Oftentimes you may need to add an SSL certificate to a Cisco or Citrix appliance (such as a NetScaler), but the appliance only accepts the certificate and private key in a particular format. Your CA (certificate authority) will issue the SSL certificate to you as a .crt. From there you need to package the certificate with the private key in the format your appliance requires. There are several ways to do this; one easy method I like is using IIS together with OpenSSL, a free open source tool that can be downloaded here: http://www.openssl.org
1. Create a temporary site in IIS and generate a CSR. Make sure the CN (common name) you enter matches the appliance you are generating it for, e.g. wireless.mycompany.com
2. Submit the CSR to your CA such as Verisign, GoDaddy, Network Solutions, etc. and wait for them to validate and issue your cert.
3. Get the .crt from the CA once they issue it and convert it to .cer. Just open the .crt by double clicking on it and save it as .cer using the export wizard. This is necessary since IIS does not accept .crt.
4. Install the .cer in IIS using the Web Server Certificate Wizard where you originally generated the CSR. Just process the pending request to install it.
5. View the cert in IIS and export it with the private key in pkcs12 (.pfx) format. Just set the password as “password” since you will be deleting it after conversion is complete later.
6. Go to the directory where OpenSSL.exe is and type in the following to convert the .pfx to a .pem
openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem
7. Type the “password” when prompted for the pass phrase.
8. Install the .pem on the appliance and it should work.
IMPORTANT NOTE:
If you are doing it for some appliances like a Cisco IronPort, you need to add the -nodes switch when creating the .pem:
openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem -nodes
The -nodes switch ensures that the key inside the .pem is left unencrypted. If you attempt to install a .pem created without the -nodes switch, the appliance will take the cert but will not accept the private key since it cannot read it in an encrypted state.
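The following script is an added example, not part of the original post, that reproduces steps 6 and 7 and the -nodes note end to end with OpenSSL alone. Because the CA-issued certificate and the IIS export are not available offline, it generates a throwaway self-signed key and certificate and bundles them into a .pfx with the export password "password" as the post suggests; the file names (demo.pfx, demo.pem, demo-enc.pem), the CN wireless.example.com and the working directory are assumptions for the demonstration. It then converts the .pfx both ways and checks what each .pem actually contains, so you can confirm before uploading whether the key is encrypted and whether it pairs with the certificate.

```shell
#!/bin/sh
# Added example (not the post's own commands): .pfx -> .pem with and without
# -nodes, plus checks on the result. All file names and the CN are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the IIS export: a self-signed key+cert packed into PKCS#12
# with the export password "password" (the value the post uses).
make_pfx() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=wireless.example.com" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/demo.key" -in "$WORK/demo.crt" \
        -out "$WORK/demo.pfx" -passout pass:password
}

# Step 6/7 as written in the post: without -nodes, OpenSSL re-encrypts the
# private key and asks for a new PEM pass phrase (supplied here via -passout
# instead of the interactive prompt).
pfx_to_pem_encrypted() {
    openssl pkcs12 -in "$WORK/demo.pfx" -out "$WORK/demo-enc.pem" \
        -passin pass:password -passout pass:keyphrase
}

# The IronPort variant: -nodes writes the private key unencrypted.
pfx_to_pem_nodes() {
    openssl pkcs12 -in "$WORK/demo.pfx" -out "$WORK/demo.pem" -nodes \
        -passin pass:password
}

# Is the key in this .pem encrypted? An encrypted PKCS#8 key is written under
# a "BEGIN ENCRYPTED PRIVATE KEY" header; an unencrypted one is not.
key_state() {
    if grep -q "ENCRYPTED" "$1"; then echo encrypted; else echo unencrypted; fi
}

# Subject CN of the certificate inside the .pem (handles "CN = x" and "CN=x").
pem_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Does the unencrypted key in this .pem belong to the certificate in it?
# Both sides are rendered as a SubjectPublicKeyInfo and compared.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

main() {
    make_pfx
    pfx_to_pem_encrypted
    pfx_to_pem_nodes
    echo "without -nodes: $(key_state "$WORK/demo-enc.pem")"
    echo "with -nodes:    $(key_state "$WORK/demo.pem")"
    echo "cert CN:        $(pem_cn "$WORK/demo.pem")"
    echo "key vs cert:    $(key_matches_cert "$WORK/demo.pem")"
}

main
```

On Windows the same openssl invocations run from the directory holding openssl.exe, as in step 6. The -nodes output holds the private key in the clear, so treat demo.pem and the .pfx the way the post treats the export password: remove them from the workstation once the appliance has accepted the upload.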
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
robert langdon
February 4, 2010 at 8:15 AM
Hello all,
I get the following results when I execute a curl command attempting to
access a secure site:
D:\cURL\ssl>curl -v --cacert mycert.pem -o test.txt
“https://mydomain.mycompany.com/DWNLD.asp?id=128”
* About to connect() to mydomain.mycompany.com:443
* Connected to mydomain.mycompany.com (vvv.xxx.yyy.zzz) port 443
* SSL: error:00000000:lib(0):func(0):reason(0)
* Closing connection #0
curl: (35) SSL: error:00000000:lib(0):func(0):reason(0)
D:\cURL\ssl>
I am using curl-7.10.3 ssl version under Win32.
Here is how I generate mycert.pem from SSL certificate of web site
https://mydomain.mycompany.com:
(a) Open up https://mydomain.mycompany.com using MSIE 5.5
(b) Double click on the lock sign on MSIE status bar
(c) Click on Details tab
(d) Click on “Copy to File” button
(e) Click on Next on Certificate Export Wizard window
(f) Select “Base-64 encoded X.509 (.CER)” and then click on Next
(g) Enter d:\mycert.cer into file name input area
(h) Press Finish button to complete exporting certificate
(i) and finally use openssl to generate mycert.pem file
openssl x509 -in mycert.cer -outform PEM -out mycert.pem
What am I doing wrong here? Can anybody tell me how to get .pem file
from IIS or the secure site itself?
By the way, when I turn off cURL’s certificate verification
(by using -k option instead of --cacert), the above cURL command
runs with no errors.
Thanks a lot,
Clement
September 15, 2015 at 4:10 AM
Hello,
What's the best way to convert .pem files from a Cisco ACE appliance to a usable .pem format for Netscaler 10.5.
I keep running into “Not a server certificate” error on the Netscaler while binding the certificate (created using the .pem file) to an SSL service.
Thanks
Clement