6

When provided, I have to import into IIS on Windows Server (2008 R2) using either a .pfx or .cer to get SSL certs ready for use.

My question is, is should I delete these files after I have successfully imported the certificate into the certificate store? I thought I was told this is important as you don't want anyone to get those files and be able to use the cert or import maliciously. I understand I can always have the power to export the cert if I need to transport it, but wondered if I should be deleting those files off the server once imported?

atconway
  • 162
  • 1
  • 9

2 Answers2

6

An SSL certificate has two parts; a public key and a private key.

.CER files contain nothing secret. It's the public key that the web server sends to every client connecting to the SSL enabled site. There's no reason to delete it from a security standpoint. In fact, you probably want to have it backed up in case the server dies and need to re-use it on whatever is replacing it.

However, the .CER file is not useful without its matching private key. Windows generates a private key automatically when you create a certificate request. Your .PFX file definitely contains a copy of the .CER. But it may or may not contain a copy of the private key. It entirely depends on who generated it and how.

If the PFX file does contain the private key, then yes. Lock that bad boy away off site and delete the copy from the server. Someone with that file could potentially use it to impersonate your site.

If the PFX file does not contain the private key, it's no more useful than the raw CER file. And if possible, you probably want to export a new PFX file that does contain the private key for DR/backup purposes (assuming the certificate allows private key export).

Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
  • *"However, the .CER file is not useful without its matching private key. Windows generates a private key automatically when you create a certificate request."* Do you know where it places this generated .pfx from the .cer when I create the certificate request? – atconway May 13 '13 at 19:46
  • 2
    It's not actually generating a file with the private key when you create a request. It stores the raw private key data in a protected section of the registry. I'm not exactly sure where, but it's not intended to be accessed directly. – Ryan Bolger May 13 '13 at 19:49
  • That makes sense, I just wanted to know if it was physically creating a .pkx file once importing the .cer. – atconway May 13 '13 at 19:51
4

One idea is to back them up to a USB thumb drive and put them in a safe.

It is true that if the certificate includes the private key, then you do not want to let it fall into the wrong hands. Once you import the certificate into your store, you don't need to keep the PFX or CER file hanging around. But it's a good idea to have a backup of the certificate somewhere, in case you need to rebuild the server or website.

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199