SecurePFX
Distribute PFX certificates without ever exposing the password.
Self-contained Windows installers, AES-256 encrypted, unlocked by a one-time password delivered out of band. No cloud dependency, no portal logins, no leaked secrets in email threads.
Sending a PFX certificate today is messy, manual, and quietly insecure.
Every organization that distributes certificates outside its own directory hits the same wall. The certificate is encrypted, sure, but the password lives in an email, a chat message, or a sticky note.
i. Passwords ride in plain channels
The PFX file is encrypted, but the password gets emailed in plaintext, which defeats the encryption the moment both messages land in the same inbox.
ii. No audit trail beyond your tenant
Once the certificate leaves your environment, you have no idea who opened it, when, or whether it was reused.
iii. External parties cannot use MDM
Intune SCEP and similar tools work well inside your tenant. They do not help when the recipient is a vendor, a partner, or a field device outside your AD.
iv. The recipient experience is hostile
Find the certmgr snap-in, find the right store, double-click, type a password they cannot read because it arrived as a screenshot. It fails more often than it succeeds.
We were sending PFX files and passwords in two emails, thirty minutes apart, and calling it secure. SecurePFX was built because that practice had to stop.
CifersID, internal practice note
One installer, one OTP, zero exposed passwords.
SecurePFX wraps your PFX certificate inside a code-signed Windows installer. The recipient runs it, enters a one-time password delivered through a separate channel, and the certificate lands in the right store automatically.
Encrypted by construction
The PFX payload is AES-256-GCM encrypted at build time, with the actual certificate password never written to disk in any recoverable form.
OTP unlocked offline
A short, human-readable OTP unlocks the installer. Validation happens locally, with no callback to any server. Works on isolated and air-gapped endpoints.
Auto-imported to the right store
The certificate lands in the LocalMachine or CurrentUser store as configured at build time. The recipient never sees the password, never touches certmgr.
Four steps from build to imported certificate.
Wrap the certificate
The admin selects the PFX, sets the target store, brands the installer, and generates a build report. The OTP is created at this moment.
Send through any channel
The installer travels by email, file share, USB, or download portal. The channel does not matter; the payload stays encrypted at rest.
Out of band, separate path
The OTP goes through a different channel, by SMS, a phone call, or an internal ticket. Splitting the secret splits the risk.
Recipient runs and unlocks
One double-click, one OTP entry, certificate imported into the configured store. Audit log written locally for chain-of-custody reporting.
Engineered for real production deployments.
SecurePFX is built on the same hands-on PKI and identity experience that drives our consulting practice. Every feature solves a problem we hit in the field.
Offline OTP validation
No callback to any server. The installer validates the OTP locally, ideal for restricted, isolated, or air-gapped environments.
No exposed PFX password
The original certificate password never appears in the installer payload, in logs, or on disk. Only the master secret can derive it.
Local audit logging
Each installation writes a tamper-evident audit entry with timestamp, hostname, user context, and OTP fingerprint.
Branded splash screen
Your logo, your colors, your tone. Recipients see your brand, not a generic installer. Trust signal at the point of execution.
Build report PDF
Every build generates a signed PDF report covering certificate metadata, encryption parameters, OTP fingerprint, and target store.
Authenticode signed
Installers are signed with your code-signing certificate, so Windows shows your publisher name instead of an "Unknown publisher" warning, and SmartScreen reputation accrues to your signing identity rather than to an anonymous binary.
Configurable target store
LocalMachine, CurrentUser, custom store name, custom friendly name. All set at build time, no recipient configuration required.
Master secret on issuer side
The cryptographic root lives only on your build host. A compromised installer affects only that build; the master secret and every other build are unaffected.
Silent install mode
Command-line OTP entry for automated deployments through SCCM, Ansible, or manual scripting on remote endpoints. Command-line arguments are readable by other processes on the endpoint while the installer runs, so use silent mode on managed hosts where that exposure is acceptable.
Two paths, one certificate, no shared secrets.
The cryptographic design separates the encrypted payload from the secret that unlocks it. The installer and the OTP travel on different channels, so an attacker has to obtain both to recover the certificate.
Channel A, installer
Encrypted PFX payload, AES-256-GCM, under a key derived from the master secret and the OTP.
Channel B, OTP
Out of band, short and human-readable, validated offline at install time.
Recovery
Both channels must be compromised to recover the certificate. Splitting the secret splits the risk surface. One consequence of offline validation to keep in mind: anyone holding the installer can test OTP guesses against it without contacting a server, so the OTP's length and the cost of the key derivation are what bound that attack. Treat a leaked installer plus a weak OTP as a leaked certificate, and keep the two delivery paths genuinely separate.
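The two-channel flow described in this section, together with the build-time encryption and store import described under "Encrypted by construction" and "Auto-imported to the right store", as an added illustration that is not SecurePFX's code: a PowerShell 7.2+ script that generates a per-build secret and an OTP, derives the payload key from both with PBKDF2, encrypts the PFX bytes and their export password under AES-256-GCM with the target store bound as associated data, and on the install side validates the OTP offline through the GCM tag before loading the PFX from memory into the configured store. The payload layout, OTP alphabet, 600,000-iteration work factor, function names, and audit line are assumptions made for this example, not the product's documented format.

```powershell
# Added example, not SecurePFX's code: a minimal model of the two-channel design on this page.
# Requires PowerShell 7.2+ (.NET 6 AesGcm, Pbkdf2, RandomNumberGenerator.GetBytes).
# Payload layout, OTP format, iteration count and function names are assumptions.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Text

$OtpAlphabet   = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'  # 32 symbols, no 0/O or 1/I ambiguity
$KdfIterations = 600000                             # assumed work factor; sets the cost of offline OTP guessing

function New-Otp([int] $Length = 10) {
    # 10 symbols from 32 = 50 bits of entropy (assumed OTP format)
    -join (1..$Length | ForEach-Object { $OtpAlphabet[[RandomNumberGenerator]::GetInt32($OtpAlphabet.Length)] })
}

function Get-KeyMaterial([byte[]] $BuildSecret, [string] $Otp) {
    # PBKDF2(OTP, salt = per-build secret). The build secret ships inside the installer (channel A),
    # the OTP ships out of band (channel B); the key needs both. The fingerprint comes from the same
    # slow derivation so it cannot serve as a cheaper oracle for guessing the OTP.
    $bytes = [Rfc2898DeriveBytes]::Pbkdf2($Otp.ToUpperInvariant(), $BuildSecret, $KdfIterations, [HashAlgorithmName]::SHA256, 48)
    @{ Key = [byte[]]($bytes[0..31]); Fingerprint = [Convert]::ToHexString($bytes, 32, 6) }
}

function New-WrappedPfx {
    param([byte[]] $PfxBytes, [string] $PfxPassword, [string] $StoreLocation = 'LocalMachine', [string] $StoreName = 'My')
    $buildSecret = [RandomNumberGenerator]::GetBytes(32)
    $otp = New-Otp
    $km  = Get-KeyMaterial -BuildSecret $buildSecret -Otp $otp
    # The header travels in the clear but is bound to the ciphertext as GCM associated data,
    # so the target store cannot be altered in transit without breaking the tag.
    $header = [ordered]@{ StoreLocation = $StoreLocation; StoreName = $StoreName; Fingerprint = $km.Fingerprint } | ConvertTo-Json -Compress
    # The export password rides inside the encrypted body; it is never part of the OTP channel.
    $plain  = [Encoding]::UTF8.GetBytes(([ordered]@{ Pfx = [Convert]::ToBase64String($PfxBytes); Password = $PfxPassword } | ConvertTo-Json -Compress))
    $nonce  = [RandomNumberGenerator]::GetBytes(12)
    $cipher = [byte[]]::new($plain.Length)
    $tag    = [byte[]]::new(16)
    $aes = [AesGcm]::new($km.Key)
    $aes.Encrypt($nonce, $plain, $cipher, $tag, [Encoding]::UTF8.GetBytes($header))
    $aes.Dispose()
    [Array]::Clear($km.Key, 0, $km.Key.Length); [Array]::Clear($plain, 0, $plain.Length)
    # Channel A is the Installer table; channel B is the Otp string alone.
    @{ Installer = @{ Header = $header; BuildSecret = $buildSecret; Nonce = $nonce; Cipher = $cipher; Tag = $tag }; Otp = $otp }
}

function Unprotect-WrappedPfx([hashtable] $Installer, [string] $Otp) {
    $km    = Get-KeyMaterial -BuildSecret $Installer.BuildSecret -Otp $Otp
    $plain = [byte[]]::new($Installer.Cipher.Length)
    $aes   = [AesGcm]::new($km.Key)
    try {
        # Offline validation: a wrong OTP, or a tampered header or ciphertext, fails the GCM tag
        # check and throws a CryptographicException. No server is consulted.
        $aes.Decrypt($Installer.Nonce, $Installer.Cipher, $Installer.Tag, $plain, [Encoding]::UTF8.GetBytes($Installer.Header))
    } finally {
        $aes.Dispose(); [Array]::Clear($km.Key, 0, $km.Key.Length)
    }
    $body = [Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
    $hdr  = $Installer.Header | ConvertFrom-Json
    [Array]::Clear($plain, 0, $plain.Length)
    [pscustomobject]@{ Pfx = [Convert]::FromBase64String($body.Pfx); Password = $body.Password
                       StoreLocation = $hdr.StoreLocation; StoreName = $hdr.StoreName; Fingerprint = $km.Fingerprint }
}

function Install-UnwrappedPfx($Unwrapped) {
    # Windows only. The PFX is loaded straight from memory, so neither it nor its password is written to disk.
    $flags = [X509KeyStorageFlags]::PersistKeySet
    if ($Unwrapped.StoreLocation -eq 'LocalMachine') { $flags = [X509KeyStorageFlags]($flags -bor [X509KeyStorageFlags]::MachineKeySet) }
    $cert  = [X509Certificate2]::new([byte[]]$Unwrapped.Pfx, [string]$Unwrapped.Password, $flags)
    $store = [X509Store]::new($Unwrapped.StoreName, [StoreLocation]$Unwrapped.StoreLocation)
    $store.Open([OpenFlags]::ReadWrite); $store.Add($cert); $store.Close()
    # Local audit line (assumed format): who, where, when, which build, by OTP fingerprint rather than OTP value.
    "$(Get-Date -Format o) host=$env:COMPUTERNAME user=$env:USERNAME otp_fp=$($Unwrapped.Fingerprint) thumbprint=$($cert.Thumbprint)" |
        Add-Content -Path "$env:ProgramData\pfx-install-example.log"
}

# Demo on constructed input; a real build would pass the bytes of an exported .pfx file.
$build = New-WrappedPfx -PfxBytes ([Encoding]::UTF8.GetBytes('constructed sample PFX bytes')) -PfxPassword 'export-pw-set-on-build-host'
"Channel B (OTP): $($build.Otp)  build-report fingerprint: $(($build.Installer.Header | ConvertFrom-Json).Fingerprint)"
$ok = Unprotect-WrappedPfx -Installer $build.Installer -Otp $build.Otp
"Round trip: '$([Encoding]::UTF8.GetString($ok.Pfx))' -> $($ok.StoreLocation)\$($ok.StoreName)"
try   { Unprotect-WrappedPfx -Installer $build.Installer -Otp 'WRONGOTP22' | Out-Null }
catch { "Wrong OTP rejected offline: $(($_.Exception.InnerException ?? $_.Exception).GetType().Name)" }
# On a Windows host with a real PFX: Install-UnwrappedPfx $ok
```

Two design points worth noticing. Because validation is offline, Unprotect-WrappedPfx is exactly what an attacker holding the installer would run in a loop, so the OTP entropy and the PBKDF2 cost are the only things between a leaked installer and the certificate; that is also why the OTP fingerprint for the build report is cut from the same PBKDF2 output rather than from a cheap hash of the OTP, which would hand that attacker a faster oracle. And binding the header as GCM associated data means a re-targeted store name or swapped fingerprint fails the same tag check as a wrong OTP.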
Built for the certificates that leave your tenant.
Vendor and supplier onboarding
Issue authentication or mTLS certificates to third-party vendors connecting into your APIs, VPN, or B2B platforms. Without a portal, without a shared password.
Partner federation handoffs
Distribute SAML signing certificates or token-signing keys to federation partners. They run an installer, you log who got what and when.
MDM-less and BYOD environments
For endpoints not enrolled in Intune or Jamf, SecurePFX is the bridge. The user runs the installer, the certificate lands in the right store, done.
Field device and OT provisioning
Industrial control systems, kiosks, and isolated networks where the certificate cannot phone home. Offline validation, no infrastructure required.
Code-signing certificate handoff
Hand a code-signing certificate to a contractor or build server with traceable chain of custody. The audit log proves who installed it.
Internal certificate refresh at scale
When ADCS rotation hits non-domain-joined endpoints, push a SecurePFX installer through your existing channels. No re-architecting required.
Push to a fleet, not just one machine at a time.
SecurePFX ships with a separate deployment companion for environments that need to roll out a certificate across many domain-joined Windows machines at once. Import a hostname list, click deploy, watch the results land in a live grid.
Bulk import, one-click deploy
Drop in a text file of machine names. The companion queues the deployment, dispatches in parallel across the network, and surfaces per-host status as it happens.
Live grid and retry on failure
Each row reports success, failure, or reason. Successful machines clear from the queue. Failed ones stay for a one-click retry within the same session.
Session report and chain of custody
An HTML report at the end of every session covers targets, outcomes, timestamps, and operator identity. It pairs with the SecurePFX build report for end-to-end traceability.
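The dispatch, per-host status, retry and session-report pattern described in this section, as an added PowerShell example that is not the SecurePFX companion's code. It assumes WinRM is enabled on the targets, that the installer sits on a share the targets can read, and that silent mode takes the OTP on the command line; the "/silent /otp" flag syntax, the function name, and the report layout are assumptions for the example.

```powershell
# Added example of the fleet-dispatch pattern, not the SecurePFX companion's code.
# Assumptions: WinRM reachable, installer on a readable share, silent mode invoked as
# "/silent /otp <value>" (flag names assumed; check the product's own documentation).
function Invoke-FleetInstall {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $InstallerPath,
        [Parameter(Mandatory)] [string]   $Otp,
        [int]    $MaxAttempts   = 2,
        [int]    $ThrottleLimit = 16,
        [string] $ReportPath    = ".\fleet-session-$(Get-Date -Format yyyyMMdd-HHmmss).html"
    )
    $rows = [ordered]@{}
    foreach ($h in $ComputerName) {
        $rows[$h] = [pscustomobject]@{ Host = $h; Status = 'Queued'; Detail = ''; Attempts = 0; Completed = $null }
    }
    $pending = [string[]]$ComputerName
    for ($attempt = 1; $attempt -le $MaxAttempts -and $pending.Count -gt 0; $attempt++) {
        # One parent job, one child job per host; the child jobs are the "live grid".
        $job = Invoke-Command -ComputerName $pending -ThrottleLimit $ThrottleLimit -AsJob `
            -ArgumentList $InstallerPath, $Otp -ScriptBlock {
                param($path, $otp)
                # The OTP is visible in the process command line on the target while the installer
                # runs: silent mode trades part of the out-of-band property for automation.
                $p = Start-Process -FilePath $path -ArgumentList '/silent', '/otp', $otp -Wait -PassThru -WindowStyle Hidden
                $p.ExitCode
            }
        $null = Wait-Job $job
        foreach ($cj in $job.ChildJobs) {
            $row = $rows[$cj.Location]; $row.Attempts = $attempt; $row.Completed = Get-Date
            if ($cj.State -ne 'Completed') {
                # Unreachable host, authentication failure, or a terminating error on the target
                $row.Status = 'Failed'; $row.Detail = "$($cj.JobStateInfo.Reason.Message)"
                continue
            }
            $code = Receive-Job $cj -ErrorAction SilentlyContinue
            if ($code -eq 0) { $row.Status = 'Success'; $row.Detail = 'exit 0' }
            else             { $row.Status = 'Failed';  $row.Detail = "installer exit code $code" }
        }
        Remove-Job $job -Force
        # Successful hosts leave the queue; failed ones are retried on the next pass.
        $pending = [string[]]($rows.Values | Where-Object Status -eq 'Failed' | ForEach-Object Host)
        $rows.Values | Format-Table Host, Status, Attempts, Detail -AutoSize | Out-String | Write-Host
    }
    # Session report: operator, time, and per-host outcome, to pair with the build report.
    $meta = "Operator $env:USERDOMAIN\$env:USERNAME, session ended $(Get-Date -Format o), installer $InstallerPath"
    $rows.Values | ConvertTo-Html -Title 'Fleet certificate deployment' -PreContent "<p>$meta</p>" | Set-Content $ReportPath
    $rows.Values
}

# Usage with a constructed host list file (one hostname per line):
# Invoke-FleetInstall -ComputerName (Get-Content .\hosts.txt) -InstallerPath '\\files\deploy\CertInstaller.exe' -Otp 'ABCDEFGHJK'
```

The retry loop only re-dispatches rows still marked Failed, so a host that succeeded on pass one is never touched again, and the child-job state distinguishes "could not reach the host" from "the installer ran and returned non-zero", which is the distinction an operator needs before deciding whether a retry is worth it.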
Existing tools solve different problems.
SCEP, MDM, and CMS platforms are excellent at what they do. They were not designed for ad-hoc certificate handoffs to parties outside your directory.
| Capability | SecurePFX (CifersID) | Intune SCEP (Microsoft) | DigiCert (portal) | vSEC:CMS (Versasec) | SecureAuth (IdP) |
|---|---|---|---|---|---|
| Recipients outside your AD or tenant | Yes | No | Portal only | No | Federation only |
| No cloud or portal dependency | Yes | Cloud required | Portal required | Server required | Cloud required |
| Offline air-gap deployment | Yes | No | No | Limited | No |
| No exposed PFX password in transit | Yes | Yes | Portal pickup | Yes | Yes |
| Per-install audit trail | Yes | Yes | Yes | Yes | Yes |
| Self-contained installer, double-click | Yes | No | No | Smart card flow | No |
| Authenticode signed installer | Yes | N/A | N/A | Yes | N/A |
| Per-build PDF report | Yes | No | Limited | Limited | No |
| Setup and licensing footprint | One host | Heavy | Heavy | Heavy | Heavy |
Comparison based on public product capabilities at time of writing. SecurePFX is designed to complement, not replace, full lifecycle CMS or SCEP platforms.
Request a walkthrough, tailored to your environment.
We will walk you through a build, a distribution, and an install on a sample certificate. Thirty minutes, no slides, no scripts. Follow-up materials and pricing are shared after the call if there is a fit.