Hello S-1-1-0, PowerShell Crypto Guy still here and today we will talk about the subject. Sometimes you have to use 3rd party applications/tools for certificate request generation. Some of them uses Windows certificate store to store request and a corresponding private keys, but others generates a request file and separate file with unencrypted private key. As a common example are makecert.exe and openssl.exe tools. These applications creates a request file (mostly with .CSR or .REQ file extension) and private key file (mostly with .KEY or .PVK file extension) for UNIX-like systems compatibility. Once certificate request is signed you get a standard X.509 certificate file.

The problem occurs when you try to import this certificate to the Windows certificate store. Obviously it will be imported without private key because Certificate Import Wizard don't know anything about separate private key file. There are at least 3 tools that can join (or convert) these files to a single pkcs12/PFX file:

The following syntax is used for OpenSSL:

OpenSSL.exe pkcs12 –export –in certfile.cer –inkey certfile.key –out certfile.pfx

Also here is online (web-based) version of OpenSSL tool: https://www.sslshopper.com/ssl-converter.html

The following syntax is used for certutil:

certutil –MergePFX certfile.cer certfile.pfx

Since there is no way to specify private key file for –MergePFX parameter you must consider the following requirements:

  • Private key file MUST have .KEY extension;
  • certificate and private key files MUST have the same base file name (file name excluding extension);
  • certificate and private key file must be placed in the same directory.

The following syntax is used for pvk2pfx:

pvk2pfx –pvk certfile.pvk –spc certfile.cer –out certfile.pfx

And the last what I want to tell here. Unfortunately there are no universal tool for all cases. This really depends on an application that was used for key file generation. For example a key file created by OpenSSL is not compatible with certutil and pvk2pfx. A key created by makecert is compatible with pvk2pfx only and so on.


Share this article:


girts 14.09.2017 12:15 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

paldies, noderēja

V 30.03.2018 04:05 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Well done, good article.

Matt B
Matt B 26.08.2019 22:04 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Absoltuely brilliant, simple instructions. For Windows users certutil is the easiest way to combine two text files (a cer and private key) into a PFX.

Well done sir. Thank you.

Post your comment:

Please, solve this little equation and enter result below. Captcha