why do we need the pfx (key exchange) file?

Question

Hello everyone,

If we make the private key exportable (using -pe option in makecert), then in theory we have both an exportable private key and the public key (public key in certificate) -- which can be transferred or imported to another machine.

So, my question is, why do we still need to create the .pfx file (key exchange file, which contains private and public keys) -- making the private key exportable in certificate could do anything we want? Any scenarios pfx file could cover which making private key exportable in certificate could not achieve?

thanks in advance, George

Answer 1

Your pfx file can be password protected, that would add a layer of protection

Answer 2

Is there a makecert command line you have found that will generate a certificate file that includes a private key? I never have. I have seen someone allude to the fact that there is a version of makecert that can produce .pfx files but also have never seen that.

That means at the very best you can create TWO files with makecert if you want a private key file. One for the certificate and one for the private key. You can copy both those files to another computer and import them using makecert.

The advantage of the .pfx certificate format is that you can combine the two files with the certificate and private key into one. This is more convenient and also means you can use the file with the .Net X509Certificate2 class for use with an SslStream.

Answer 3

To point out what Sébastien already mentioned:
Your PFX file can be password protected.
That adds ANOTHER layer of security.

The key can be encrypted with a password, right. but for most server applications this is not suitable because a keys password must be entered via keyboard each time it gets "used". (each time you restart your server, restart the server application, ..)

If you export your key+certificate in a password encrypted PFX and you copy that file to your USB stick and it gets stolen, you are safe. well, i dont know how strong the PFX encryption methods are, but at least not just anybody can use it.
in some companies, the stolen key+certificate could cost you a lot of reputation if not your job.. a situation which could have been easily avoided by encrypting key+certificate in a PFX container.

Another bonus is that you can import that keypair with an easy double-click (and a password) and start using it in IIS.

Answer 4

The problem is, the X509 Certificate standard (the certificate) does not include the private key. The certificate contains the subject public key info (aka, the public key) and information about the holder of the private key, but the standard does not support including the private key. This is the basic idea of PKI - the certificate is the public info you share with the world, the private key is something you hold very securely.

Making a private key exportable in any mechanism (for example, makecert), means you are telling that product that the key can be exported. It doesn't specify the file format that you would use to store it. A pfx file is one way of storing the private key - it uses the PKCS 12 standard. Java Key Stores (*.jks) are another way to do the same thing. Most commerically supported standards have similar common features - they protect the private key by encrypting it. The encryption can be unlocked using a password. They couple the private key with the certificate that decribes it.

Answer 5

If you want to build a PFX file, you should have both x509 cert public key and private key file which you can generate using makecert command. PFX can be generated using PVk2PFX command which you can find Microsoft SDK installation directiory.