How to Generate a PFX File for Azure App Service or Key Vault

If you're deploying a web app on Azure App Service or managing certificates in Azure Key Vault, you’ll likely need a .pfx file—a secure container for your SSL certificate, private key, and optional certificate chain.
In this guide, we’ll walk through:
✔ Verifying your certificate and private key (critical for avoiding mismatches)
✔ Creating a .pfx file using OpenSSL (with or without a chain)
✔ Uploading to Azure App Service & Key Vault (step-by-step)
✔ Troubleshooting common issues (like password-protected keys or chain errors)
Let’s get started.
Prerequisites
Before generating your .pfx, ensure you have:
✅ Certificate file (.crt or .pem) – Contains -----BEGIN CERTIFICATE-----
✅ Private key (.key or .txt) – Contains -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
✅ Optional chain file (.crt or .pem) – Contains intermediate/root certificates
✅ OpenSSL installed (Linux/macOS/WSL or Windows via Git Bash)
✅ Azure access (to upload to App Service or Key Vault)
Step 1: Verify Your Files
1. Check the Private Key
Run:
openssl rsa -in private.key -check -noout
Expected output:
RSA key ok
If you see Enter pass phrase, your key is password-protected—you’ll need it later.
2. Check the Certificate
openssl x509 -in certificate.crt -text -noout
Verify:
✔ Common Name (CN) or Subject Alternative Name (SAN) matches your domain
✔ Expiration date is valid
3. Check the Certificate Chain (Optional)
openssl x509 -in bundle.crt -text -noout
Should show multiple certificates (intermediate + root CA).
4. Verify Private Key Matches Certificate
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
Both hashes must match. If they don’t:
❌ Your private key doesn’t belong to this certificate
❌ Regenerate a CSR and request a new certificate
Step 2: Create the .pfx File
Without Certificate Chain
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.pfx -passout pass:
- -passout pass: → No password (Azure prefers this)
With Certificate Chain (Recommended)
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.pfx -passout pass: -certfile bundle.crt
- Includes intermediates for full SSL trust
If Private Key is Password-Protected
openssl pkcs12 -export -in certificate.crt -inkey private.key -passin pass:yourpassword -out certificate.pfx -passout pass:
Verify the .pfx File
openssl pkcs12 -in certificate.pfx -noout -info
Should list:
✔ Certificate
✔ Private key
✔ Chain (if included)
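The checks in Step 1 and the export in Step 2, as an added script that is not part of the original guide. It compares the SHA-256 of the public key instead of the RSA modulus, so it also works for EC keys, and after exporting it re-reads the .pfx to count the certificates inside. File names (certificate.crt, private.key, bundle.crt) follow the guide; the self-signed test material is constructed here only so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that a private key
# belongs to a certificate, then build the .pfx and confirm what went into it.
# Comparing the SHA-256 of the public key works for both RSA and EC keys; the
# "-modulus" check in Step 1 only works for RSA.
set -eu

# Succeeds (exit 0) when KEY's public key equals the public key inside CERT.
# PASS is the key passphrase, empty for an unencrypted key.
key_matches_cert() {
  cert="$1"; key="$2"; pass="${3:-}"
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Export CERT + KEY + CHAIN to OUT with an empty export password (as in Step 2),
# then re-read the bundle and print how many certificates it contains.
build_pfx() {
  cert="$1"; key="$2"; chain="$3"; out="$4"; pass="${5:-}"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -passin "pass:$pass" \
    -certfile "$chain" -out "$out" -passout pass:
  openssl pkcs12 -in "$out" -passin pass: -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Constructed, self-signed test material so the script runs offline; a real
# deployment uses the CA-issued certificate.crt, private.key and bundle.crt.
make_test_material() {
  dir="$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/private.key" -out "$dir/certificate.crt" -days 2 \
    -subj "/CN=example.test" 2>/dev/null
  # A second, unrelated self-signed cert stands in for the intermediate chain.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" \
    -out "$dir/bundle.crt" -days 2 -subj "/CN=stand-in-intermediate" 2>/dev/null
}

# Run as: sh pfx-check.sh --demo   (uses the constructed material above)
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_test_material "$d"
  key_matches_cert "$d/certificate.crt" "$d/private.key" && echo "key matches cert"
  echo "certificates in pfx: $(build_pfx "$d/certificate.crt" "$d/private.key" \
    "$d/bundle.crt" "$d/certificate.pfx")"
fi
```

With real files, call key_matches_cert certificate.crt private.key before exporting; a non-zero exit means the key does not belong to the certificate and a new CSR is needed.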
Step 3: Upload to Azure App Service
- Go to App Service → TLS/SSL settings → Private Key Certificates → Upload Certificate
- Select certificate.pfx
- Leave password blank (if using -passout pass:)
- Add SSL Binding:
  - Go to TLS/SSL bindings → Add TLS/SSL Binding
  - Select your domain
  - Choose the uploaded certificate
  - Select SNI SSL (or IP SSL if needed)
  - Save
Step 4: Upload to Azure Key Vault (Optional)
Import Certificate
az keyvault certificate import --vault-name "MyKeyVault" -n "MyCertificate" -f certificate.pfx
- No password needed (if -passout pass: was used)
Grant App Service Access
- Enable Managed Identity:
  - App Service → Identity → System assigned → On
- Grant Key Vault Permissions:
  - Key Vault → Access policies → Add
  - Select Get for Secrets and Certificates
  - Assign to your App Service identity
Reference in App Service
- App Service → TLS/SSL settings → Private Key Certificates → Import Key Vault Certificate
- Select your Key Vault and certificate
Step 5: Verify SSL
✔ Visit https://yourdomain.com
✔ Use SSL Shopper to confirm:
- Certificate validity
- Chain completeness
Troubleshooting
Issue | Solution |
---|---|
Key mismatch | Regenerate CSR and request a new certificate |
Password-protected key | Use -passin pass:yourpassword in OpenSSL |
Browser SSL warnings | Ensure chain file is included in .pfx |
App Service errors | Confirm CN/SAN matches domain |
Final Thoughts
Generating a .pfx file for Azure is straightforward with OpenSSL. Key takeaways: