we generate the private key ourselves, we must be extra careful to ensure it remains secure. To do this GlobalSign follows strict procedures and guidelines. The key pair is generated using random numbers depending on several factors. FIPS 140 Level 3 cryptographic hardware is utilized to generate your key pair and certificate request. Lastly, to secure the .pfx file in transit, GlobalSign uses a high protection password up to 50 characters in length, our system appends another eight random characters. 

It is also worth noting that GlobalSign never stores the private keys of our customers on our own servers. Once your private key is sent, you then have complete access.

A PKCS#12 or .pfx file is a simpler way to create a Digital Certificate. It can save time and eliminate difficulty in generating your own CSR if you are less certain on how to do this. While generation of a .pfx file is not available for all Digital Certificates it does cover a range of solutions.

If you are looking to purchase a Digital Certificate with GlobalSign by generating a PKCS#12 file, then get in touch with us today or purchase your certificate through our website.

Share this Post

Recent Blogs