Create Certificates in PEM format

  • Blog
  • Create Certificates in PEM format

Knowledge Base

Create Certificates in PEM format

Table of Contents

Overview #

RELIANOID is able to manage HTTPS connections (HTTP Profile), so the system administrator must to create their own certificates (self-signed certificates) or to acquire Signed Certificates by a Certificate Authority, in both cases the certificate must to be built in PEM format.

The Secure Certificate must be created without password and the keys and CSR must be generated in the server to be secured.

Positives SSL are ready to go in PEM format but Rapid SSL needs to be converted as each file contains the cert, the intermediate CA and the root CA separated.

Requirements #

The package openssl should be installed in order to generate the keys in the server, in our case will be the RELIANOID instance which should be already installed.

First, generate the key without passphrase.

root@noid-ee-01:~# openssl genrsa -out host_domain_com.key 2048

Then, generate the Certificate Signed Request (.csr) using the generated key (.key) as input.

root@noid-ee-01:~# openssl req -new -key host_domain_com.key -out host_domain_com.csr

Once the certificate and intermediate CA files are delivered, ensure to get the issuer root certificate.
All separated files need to be in PEM format: Server Certificate, Intermediate Certificate and Root CA Certificate. If it isn’t, convert the file with the following command:

root@noid-ee-01:~# openssl x509 -in certFileName.csr -outform PEM -out convertedCertFileName.pem

Finally, we’ve the Private Key, the Certificate issued, the Intermediate Certificate and the Root CA Certificate. All these file contents should be combined to create the PEM file in UNIX format.

Generate SSL certificate in PEM format #

To generate an SSL certificate in PEM format, you typically need a private key, a certificate, an intermediate CA certificate (if one exists), and a root CA certificate. Here’s how you can generate the PEM file:

Prepare the Components #

Private Key: Ensure you have the private key corresponding to the certificate.
Certificate: Obtain the certificate issued for your domain or server.
Intermediate CA Certificate: If your certificate is issued by an intermediate CA (not directly by the root CA), you’ll need the intermediate CA certificate.
Root CA Certificate: You may also need the root CA certificate, especially if it’s not already included in the trust store of the client applications or devices.

Concatenate the Components #

Open a text editor or use command-line tools to concatenate the private key, certificate, intermediate CA certificate (if applicable), and root CA certificate (if needed) into a single PEM file, as it it’s shown below.

-----BEGIN RSA PRIVATE KEY-----
Private Key (without passphrase)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Certificate (CN=www.mydomain.com)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate (Intermediate CA, if exists)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root (ROOT CA, who signs the Certificate)
-----END CERTIFICATE-----

Refer to the example below to know how a correct PEM file will look like.

-----BEGIN RSA PRIVATE KEY-----
uiMTxBQnK9ApC5eq1mrBooECgYB4925pDrTWTbjU8bhb/7BXsjBiesBBVO43pDYL
nUVxhqt4DT+4Vp5S7D9FQ+HagbhVInQXKXtT7FNFhpIxpRy512ElSuWvrELiZOwe
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
wYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3JhcGlkc3NsLWNybC5n
DYmhNE0IgXx6XRHiMAwGA1UdEwEB/wQCMAAwSQYIKwYBBQUHAQEEPTA7MDkGCCsG
gOYD8kmKOsxLRWeZo6Tn8
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----

It’s mandatory to convert the PEM entire file in UNIX format. There is available a certificate named zencert.pem or noidcert.pem for testing purposes in order to be used with HTTPS profile farms.

Ensure that the order of certificates is as follows:

1. Your Certificate
2. Intermediate CA Certificate (if applicable)
3. Root CA Certificate

Save Concatenated PEM File #

Save the concatenated PEM file with a .pem extension. This file will contain the private key and the entire certificate chain.

Use the PEM File #

You can now use the PEM file in your server configuration. Depending on your server software (e.g., Apache, Nginx, RELIANOID), you may need to specify the path to the PEM file in the SSL configuration. At RELIANOID, just upload the SSL certificate using the web GUI and assign as Enabled Certificate in any HTTPS farm.

Verify Configuration #

After configuring your server to use the PEM file, it’s essential to verify the SSL/TLS configuration to ensure that the certificate chain is presented correctly to clients during the SSL handshake. You can use various online SSL/TLS testing tools or command-line utilities like OpenSSL to check the configuration and ensure that the certificate chain is complete.

Generate a Self-signed SSL certificate in PEM format #

To create a PEM format self-signed SSL certificate from either the load balancer or server, execute the following steps:

1. Generate the key and certificate files with a 4096-bit RSA key for 1 year and no passphrase using the following command:

root@noid-ee-01:~# openssl req -nodes -new -x509 -newkey rsa:4096 -keyout server.key -out server.cert -days 365
Generating a RSA private key
.....................++++
...........................................................................................................................................................++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

During the execution of this command, you will be prompted to enter information interactively. Please provide the required details.

2. Concatenate the key and certificate into a PEM file using the following command:

root@noid-ee-01:~# cat server.key server.cert >> server.pem

This command combines the key and certificate into a single PEM file.

3. Your self-signed SSL certificate in PEM format (server.pem) is now ready for use with your proxy, web services, or internet services.

How to See the contents of a SSL Certificate #

To view the contents of an SSL certificate, you can use various tools and commands. One common method is using OpenSSL, a versatile command-line tool that supports various cryptographic operations, including certificate inspection. Here’s how you can view the contents of an SSL certificate using OpenSSL:

Open a Terminal or Command Prompt #

Open a terminal or command prompt window on your system.

Run OpenSSL Command #

Use the following OpenSSL command to view the contents of the SSL certificate:

root@noid-ee-01:~# openssl x509 -in certificate.pem -text -noout

Replace certificate.pem with the path to your SSL certificate file.

If your certificate is in PEM format, this command will display detailed information about the certificate, including:

Issuer
Subject
Validity period (start and end dates)
Public key information
Certificate extensions
Signature algorithm
Fingerprints (SHA-1, SHA-256, etc.)

Inspect the Output #

Once you run the command, OpenSSL will output the textual representation of the certificate’s contents. Review the information displayed to verify the details of the certificate, such as the issuer, subject, validity dates, and other relevant metadata.

Additional Options #

If your certificate is in DER format instead of PEM, you can use the -inform der option to specify the input format:

root@noid-ee-01:~# openssl x509 -inform der -in certificate.pem -text -noout

You can also save the output to a file for further analysis or documentation by using the shell redirection (>):

root@noid-ee-01:~# openssl x509 -in certificate.pem -text -noout > certificate_details.txt

This command will save the certificate details to a file named certificate_details.txt.

By using the OpenSSL command-line tool, you can easily inspect the contents of an SSL certificate and verify its details, helping you ensure the security and validity of your SSL/TLS connections.

Verifying Intermediate and Root CA is present in a SSL certificate #

Verifying whether intermediate and root CA certificates are present in an SSL certificate involves examining the certificate chain. Here’s how you can do it:

Use OpenSSL or another tool to view the details of the SSL certificate. Run the following command:

root@noid-ee-01:~# openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -noout 
subject=CN = mydomain.com
issuer=C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1

In the example below, only the certificate is present.

root@noid-ee-01:~# openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -noout 
subject=CN = mydomain.com
issuer=C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1

subject=C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

In the example below, both the certificate and the Intermediate are present.

Replace certificate.pem with the path to your SSL certificate file.

Also, use OpenSSL to view the certificate chain presented by the SSL server during the handshake. Run the following command:

root@noid-ee-01:~# openssl s_client -connect mydomain.com:443 -showcerts

Replace mydomain.com with the domain name of the SSL-enabled server you want to connect to.

Look for the sections labeled Certificate chain or Certificate chain (PEER). This will show the certificates presented by the server, starting from the end-entity certificate and ending with the root CA certificate.

Verify intermediate and Root CA Certificates by examining each certificate in the chain to verify whether both the intermediate and root CA certificates are present.
Intermediate CA Certificate: Look for a certificate in the chain that matches the issuer of the end-entity certificate but precedes it.
Root CA Certificate: Verify that the last certificate in the chain is the root CA certificate.

Alternatively, you can use online SSL validation tools that automatically check the certificate chain and verify whether intermediate and root CA certificates are present. Tools like SSL Labs’ SSL Server Test or DigiCert’s SSL Installation Diagnostics Tool can provide detailed information about the certificate chain.

By following these steps, you can verify whether intermediate and root CA certificates are present in an SSL certificate and ensure the integrity and security of your SSL/TLS connections.

SHARE ON: #
What are your Feelings

Powered by BetterDocs