Certificate Chain (V2) - How to create pfx file


My dear friends,
i am still struggling to create a valid V2 PFX certificate file. I am stuck on the last step after downloading the certificate chain (pem format).

I am writting a client to support V1 and V2, using C# and BouncyCastle, the last one to create more easily a PFX certificate file.

For example i make the following request
main domain: test1.net
SAN: www.test1.net
All steps complete successfully, both domain names are valid using the http-01 method.
The validation on V1 and V2 completes successfully and i proceed to the next step of creating a SAN certificate for the above domains.

On V1 the things are little bit more easy, and i create the PFX file using BouncyCastle.

On V2 when downloading the certificate chain it has the following format:
[End-entity certificate contents]
[Issuer certificate contents]

So, my problem is how can i use this chain to create a valid pfx certificate file for V2 Protocol?
Is there any guy who can give me a code example based on BouncyCastle on how to be able to create a valid PFX file? or maybe just give me a sample code on C# to understand the mechanism?
Sorry, but i cannot understand these pem files and chain files, its foggy in my mind.

Thanks you very much in advance.


Hi @fotis,

I’m afraid I have no knowledge of PFX or C# so my answers might not get you all the way to your goal. Hopefully some other folks with more domain-specific knowledge can jump in for the rest.

If you already have the code to convert a single end-entity PEM encoded certificate to PFX you should be able to do the same with the V2 certificate chain by splitting on the PEM “-----BEGIN CERTIFICATE-----” delimiter and treating the first certificate as the stand-alone end-entity certificate like you did in V1 and the second certificate as the intermediate certificate you would have fetched via the up relation in V1.


based on V1 as a guide i did what you just told me, but when i am NOT in staging mode, the certificate that i produce on V2 is not working well, when i install the V2 cert, on the browser (chrome) i get the ERR_SSL_PROTOCOL_ERROR.
I am sure that it is something on creating the certificate but dont know what exactly is the problem.
I am really so close to complete it. grrrr :slight_smile:
Thank you for your help, at least i understand that splitting it is the proper way.


Aha! I remember your other thread about this.

Stick with it! I’m sure you’ll get it :slight_smile:

Is it possible you could leave the broken V2 PFX bundle installed on a server and share the URL in this thread? That would let folks test to see what the problem appears to be. What webserver are you using? Is there anything telling in the webserver logs? If you could share code snippits perhaps someone else that has C# ACME experience could spot the problem.


if i have issued V1 and V2 certificate for the same domain names (SAN) i will have any problem?
because i will do that to be able to switch between V1 and V2 in order to keep the site working with V1 and V2 for testing the certificate creation.


You’ll have to pay attention to the duplicate certificate rate limit: https://letsencrypt.org/docs/rate-limits/

We also have a Duplicate Certificate limit of 5 certificates per week.


i used the https://crt.sh for the domain and i found that it says:

CT Precertificate Poison: critical

what does this mean? how can i fix it?


You don’t need to fix this. It’s normal. Let’s Encrypt submits poisoned pre-certificates to most CT logs and only submits the final certificate in its normal form to some logs. The crt.sh backlog might mean it has only seen the precert.


There’s nothing actually different about the certs generated by V1 and V2. The chain file you download at the end of a V2 conversation is just multiple PEM certificates concatenated together. The first one is the signed cert. The others are the chain of CAs that signed it. With Let’s Encrypt’s CA, there is only one chain cert. But there could hypothetically be more than one.

So basically, you have to split the cert from its chain and then add the cert and its private key to a Pkcs12Store object in BouncyCastle. That involves reading in the private key as an AsymmetricCipherKeyPair object unless you’ve got it already from when you generated it. It will also involve reading in the cert PEM file as an X509Certificate.

You can take a look at the code in Export-PACertFiles.ps1 from my Posh-ACME module. Follow the logic through the various functions and you should have a pretty good idea of how to do what you’re trying to do.


many many thanks, this is what i needed. you are really very helpfull.
I think my mistake is that i recreate the CSR for the domains i already validated with a new generated Key.
I have to keep the private key to use it when downloading the file.
I will check and get based on your code.
thank you very much.


your code helped me understand my small stupid mistake :slight_smile:
I was re-creating the CSR with new key, now I keep the KeyPEM from the CSR i produce and i use the same key when creating the pfx certificate file.
OK, finally completed V2 protocol !!!
You also use BouncyCastle libraries, i believe this library is the best for certificates.
Thanks a lot.


@fotis Congratulations on getting your code working! :tada: That’s a satisfying feeling :slight_smile:

Thanks for jumping in with example code @rmbolger! Much appreciated!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.