This document introduces the requirements on SSL certificates and describes how to convert certificate formats.
privateKey.pem. Please keep it private.
openssl genrsa -out privateKey.pem 2048
server.csr. It can be used for certificate application.
openssl req -new -key privateKey.pem -out server.csr
You can check for applicable rules or instructions provided by the CA when issuing the certificate.
Certificate format and certificate chain format
Below are examples of certificate and certificate chain formats. Please confirm the format before upload:
Certificate issued by a root CA: PEM format on Linux, as shown below:
Certificate rules are:
Certificate chain from an intermediate CA:
Certificate chain rules:
Below is an example:
RSA private key can include all private keys (RSA and DSA), public keys (RSA and DSA), and (X.509) certificates. It stores data in Base64-encoded DER format and is wrapped by ASCII headers, making it suitable for transmission in text mode between systems.
RSA private key rules:
If your private key does not start with "——-BEGIN PRIVATE KEY——-" and end with "——-END PRIVATE KEY——-", you can convert it in the following way:
openssl rsa -in old_server_key.pem -out new_server_key.pem
You can then upload
new_server_key.pem content together with the certificate.
Currently, CLB only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format first before uploading to CLB. We recommend you use OpenSSL. The following shows how to convert several common formats to PEM.
DER format is generally used on Java platforms.
openssl x509 -inform der -in certificate.cer -out certificate.pem
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
P7B format is generally used on Windows Server and Tomcat.
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
outcertificat.certo upload as certificate.
PFX format is generally used on Windows Server.
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
openssl pkcs12 -certname.pfx -nocerts - .pem -nodes
You can convert certificates in CER/CRT formats to PEM by directly modifying their file extension names. For example, you can directly rename the
servertest.crt certificate file as