
What is the difference between .pfx and .cert certificate files?

Do we distribute .pfx or .cert for client authentication?

Xsecure123
Also [\[1\]](http://security.stackexchange.com/q/29425/2379), [\[2\]](http://stackoverflow.com/q/2292495/632951), [\[3\]](http://stackoverflow.com/q/22788384/632951) – Pacerier Nov 19 '16 at 22:09

4 Answers


There are two objects: the private key, which is what the server owns, keeps secret, and uses to receive new SSL connections; and the public key which is mathematically linked to the private key, and made "public": it is sent to every client as part of the initial steps of the connection.

The certificate is, nominally, a container for the public key. It includes the public key, the server name, some extra information about the server, and a signature computed by a certification authority (CA). When the server sends its public key to a client, it actually sends its certificate, with a few other certificates (in a chain: the certificate which contains the public key of the CA which signed its certificate, and the certificate for the CA which signed the CA's certificate, and so on). Certificates are intrinsically public objects.

Some people use the term "certificate" to designate both the certificate and the private key; this is a common source of confusion. I personally stick to the strict definition for which the certificate is the signed container for the public key only.

A .pfx file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.

On the other hand, a .cert (or .cer or .crt) file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate).

Thomas Pornin
While doing client authentication, we require an SSL client certificate to be installed on the client browser. Is this the .pfx file or the .cert file? – Xsecure123 Jan 21 '13 at 12:31

Certificates are public data; _everybody_ has them. But client authentication is about having the client do something that only _that_ client can do; so the client must know something which is not public, and that's the private key. Thus, the client must have a private key along with its certificate; if the key was generated out of the client browser, then the expected setup is to import it into the client along with the certificate. Therefore, a .pfx file. – Thomas Pornin Jan 21 '13 at 13:26

I have got a .pfx file from the IIS server where my certificate is installed. Is this the .pfx file which should be distributed? Since the CA provided a .cert file including keys, which was installed on the server. – Xsecure123 Jan 22 '13 at 11:13

@Xsecure123 no; there are two scenarios here -- and Thomas was answering for client auth only (where each client has its own private certificate to prove their own identity). -- It sounds like you're doing something else -- it sounds like you're using a self-signed certificate in IIS, and the clients don't trust it. -- In that case, you should give the clients a .cer file from the server. -- because the clients only need the public key to trust the server. -- If they also have the private key, then they can impersonate the server, or decrypt its traffic, and that's not something you want. – BrainSlugs83 Jan 26 '18 at 20:43

@BrainSlugs83: What do you mean by private cert? Thomas mentioned that certificates are public data. Can you please elaborate? – Farhan Shirgill Ansari May 05 '20 at 16:14

I know this is a year-old thread, but for future readers, as mentioned above, no you do not distribute the .pfx file because that is the file containing the private key. You can extract and distribute the certificate (which is public) from the .pfx file via the method described here: https://stackoverflow.com/questions/403174/convert-pfx-to-cer

tavnab
Where should you store the pfx file securely on the server? Obviously you wouldn't want another application using your PFX file, but I don't think I'd want to store it with my application either. Would you just import it into the machine cert manager and access it programmatically? – Matt Aug 02 '16 at 04:56

@Matt private key management is a whole topic in itself. Some relevant answers may be found [here](http://stackoverflow.com/a/1584586/3149036) and [here](http://security.stackexchange.com/a/51776/36591) (the latter's not strictly relevant to PFX files, but still novel). The PFX file itself doesn't need to be stored on your server (i.e. if you're using IIS7, you'd import the PFX; if not, you'd extract the cert & private key from the PFX into their own files). – tavnab Aug 04 '16 at 18:51

> What is the difference between .pfx and .cert certificate files?

The answer that @Thomas Pornin gave is pretty good.

> Do we distribute .pfx or .cert for client authentication?

That depends on the process used.

The typical process for setting up an external client to authenticate using a certificate is as follows:

  1. the client generates an asymmetric key pair (public and private keys);
  2. the client generates a certificate signing request for the public key and sends this to the server;
  3. the server signs the public key and returns this signature (the "certificate") to the client;
  4. the client stores the private key along with this certificate in its keystore. Now when the client connects to the server, the certificate is presented and the client is authenticated.

In the above scenario, a ".cert" is sent back to the client.

Internally, many organizations will perform this process for their employees. In this situation, the following occurs: the IT staff generates the public and private key pair for an employee along with the certificate signing request. They then sign the public key (using their private certificate authority) and place the resulting certificate, along with the corresponding private key and all intermediate CA certificates (the "certificate chain"), in the user's keystore.

In this scenario, a ".pfx" (or ".pem") would be appropriate as it would contain all items needed for client authentication: the private key, the certificate, and the certificate chain.

Search for "Certificate Auto-Enrollment" for a way to automate this process for your enterprise users and devices.

GLRoman
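The four enrollment steps above, followed by tavnab's advice to hand out only the certificate extracted from the .pfx, carried out with the openssl CLI. This is an added example, not code from the thread; the subject names, the temporary directory and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): runs the enrollment steps with the
# openssl CLI, then extracts only the public certificate from the resulting .pfx.
# Subject names and the password are constructed for this demo.
set -e

WORK=$(mktemp -d)
PASS="pass:constructed-demo-password"   # constructed; never hard-code a real one

# Steps 1-2 (client side): generate the key pair and a certificate signing request.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Step 3 (CA side): a throwaway private CA signs the CSR; the output is the certificate.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# Step 4: private key + certificate + chain become one PKCS#12 (.pfx). This file stays
# with the client that owns the key; it is what gets imported into the browser.
bundle_pfx() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout "$PASS" -out "$WORK/client.pfx"
}

# The shareable artifact: the certificate only (-nokeys), re-emitted as a bare .cer.
extract_public_cer() {
  openssl pkcs12 -in "$WORK/client.pfx" -passin "$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$WORK/client.cer"
}

# How many private keys each file carries: expect 1 for the .pfx and 0 for the .cer.
private_keys_in_pfx() {
  openssl pkcs12 -in "$WORK/client.pfx" -passin "$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c "BEGIN.*PRIVATE KEY" || true
}
private_keys_in_cer() { grep -c "BEGIN.*PRIVATE KEY" "$WORK/client.cer" || true; }

# The bare .cer still chains to the CA, so relying parties can trust it without the key.
verify_cer_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.cer" >/dev/null 2>&1
}

make_client_csr && sign_with_test_ca && bundle_pfx && extract_public_cer
echo "private keys in pfx: $(private_keys_in_pfx), in cer: $(private_keys_in_cer)"
```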

Seems to me that the .pfx PKCS#12 archive file is more like a standard keystore file (similar to cacerts file), in that it can hold multiple keys linked in a chain.

I use a program called "Keystore Explorer" to open this type of archive, and to inspect and export the cert I want and/or convert it to other formats.

djangofan