GlobalSign Blog

PKCS#12 (.pfx file): A Simpler Way to Create a Digital Certificate


Editor's Note: As of 2024, this article has recently been reviewed and updated in accordance with the latest standards/conventions for PKCS#12.

A PKCS#12 or .pfx file is a file that contains both a private key and an X.509 certificate, ready to be installed by the customer into servers such as IIS, Apache Tomcat or Exchange. Certificate Signing Request (CSR) generation remains one of the consistent problem areas faced by customers wishing to secure their servers. PKCS#12 removes the need for the customer to create their own CSR. Instead, a Certificate Authority securely creates the CSR on behalf of the customer during the certificate application process.

The Journey of a .pfx File

PKCS#12 files can be generated for Domain Validated SSL/TLS (DV) and Organization Validated SSL/TLS (OV) Certificates. Extended Validation SSL/TLS (EV) Certificates must go through manual certificate signing request generation, as the vetting process does not allow for an automated CSR. For Document Signing Certificate and Code Signing Certificate orders (except for Java), .pfx file delivery is the default way of delivering the Digital Certificate and private key. Here's what you need to know about the process from application to installation.

Application

During the application process, instead of being asked to generate your own CSR, you are prompted for a password for your PKCS#12 file. This password is concatenated with a GlobalSign system-generated password to provide a long and strong password, which is needed to decrypt and install the PKCS#12 once delivered. We delete the PKCS#12 from our system after 30 days, for security. You are also asked for the DN (Distinguished Name) information needed to issue the certificate. For the two types of certificates available, the DN requirements are:

Domain Validated SSL/TLS: the certificate common name (the domain where the certificate will be used) and country.

Organization Validated SSL/TLS: the certificate common name (the domain name where the certificate will be used), organization name, department, state and country.

Vetting

Vetting is identical to standard applications and dependent on the certificate type.

Domain Validated SSL/TLS:

GlobalSign sends an approval email to the owner of the domain name referenced in the application. The domain owner / controller must approve the application. We also support DNS and meta-tag Domain Validation methods.

Organization Validated SSL/TLS:

GlobalSign validates the company ownership via third party databases and also validates the right for the applicant to use the domain referenced in the application.

Certificate Delivery

The issued certificate is delivered in a PKCS#12 file containing both private key and certificate. The PKCS#12 is made available to partners through GlobalSign's Certificate Center (GCC) or through our API. End customers can then install their PKCS#12 file using instructions from the GlobalSign Support Center.
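
Before installing a delivered file, it is worth confirming that the password opens it, that the private key belongs to the certificate, and that the common name is the one applied for. The shell functions below are an added example, not GlobalSign's own tooling; they assume the OpenSSL command-line tool is installed, and `make_sample_pfx`, `check_pfx`, the `PFX_PASS` variable and the `www.example.test` subject are names made up for the illustration.

```shell
#!/bin/sh
# Added example: check a delivered .pfx before installing it.
# The password is read from the PFX_PASS environment variable so it
# does not appear in the process list or shell history.

# Constructed sample: a throwaway self-signed .pfx standing in for a
# delivered file (subject and password are made up for the demo).
make_sample_pfx() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/CN=www.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

_check() {  # $1 = .pfx path, $2 = expected common name, $3 = scratch dir
    # 1. The password opens the file and its integrity MAC verifies.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout </dev/null 2>/dev/null ||
        { echo "cannot open file: wrong password or corrupt .pfx"; return 1; }
    # 2. Extract the certificate, and only the public half of the key,
    #    so the decrypted private key never touches the disk.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$3/cert.pem" || return 1
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout -outform DER -out "$3/key_pub.der" || return 1
    openssl x509 -in "$3/cert.pem" -noout -pubkey |
        openssl pkey -pubin -outform DER -out "$3/cert_pub.der" || return 1
    # 3. The private key must belong to the certificate.
    cmp -s "$3/key_pub.der" "$3/cert_pub.der" ||
        { echo "private key does not match certificate"; return 1; }
    # 4. The common name is the one applied for, and the cert is in date.
    cn=$(openssl x509 -in "$3/cert.pem" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$2" ] || { echo "unexpected common name: $cn"; return 1; }
    openssl x509 -in "$3/cert.pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 1; }
    echo "ok: key matches certificate for $cn"
}

# Usage: export PFX_PASS=...; check_pfx delivered.pfx www.example.com
check_pfx() {
    tmp=$(mktemp -d) || return 1
    _check "$1" "$2" "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The comparison is done on the DER-encoded public keys rather than on printed text, so an empty or failed extraction cannot pass as a match.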

How to Install a PKCS#12 or .pfx File

Instructions vary depending on your system and browser. You can find our installation guides in the list below.

GlobalSign Installation Guides

We offer a number of installation guides on our support website to help you download and install your PKCS#12 file with ease. If you have any problems, don't hesitate to contact our support team.

Is a PKCS#12 File Secure?

Often, we are asked about the level of security when generating a CSR for our customers. As we generate the private key ourselves, we have to be extra careful in order to make sure it remains secure. To do this, GlobalSign follows strict procedures and guidelines. The key pair is generated using random numbers depending on a number of factors. FIPS 140 Level 3 cryptographic hardware is utilized to generate your key pair and certificate request. Lastly, to secure the .pfx file in transit, GlobalSign uses a high-protection password of up to 50 characters in length, to which our system appends another eight random characters.

It is also worth noting that GlobalSign never stores the private keys of our customers on our own servers. Once your private key is sent, you then have complete access.

A PKCS#12 or .pfx file is a simpler way to create a Digital Certificate. It can save time and eliminate the difficulty of generating your own CSR if you are less certain of how to do this. While generation of a .pfx file is not available for all Digital Certificates, it does cover a range of solutions.

If you are looking to purchase a Digital Certificate with GlobalSign by generating a PKCS#12 file then get in touch with us today or purchase your certificate through our website.
