PFX file

Create PFX/PKCS12 archive file

Plugin type Store
Download Built-in
Compatibility All platforms

Description

Exports a PKCS12 archive (on Windows often called a PFX archive) including the certificate, its private key and the chain, and places it in a folder of your choice. By default the file name will be the common name of the certificate (i.e. the primary host name), but this may be overruled.

Command line

--store pfxfile Activates the plugin
‑‑pfxfilepath Path to write the .pfx file to.
‑‑pfxfilename Prefix to use for the .pfx file, defaults to the common name.
‑‑pfxpassword Password to set for .pfx file exported to the folder.

You may pass the secret in plain text, but can also use a reference to the secret vault like "vault://json/mysecret".

Examples

Typical --store pfxfile [‑‑pfxpassword *****] [‑‑pfxfilepath C:\Certificates\] [‑‑pfxfilename mycert]

Settings

Store.PfxFile.DefaultPath When using the PfxFile plugin this path is used by default, saving you the effort of providing it manually. Filling this out makes the ‑‑pfxfilepath parameter unnecessary in most cases. Renewals created with the default path will automatically change to any future default value, meaning this is also a good practice for maintainability.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined
Store.PfxFile.DefaultPassword When using the PfxFile plugin this password is used by default for the .pfx files, saving you the effort of providing it manually. Filling this out makes the ‑‑pfxpassword parameter unnecessary in most cases. Renewals created with the default password will automatically change to any future default value, meaning this is also a good practice for maintainability.

You don't have to store a literal password here, but may also place a reference to the secret vault like "vault://json/mysecret".

Type: string
Default: undefined
Store.PfxFile.DefaultProtectionMode Determines how the .pfx file will be encrypted.

A .pfx file (also known as a PKCS12 archive) may contain the sensitive private key. As a security measure, this can be password protected, but there is more than one algorithm to do so. RC2-40 is an older method, compatible with all versions of Windows, but generally considered unsafe and for that reason unsupported by OpenSSL 3.x. AES-256 is the current best practice, but it only works on Windows 10+ and Windows Server 2019+. simple-acme provides the following settings to offer the best combination of compatibility and security:

Value      Meaning
"default"  Use RC2-40 on Windows 8 and Windows Server 2016 or below, use AES-256 for Linux and more recent versions of Windows.
"aes256"   Always use AES-256.
"legacy"   Always use RC2-40.
Empty      Equivalent to "legacy" for backwards compatibility.

Type: string
Default: "default"
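The protection mode is not visible from the file name, so a practitioner usually wants a way to check which algorithm an exported .pfx actually uses before relying on it. The following script is an added example, not part of simple-acme: it creates a throwaway self-signed certificate, exports it the way the "aes256" mode does (AES-256-CBC for key and certificate bags, SHA-256 MAC), and reports "aes256", "legacy" (RC2-40) or "unknown" for a given .pfx. It assumes the openssl command-line tool is on PATH; the host name, password and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not simple-acme code): classify the PKCS12 protection mode
# of a .pfx file as "aes256", "legacy" (RC2-40) or "unknown".
# Assumes the openssl CLI is installed; all paths/passwords are constructed.

# Print the protection mode of .pfx file $1 protected with password $2.
# `openssl pkcs12 -info` prints the PBE algorithm of each encrypted bag.
# OpenSSL 3.x cannot decrypt an RC2-40 file without -legacy, but it still
# prints the algorithm name before failing, so stdout and stderr are both
# captured and a non-zero exit status is tolerated.
pfx_protection_mode() {
    info=$(openssl pkcs12 -in "$1" -info -noout -nokeys \
               -passin "pass:$2" 2>&1) || true
    if printf '%s\n' "$info" | grep -q 'RC2'; then
        echo legacy
    elif printf '%s\n' "$info" | grep -q 'AES-256-CBC'; then
        echo aes256
    else
        echo unknown
    fi
}

# Constructed input: a one-day self-signed certificate for a sample host.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=www.example.test' \
    -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1

# Export with the same parameters the "aes256" mode implies:
# AES-256-CBC for the key bag and the certificate bag, SHA-256 for the MAC.
openssl pkcs12 -export -in "$work/cert.pem" -inkey "$work/key.pem" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout 'pass:constructed-example-password' \
    -out "$work/www.example.test.pfx"

# Prints "aes256" for the file just written.
pfx_protection_mode "$work/www.example.test.pfx" constructed-example-password
```

Run the function against a .pfx written by the "default" mode on an older Windows host and it reports "legacy", which is the signal that the file will not open with a stock OpenSSL 3.x.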

JSON

ID 2a2c576f-7637-4ade-b8db-e8613b0bb33e

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.