Generate a PFX/P12 File for Azure with Windows

How to create a PFX/P12 file with private key and complete chain of trust in Windows for import into Azure.

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Note: This article does not apply to SSL.com code signing and document signing certificates. The private keys of these types of certificates cannot be exported and they cannot be generated as .pfx files. SSL.com code signing and document signing certificates and their private keys can only be generated and stored in the eSigner cloud signing environment, a Yubikey device, or a supported Cloud HSM.

Time needed: 30 minutes

This tutorial will show you how to generate a PFX/P12 file with Windows and IIS for uploading an SSL/TLS certificate along with it’s private key and complete chain of trust. A PFX file of this type is helpful when installing a website certificate in Azure Web Apps.

  1. Generate private key and CSR.

    Generate a new private key and CSR by following the steps in Generate a Certificate Signing Request (CSR) in Windows IIS 10.
    Create Certificate Request

  2. Open the CSR in a text editor.

    Open your new CSR in a text editor for submission to SSL.com.
    CSR in Notepad

  3. Order or re-process a certificate in your SSL.com account.


    • If you are ordering a new certificate, follow the instructions in Ordering and Retrieving SSL/TLS Certificates. In step 11, copy and paste your CSR into the CSR field.

    • If you are reprocessing an existing certificate order, follow the instructions in Reprocess a Certificate. In step 3, do not check use previous csr. Copy and paste your new CSR into the CSR field.

    Add CSR for reprocessing

  4. Download Apache package.

    When the certificate is issued, choose the Apache download link from your certificate order. Unzip the file after downloading.

    Apache download link

  5. Install website certificate.

    Double-click the certificate with your website’s domain name. Click the Open button to dismiss the security warning if it appears. When the Certificate window appears, Click the Install Certificate button. In the Certificate Import Wizard, select the Local Machine store location, then Automatically select the certificate store based on the type of certificate.

    Install certificate

  6. Install CA bundle.

    Repeat step 5 with the file named ca-bundle-client.crt.
    CA bundle

  7. Launch Microsoft Management Console (MMC).

    Launch MMC (you can locate this program by typing “mmc” in your Windows search bar).

    Open MMC

  8. Add Certificates snap-in.

    Select File > Add/Remove Snap-in… from the menu, then select the Certificates snap-in and click the Add button.

    Add certificates snap-in

  9. Select Computer account.

    Select the Computer account, then click the Next button.

    Select computer account

  10. Select Local computer.

    Select Local computer, then click the Finish button. Click OK to dismiss the Add or Remove Snap-ins window.
    Select local computer

  11. Open certificates.

    Double-click Certificates (Local Computer).

    Certificates (Local Computer)

  12. Open Personal folder.

    Double-click the Personal folder to open it.
    Personal folder

  13. Open Certificates.

    Double-click the Certificates folder to open it.

    Certificates folder

  14. Locate your certificate.

    Locate your website’s certificate in the list. If there are multiple certificates with the same domain name, double-click them and check the validity dates for the most recently issued one.

    Locate certificate

  15. Begin certificate export.

    Right-click the certificate and select All Tasks > Export.

    All Tasks > Export

  16. Click Next.

    The Certificate Export Wizard will open. Click the Next button.

    Certificate Export Wizard

  17. Export private key.

    Select Yes, export the private key, then click the Next button.

    Yes, export the private key

  18. Select PFX options.

    Check Include all certificates in the certification path if possible and Export all extended properties. You can also check Enable certificate privacy if you want the certificates in your PFX file to be encrypted. (The private key will be encrypted in either case.) When you are finished setting the options, click the Next button.

    Set PFX options

  19. Create a PFX password.

    Check the Password button, create and confirm a password for your PFX file, then click the Next button.

    Create PFX password

  20. Create a filename.

    Create a filename ending with .pfx for your PFX file, then click the Next button.

    Create PFX filename

  21. Finish up.

    Click the Finish button, then OK to close the pop-up message that the export was successful. You can also close MMC at this point.
    Click Finish button

  22. Done!

    You should now have a PFX file with a complete chain of trust and private key for installation on Azure Web Apps (or any other hosting service requiring a PFX file for certificate installation).
    PFX file

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.