I've written a small console application to make an HTTP call to a server using a client certificate. The code I've written reads the .cer file from the specified location to make the request:

  using System;
  using System.Net;
  using System.Security.Cryptography.X509Certificates;

  // Load the certificate from the .cer file on disk (certificate and public key only)
  X509Certificate Cert = X509Certificate.CreateFromCertFile("JohnDoe.cer");
  HttpWebRequest Request = (HttpWebRequest)WebRequest.Create("https://10.135.12.166:4434");
  // Offer it as the client certificate for the TLS handshake
  Request.ClientCertificates.Add(Cert);
  Request.UserAgent = "Client Cert Sample";
  Request.Method = "GET";
  HttpWebResponse Response = (HttpWebResponse)Request.GetResponse();

However, this code doesn't work unless you have the certificate installed in the personal folder of the current user inside the certificate manager. More specifically, it only works when I have the .pfx certificate installed, not the .cer.

As per my understanding, the client cert is only used for authentication and not encryption, right? So,

  1. Why do we need a certificate to be installed? Why can't my program just pick the .cer file up from the location and send it with the request? And,

  2. Again, more specifically, why do we need the .pfx certificate installed? Why doesn't .cer do the job?

GrowinMan

1 Answer

The .cer file contains the certificate. The certificate contains the public key. Identification with certificates involves a cryptographic operation to show that you are in possession of the secret private key matching the public key in the (public) certificate. This private key is contained in the .pfx file.

Steffen Ullrich
  • "involves a cryptographic operation to show" any chance you could elaborate a little on that? I was of the opinion that identification involves matching the .cer that the server obtains with one of the .cer's that it has with it. – GrowinMan Aug 12 '14 at 16:44
  • The secret private key is used to create a digital signature over data of the SSL handshake, which can then be verified by the server using the public key contained in the certificate. See also http://security.stackexchange.com/questions/24577/client-certificate-in-ssl-handshake-insecure – Steffen Ullrich Aug 12 '14 at 18:33
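The proof-of-possession step described in the answer and its comment, as an added example that is not part of the original question or answer. It is written in Go rather than C# because the step is a property of the TLS handshake, not of .NET: the client signs a hash of the handshake transcript with the private key (the part only the .pfx holds), and the server verifies that signature with the public key it extracts from the certificate it received (the .cer content). The function names, the constructed transcript string and the use of PKCS#1 v1.5 over SHA-256 are this example's own simplifications; real TLS 1.3 signs with RSA-PSS over a fixed context string plus the transcript hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeIdentity generates a fresh RSA key pair and a self-signed certificate
// for it. The returned DER bytes are what a .cer file holds (certificate and
// public key only); the *rsa.PrivateKey is the part that only a .pfx carries.
func makeIdentity(cn string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// signHandshake is the client's CertificateVerify step in miniature: hash the
// handshake transcript seen so far and sign the digest with the private key.
// (Simplification: PKCS#1 v1.5 instead of the RSA-PSS and context prefix that
// TLS 1.3 actually uses.)
func signHandshake(key *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyHandshake is the server side. It only ever receives the certificate
// (the .cer content), extracts the public key from it and checks that the
// signature over the transcript was produced by the matching private key.
func verifyHandshake(certDER, transcript, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(transcript)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// proveClientIdentity runs the exchange once with the genuine private key and
// once with an impostor who holds JohnDoe's .cer but a different private key.
// It reports whether the server accepted each attempt.
func proveClientIdentity() (genuineOK bool, impostorOK bool, err error) {
	certDER, johnKey, err := makeIdentity("JohnDoe")
	if err != nil {
		return false, false, err
	}
	// Constructed stand-in for the handshake messages exchanged so far.
	transcript := []byte("ClientHello|ServerHello|Certificate|CertificateRequest")

	sig, err := signHandshake(johnKey, transcript)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyHandshake(certDER, transcript, sig) == nil

	// The impostor can read JohnDoe.cer, but cannot sign with JohnDoe's key.
	_, malloryKey, err := makeIdentity("Mallory")
	if err != nil {
		return false, false, err
	}
	forged, err := signHandshake(malloryKey, transcript)
	if err != nil {
		return false, false, err
	}
	impostorOK = verifyHandshake(certDER, transcript, forged) == nil
	return genuineOK, impostorOK, nil
}

func main() {
	ok, forged, err := proveClientIdentity()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine client accepted: %v, impostor with .cer only accepted: %v\n", ok, forged)
}
```

This is why the .cer alone cannot satisfy the server: the client library needs something it can call to sign the transcript, and a certificate file gives it only the public half. Installing the .pfx (or loading it directly with a password) is what supplies the private key that the signature step consumes.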