Requesting SSL and Generation of PFX file in OpenSSL Simple Steps

Requesting SSL License and Generation of PFX file in OpenSSL in a few Simple Steps
I had some real issues when doing this the first time, mainly where I kept importing the crt file I received and it would disappear from IIS 7!
We will try and cover as many bases as possible...

Create a Certificate Request

Some providers can generate this for you, but you can also do this yourself.
I have done this with 123-Reg, but not any other providers yet. Other providers' screenshots would be welcome!

In the example below, I have created a wildcard SSL for Claytabase and also used the folder My Documents. If you are not creating a wildcard then replace the * with www (or similar).

IIS

[Screenshots: IIS_Screenshot_1.png to IIS_Screenshot_6.png]

Getting a Certificate

You will at some point receive an email from the vendor; this is where it may get a bit confusing.

I only have an account with 123-reg. If you could send some details of what is provided by other companies, please do!

123-Reg

-----BEGIN CERTIFICATE-----

Vendor certificate text...

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Your certificate text...

-----END CERTIFICATE-----

You should have two certificates. When I did them through 123-reg, the files need to be copied out of the email and into two new text files. If using Notepad, make sure you use UTF-8 encoding.

Save them in the folder you created for the key.

You now need to open both with Crypto Shell Extensions; double-clicking them should open it.

Use the Details tab, and then Copy to File.

The type is Base-64 encoded X.509 (.cer)

Save one as *.{domainname}.{domain}.cer

And the other as rootca.cer

Spare for other providers

Get OpenSSL

Install OpenSSL; you can get it from OpenSSL.

Install this to its default location.

You will need the following files:

  • {subdomain}.{domainname}.{domain}.cer
  • rootca.cer
  • {subdomain}.{domainname}.{domain}.key

Open cmd.exe

You will need to change your directory to the bin folder

cd /d C:\openssl-win32\bin

I ran into a problem with the default location. To change this, run the following (thanks to Oneiroi). It will do no harm if you run this anyway!

set OPENSSL_CONF=C:\openssl-win32\bin\openssl.cfg

I was also struggling to find the right commands in a simple example; thanks to Elgwhoppo for this.

With a Key

openssl pkcs12 -export -out {subdomain}.{domainname}.{domain}.pfx -inkey {subdomain}.{domainname}.{domain}.key -in {subdomain}.{domainname}.{domain}.cer -certfile rootca.cer

You will then be prompted for some passwords. These are as follows:

  • Pass Phrase, this is the password you created in the beginning
  • Enter Export Password, this will be a password to import the .pfx file
  • Verifying – Enter Export Password, confirm your new password

You will now have a new .pfx file in the bin directory.
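
As an added example (not part of the original post), the batch file below wraps the export with two checks: that the key and the certificate carry the same public key, and that the finished .pfx can be read back. The name www.example.com and the temporary files cert_pub.pem and key_pub.pem are placeholders; it assumes the three input files are in the current folder and that openssl runs from there.

```bat
@echo off
rem Added example (not from the original post): sanity checks around the export.
rem NAME is a placeholder; set it to your own {subdomain}.{domainname}.{domain}.
setlocal
set NAME=www.example.com

rem 1. The certificate and the key must carry the same public key.
rem    The key step prompts for the pass phrase if the key is encrypted.
openssl x509 -in "%NAME%.cer" -noout -pubkey > cert_pub.pem || goto :fail
openssl pkey -in "%NAME%.key" -pubout -out key_pub.pem || goto :fail
fc cert_pub.pem key_pub.pem > nul
if errorlevel 1 (
    echo Key and certificate do NOT match; do not export.
    goto :fail
)
echo Key matches certificate.

rem 2. Show who issued your certificate and who the vendor file belongs to,
rem    so you can confirm by eye that rootca.cer is the right one.
openssl x509 -in "%NAME%.cer" -noout -issuer
openssl x509 -in rootca.cer -noout -subject

rem 3. Build the PFX (same command as above, typed with plain ASCII hyphens).
openssl pkcs12 -export -out "%NAME%.pfx" -inkey "%NAME%.key" -in "%NAME%.cer" -certfile rootca.cer || goto :fail

rem 4. Read the PFX back without printing keys or certificates.
rem    Prompts for the export password and lists what is inside.
openssl pkcs12 -in "%NAME%.pfx" -info -noout || goto :fail

del cert_pub.pem key_pub.pem
echo %NAME%.pfx created and readable.
exit /b 0

:fail
del cert_pub.pem key_pub.pem 2>nul
exit /b 1
```

The .pfx and the .key both contain the private key, so remove any copies you no longer need once the import has succeeded.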

If you come across any situations that are different then please let me know!