MyCertStatus

What is a .pfx Certificate?

The all-in-one certificate bundle used on Windows, IIS, and Azure

A .pfx file (Personal Information Exchange) is a PKCS#12 archive that packages your SSL/TLS certificate, private key, and any intermediate certificates into a single, password-protected file. Instead of managing separate files, you hand over one bundle — which is exactly what Windows servers, IIS, Azure App Service, and many load balancers expect.

What's Inside a .pfx File?

A typical .pfx archive contains up to three things:

  • Your SSL/TLS certificate — the public certificate that gets sent to browsers during the TLS handshake.
  • Your private key — the secret key that proves ownership of the certificate. Because this is included, the file must be password-protected.
  • Intermediate certificates (chain) — the CA certificates that bridge the gap between your certificate and a trusted root CA, so browsers can verify the full chain of trust.

.pfx vs .p12 — What's the Difference?

Nothing meaningful. .pfx and .p12 are both PKCS#12 files — the same binary format with a different file extension. .pfx is the Microsoft/Windows naming convention, while .p12 is more common on macOS and in Java environments. You can rename one to the other and it will work — the internal format is identical.

Certificate File Formats at a Glance

SSL deployments involve several file types, each serving a distinct purpose:

Extension   | Contents                                   | Typical Use
.pfx / .p12 | Certificate + private key + chain          | Windows, IIS, Azure, load balancers
.crt / .cer | Public certificate only                    | Linux/Apache/Nginx, sharing with clients
.key        | Private key only                           | Linux/Apache/Nginx, paired with .crt
.pem        | Base64-encoded — can be cert, key, or both | Linux servers, OpenSSL tooling

When Do You Need a .pfx File?

You'll typically need a .pfx when deploying to:

  • Windows Server / IIS — the Certificate Manager and IIS import wizard both expect .pfx format.
  • Azure App Service — uploading a custom TLS binding requires a .pfx with the full chain.
  • Azure Application Gateway / Front Door — same requirement as App Service.
  • Some load balancers and CDNs — hardware appliances (F5, Citrix ADC) often accept .pfx for certificate imports.
  • Migrating certificates between servers — exporting from one server and importing to another is easiest with .pfx because it keeps everything together.

Creating a .pfx File

If your CA gave you separate .crt and .key files, you can bundle them into a .pfx using OpenSSL:

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private.key \
  -in certificate.crt \
  -certfile ca-chain.crt

You'll be prompted to set an export password — keep it safe, as it's required whenever the .pfx is imported.
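
A local check for the bundle produced above, as an added example that is not from the original page: it confirms the password opens the file, the private key matches the leaf certificate, at least one chain certificate is bundled, and the leaf is not about to expire. The function name pfx_check, the PFX_PASS environment variable and the return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example: pre-deployment sanity check for a PKCS#12 (.pfx/.p12) bundle.
# Usage: export PFX_PASS first, then: pfx_check certificate.pfx [days]
# The password is read from the PFX_PASS environment variable so it does not
# appear in the process list or on the command line.
# Return codes (this example's own convention):
#   0 ok
#   1 cannot open bundle (wrong password, corrupt file) or no leaf certificate
#   2 private key missing or does not match the leaf certificate
#   3 no intermediate/CA certificate in the bundle
#   4 leaf certificate expires within the given number of days
pfx_check() (
  pfx=$1
  days=${2:-30}

  # Leaf certificate only (-clcerts), no keys. Fails if the password is wrong.
  leaf=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null) || exit 1
  [ -n "$leaf" ] || exit 1

  # Compare the public key in the certificate with the one derived from the
  # private key. The key is only piped between processes, never written to disk.
  cert_pub=$(printf '%s\n' "$leaf" | openssl x509 -pubkey -noout 2>/dev/null) || exit 1
  key_pub=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
            openssl pkey -pubout 2>/dev/null) || exit 2
  [ "$cert_pub" = "$key_pub" ] || exit 2

  # Count the chain certificates stored alongside the leaf (-cacerts).
  chain=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -cacerts 2>/dev/null |
          grep -c 'BEGIN CERTIFICATE' || true)
  [ "${chain:-0}" -ge 1 ] || exit 3

  # -checkend exits non-zero if the certificate expires within N seconds.
  printf '%s\n' "$leaf" |
    openssl x509 -noout -checkend $((days * 86400)) >/dev/null 2>&1 || exit 4
  exit 0
)
```

A return code of 3 is the case that matters for the Azure targets listed earlier, which expect the full chain inside the .pfx.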

Security Considerations

Because a .pfx contains your private key, it deserves extra care:

  • Always set a strong export password. An unprotected .pfx file is as sensitive as an unencrypted private key.
  • Limit who has access. Treat the file like a credential — store it in a secrets manager or key vault, not in a shared drive.
  • Delete copies you no longer need. The more copies floating around, the higher the risk of compromise.
  • Revoke and replace if lost. If a .pfx file is exposed, treat the private key as compromised and reissue the certificate.

Tip: Use our free SSL certificate checker to verify that the certificate inside your .pfx is valid and hasn't expired before deploying it to your server.
