How to convert an SSL cert to a .pem for installation on Citrix and Cisco appliances

You will often need to add an SSL cert to a Cisco or Citrix appliance (like a Netscaler), but the appliance only accepts the SSL cert and private key in a certain format. Your CA (certificate authority) will issue the SSL cert to you as a .crt. From there, you need to package the cert with the private key in the format your appliance requires. There are different ways to do this; one easy way I like uses IIS and OpenSSL, a free open source tool that can be downloaded here: http://www.openssl.org

1. Create a temporary site in IIS and generate a CSR. Make sure the CN (common name) you enter matches the appliance you are generating it for, for example: wireless.mycompany.com

2.  Submit the CSR to your CA such as Verisign, GoDaddy, Network Solutions, etc. and wait for them to validate and issue your cert.


3. Get the .crt from the CA once they issue it and convert it to .cer. Just open the .crt by double-clicking on it and save it as .cer using the export wizard. This is necessary since IIS does not accept .crt.

4. Install the .cer in IIS using the Web Server Certificate Wizard where you originally generated the CSR.  Just process the pending request to install it.

5. View the cert in IIS and export it with the private key in pkcs12 (.pfx) format.  Just set the password as “password” since you will be deleting it after conversion is complete later.


6. Go to the directory where OpenSSL.exe is and type in the following to convert the .pfx to a .pem

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem

7. Type the “password” when prompted for the pass phrase.

8. Install the .pem on the appliance and it should work


IMPORTANT NOTE:

If you are doing it for some appliances like a Cisco IronPort, you need to add the -nodes switch when creating the .pem:

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem -nodes

The -nodes switch ensures that the key inside the .pem is left unencrypted. If you attempt to install a .pem created without the -nodes switch, the appliance will take the cert but will not accept the private key, since it cannot read it in an encrypted state.
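A check you can run on the converted file before installing it, as an added example that is not part of the original post: it reports whether the key in the .pem is encrypted (the difference -nodes makes) and confirms the key belongs to the certificate. The function names, the throwaway self-signed cert standing in for the IIS export, and the non-interactive -passin/-passout arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example. File names, the CN and the "password" value are constructed test inputs.

# Stand-in for the IIS export in step 5: self-signed cert + key packaged as a .pfx.
make_test_pfx() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=wireless.mycompany.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/nameofcert.pfx" -passout pass:password
}

# Step 6, non-interactive. $4 = "nodes" selects the IronPort variant.
pfx_to_pem() {  # $1 = .pfx  $2 = .pem  $3 = password  $4 = optional "nodes"
    if [ "$4" = nodes ]; then
        openssl pkcs12 -in "$1" -out "$2" -passin "pass:$3" -nodes
    else
        openssl pkcs12 -in "$1" -out "$2" -passin "pass:$3" -passout "pass:$3"
    fi
}

# Is the private key block in the .pem encrypted, in clear text, or absent?
pem_key_state() {  # $1 = .pem
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e 'Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then echo unencrypted
    else echo missing
    fi
}

# Does the key belong to the first certificate in the same file? Compares public keys.
pem_key_matches_cert() {  # $1 = .pem  $2 = PEM pass phrase (unused for a clear key)
    cert_pub=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" |
        openssl pkey -passin "pass:$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run on a throwaway directory.
dir=$(mktemp -d) && make_test_pfx "$dir" || exit 1
pfx_to_pem "$dir/nameofcert.pfx" "$dir/nameofcert.pem" password
pfx_to_pem "$dir/nameofcert.pfx" "$dir/nameofcert-nodes.pem" password nodes
chmod 600 "$dir"/*.pem   # the -nodes file contains a directly usable private key
echo "default: $(pem_key_state "$dir/nameofcert.pem")"
echo "-nodes:  $(pem_key_state "$dir/nameofcert-nodes.pem")"
pem_key_matches_cert "$dir/nameofcert-nodes.pem" "" && echo "key matches certificate"
rm -rf "$dir"
```

A result of "missing" or a failed match means the appliance would receive a cert without its own key, whatever the state of the -nodes switch.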


2 Comments

  1. robert langdon

    February 4, 2010 at 8:15 AM

    Hello all,
    I get the following results when I execute a curl command attempting to
    access a secure site:

    D:\cURL\ssl>curl -v --cacert mycert.pem -o test.txt
    "https://mydomain.mycompany.com/DWNLD.asp?id=128"
    * About to connect() to mydomain.mycompany.com:443
    * Connected to mydomain.mycompany.com (vvv.xxx.yyy.zzz) port 443
    * SSL: error:00000000:lib(0):func(0):reason(0)
    * Closing connection #0
    curl: (35) SSL: error:00000000:lib(0):func(0):reason(0)

    D:\cURL\ssl>

    I am using curl-7.10.3 ssl version under Win32.

    Here is how I generate mycert.pem from SSL certificate of web site
    https://mydomain.mycompany.com:
    (a) Open up https://mydomain.mycompany.com using MSIE 5.5
    (b) Double click on the lock sign on MSIE status bar
    (c) Click on Details tab
    (d) Click on “Copy to File” button
    (e) Click on Next on Certificate Export Wizard window
    (f) Select “Base-64 encoded X.509 (.CER)” and then click on Next
    (g) Enter d:\mycert.cer into file name input area
    (h) Press Finish button to complete exporting certificate
    (i) and finally use openssl to generate mycert.pem file
    openssl x509 -in mycert.cer -outform PEM -out mycert.pem

    What am I doing wrong here? Can anybody tell me how to get .pem file
    from IIS or the secure site itself?

    By the way, when I turn off cURL’s certificate verification
    (by using -k option instead of --cacert), the above cURL command
    runs with no errors.

    Thanks a lot,

  2. Clement

    September 15, 2015 at 4:10 AM

    Hello,

    What's the best way to convert .pem files from a Cisco ACE appliance to a usable .pem format for Netscaler 10.5?

    I keep running into “Not a server certificate” error on the Netscaler while binding the certificate (created using the .pem file) to an SSL service.

    Thanks
    Clement
