Should I delete the .pfx or .cer files after importing the SSL cert?

When provided, I have to import into IIS on Windows Server (2008 R2) using either a .pfx or .cer to get SSL certs ready for use.

My question is, should I delete these files after I have successfully imported the certificate into the certificate store? I thought I was told this is important as you don't want anyone to get those files and be able to use the cert or import maliciously. I understand I can always have the power to export the cert if I need to transport it, but wondered if I should be deleting those files off the server once imported?


An SSL certificate has two parts: a public key and a private key.

.CER files contain nothing secret. It's the public key that the web server sends to every client connecting to the SSL enabled site. There's no reason to delete it from a security standpoint. In fact, you probably want to have it backed up in case the server dies and you need to re-use it on whatever is replacing it.

However, the .CER file is not useful without its matching private key. Windows generates a private key automatically when you create a certificate request. Your .PFX file definitely contains a copy of the .CER. But it may or may not contain a copy of the private key. It entirely depends on who generated it and how.

If the PFX file does contain the private key, then yes. Lock that bad boy away off site and delete the copy from the server. Someone with that file could potentially use it to impersonate your site.

If the PFX file does not contain the private key, it's no more useful than the raw CER file. And if possible, you probably want to export a new PFX file that does contain the private key for DR/backup purposes (assuming the certificate allows private key export).
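An added check (not from the original answer) for the two branches above: it reports whether a given .cer or .pfx actually carries a private key, so you know which copy needs locking away, and exports a fresh password-protected PFX from the machine store for the off-site backup. It only uses the .NET X509Certificate2 class, which is available on PowerShell 2.0 / Server 2008 R2 without the newer PKI module; paths, password and thumbprint are placeholders.

```powershell
# Inspect what a certificate file really contains. For a .cer the password is ignored.
function Get-CertFileInfo {
    param([string]$Path, [string]$Password = "")
    # Exportable only affects the temporary in-memory key; nothing is written to a store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    New-Object PSObject -Property @{
        File          = $Path
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # $true: treat this file as a secret
    }
}

# Export the installed certificate WITH its private key as a new PFX for DR/backup.
# Run elevated: reading a LocalMachine private key needs admin rights.
function Backup-StoreCertificate {
    param([string]$Thumbprint, [string]$OutFile, [string]$Password)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Store copy has no private key; only the public .cer can be backed up" }
    try {
        # CspKeyContainerInfo exists for CSP-backed RSA keys (the usual case for an IIS CSR).
        # CNG-backed keys throw here on older .NET; fall through and let Export() decide.
        $info = $cert.PrivateKey.CspKeyContainerInfo
        if ($info -and -not $info.Exportable) { throw "Private key is marked non-exportable" }
    } catch [System.Security.Cryptography.CryptographicException] { }
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes   = $cert.Export($pfxType, $Password)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    "Wrote $($bytes.Length) bytes to $OutFile; move it off the server and remove the local copy"
}

# Usage (placeholder values; replace before running):
# Get-CertFileInfo -Path 'C:\certs\site.cer'
# Get-CertFileInfo -Path 'C:\certs\site.pfx' -Password 'PFX_PASSWORD_HERE'
# Backup-StoreCertificate -Thumbprint 'THUMBPRINT_FROM_STORE' -OutFile 'E:\offsite\site-backup.pfx' -Password 'NEW_STRONG_PASSWORD'
```

If Get-CertFileInfo reports HasPrivateKey = $false for your .pfx, the file is no more sensitive than the .cer, and Backup-StoreCertificate is the way to get a copy that is actually worth putting in the safe.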


One idea is to back them up to a USB thumb drive and put them in a safe.

It is true that if the certificate includes the private key, then you do not want to let it fall into the wrong hands. Once you import the certificate into your store, you don't need to keep the PFX or CER file hanging around. But it's a good idea to have a backup of the certificate somewhere, in case you need to rebuild the server or website.