Create pfx file for Alipay signing

Unofficial Content

When integrating Alipay payments into a mobile application, the payment information must be signed with the keys created on the Alipay Developer Site. The private and public keys obtained there are in plain text format; to use them with the GeneXus Cryptography data types, a PFX (Personal Information Exchange) file must be created from the private key.

This process needs to be executed only once for each application, and consists of a series of steps:

Step 1 - Convert the private key to RSA format

The first step is to convert the plain text private key into RSA format, which only adds a header, a footer and line breaks. A procedure named ConvertPrivateKey is included within the Alipay API, with the code needed to perform this action. The output of the first step is a *.pem file.

Step 2 - Create the RSA key

From here on, OpenSSL commands are used. Using the file obtained in step 1, the following command needs to be executed:

openssl rsa -in Alipay_RSA_Converted.pem -out Alipay_RSA_Key.pem

The output is another *.pem file.

Step 3 - Create the X509 certificate

The following command needs to be executed:

openssl req -config openssl\bin\openssl.cfg -new -x509 -key Alipay_RSA_Key.pem -pubkey -out Alipay_X509.cer -days 365

In this step, the user is prompted for the information needed for the certificate (Name, Company, Email, Country, etc.). The output is a *.cer file.

Step 4 - Create the PFX file

The following command needs to be executed:

openssl pkcs12 -export -in Alipay_X509.cer -inkey Alipay_RSA_Key.pem -out Alipay_PKCS12.pfx

The user will be asked for a password for the PFX file. The PFX file generated and the password will be used later when developing the integration in GeneXus.
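An illustration of Step 1, added here and not the ConvertPrivateKey procedure shipped with the Alipay API: it wraps a header-less base64 key as PEM and picks the PEM label from the DER structure, because a PKCS#1 key and a PKCS#8 key take different headers. The function names and the sample bytes are constructed for this example; the sample is key-shaped DER, not a usable key.

```python
import base64

PKCS1_LABEL = "RSA PRIVATE KEY"  # PKCS#1 RSAPrivateKey
PKCS8_LABEL = "PRIVATE KEY"      # PKCS#8 PrivateKeyInfo (unencrypted)


def _skip_header(der: bytes, pos: int) -> int:
    """Offset of the content that follows the tag and length bytes at pos."""
    first = der[pos + 1]
    if first < 0x80:                 # short form: one length byte
        return pos + 2
    return pos + 2 + (first & 0x7F)  # long form: N further length bytes


def detect_label(der: bytes) -> str:
    """Choose the PEM label from the field that follows the version INTEGER."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; is the key text complete?")
    pos = _skip_header(der, 0)
    # Version 0 covers two-prime RSA (PKCS#1) and PKCS#8 v1.
    if len(der) <= pos + 3 or der[pos:pos + 3] != b"\x02\x01\x00":
        raise ValueError("unexpected or truncated version field")
    tag = der[pos + 3]
    if tag == 0x02:   # INTEGER (the modulus) follows: PKCS#1
        return PKCS1_LABEL
    if tag == 0x30:   # SEQUENCE (AlgorithmIdentifier) follows: PKCS#8
        return PKCS8_LABEL
    raise ValueError("unrecognised private key structure")


def plain_key_to_pem(plain: str) -> str:
    """Wrap a header-less base64 private key as PEM with 64-character lines."""
    b64 = "".join(plain.split())                # drop spaces and line breaks
    der = base64.b64decode(b64, validate=True)  # raises on non-base64 input
    label = detect_label(der)
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed sample: PKCS#8-shaped DER bytes, not a usable key.
    sample = base64.b64encode(bytes.fromhex("300b0201003003060100040100")).decode()
    print(plain_key_to_pem(sample), end="")
```

The returned text is what would be saved as the *.pem file that Step 2 takes as input.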

PFX Generation utility

A utility is available to simplify the PFX file generation process. It can be downloaded from here.

The entire process can be executed with only one command:

AlipayGeneratePFX -f|-k keylocation



  -f            Indicates that the path to a file containing the private key will be used
  -k            Indicates that the private key value will be used
  keylocation   If -f is specified, this is the key file path; if -k is specified, this is the key value