DescriptionCreate SSL Certificate Bundle with Files Returned from Certificate Authority
ScopeVersion: N/A
SolutionVersion: N/A
If installing SSL certificates in a Network Sentry Control, Application or Analytics Server via CLI, three files are used:
- private key
- leaf certificate
- certificate bundle (intermediate and root certificates)
If several intermediate certificate files are received (as opposed to a single CA bundle), the files should be merged into a bundle before importing.
Note: This procedure assumes all intermediate files have been provided by the Certificate Authority (CA).
Procedure:
1. Confirm the files are in PEM format. When opened in a text editor, the content should look similar to the format:
-----BEGIN CERTIFICATE1-----
sajaisjkajfsdvjJV;kjvd;Kjv;Js;FDJVKjv
-----END CERTIFICTATE1-----
If the content does not have these types of headers, convert to PEM format first.
Convert DER/Binary to PEM Format:
openssl x509 -inform der -in <filename> -out <newfilename>
Example converting certificate.cer:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B/PKCS#7 to PEM Format:
openssl pkcs7 -print_certs -in <filename> -out <newfilename>
Example converting certificate.p7b:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert PFX/PKCS#12 to PEM Format:
openssl pkcs12 -in <filename> -out <newfilename> –nodes
Example converting certificate.pfx:
openssl pkcs12 -in certificate.pfx -out certificate.cer –nodes
2. Verify Private Key is in RSA format. Review the private key file using a text editor. Alternatively, if in Linux, the file can be viewed by running the command:
cat <filename>
If Key Header looks like this: -----BEGIN PRIVATE KEY-----
This is an indication the Key is not in the correct format and needs to be converted.
Covert the file by running the following command (on a Linux server):
openssl rsa -in <old_file_name> -out <new_file>
Header should now look like this: -----BEGIN RSA PRIVATE KEY-----
3. Append all intermediate and root files into a single text file (example: Bundle.crt). The appended files must not have any spaces between each start and end of file.
Example Bundle content:
-----BEGIN CERTIFICATE1-----
sajaisjkajfsdvjJV;kjvd;Kjv;Js;FDJVKjv
-----END CERTIFICTATE1-----
-----BEGIN CERTIFICATE2----
sajdjsaskdjfkjdskvjsadvkjBDSVKBkdjv
-----END CERTIFCATE2-----
Order is important. Put the Intermediate Certificate(s) at the top and Root at the bottom. If more than one intermediate file, place them in order. Look at the leaf certificate Issuer to determine the certificate to be listed at the top of the bundle.
Leaf certificate
Owner: CN=hostname.domain.edu
Issuer: CN= CA 1
Bundle (Bundle.crt)
Intermediate certificate 1
Owner: CN= CA 1
Issuer: CN= CA 2
Intermediate certificate 2
Owner: CN= CA 2
Issuer: CN= Root CA
Root certificate content
Owner: CN= Root CA
Example Bundle content:
-----BEGIN CERTIFICATE1-----
sajaisjkajfsdvjJV;kjvd;Kjv;Js;FDJVKjv
-----END CERTIFICTATE1-----
-----BEGIN CERTIFICATE2----
sajdjsaskdjfkjdskvjsadvkjBDSVKBkdjv
-----END CERTIFCATE2-----
-----BEGIN CERTIFICATE3----
sajdjsaskdjfkjdskvjsadvkjBDSVKBkdjv
-----END CERTIFCATE3-----
The file is now ready for import.