How to create a .pem file for SSL Certificate Installations

  • 7013103
  • 26-Aug-2013
  • 14-Jun-2019

Environment

SUSE Linux Enterprise Server

Situation

How to create a .pem file for SSL Certificate Installations

Resolution

Privacy Enhanced Mail (PEM) files are concatenated certificate containers frequently used in certificate installations when multiple certificates that form a complete chain are being imported as a single file. They are a defined standard in RFCs 1421 through 1424. They can be thought of as a layered container of chained certificates. A .pem file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates):

  • Private Key
  • Server Certificate (crt, puplic key)
  • (optional) Intermediate CA and/or bundles if signed by a 3rd party

How to create a self-signed PEM file

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

How to create a PEM file from existing certificate files that form a chain

  • (optional) Remove the password from the Private Key by following the steps listed below:
    openssl rsa -in server.key -out nopassword.key
    Note: Enter the pass phrase of the Private Key.

  • Combine the private key, public certificate and any 3rd party intermediate certificate files:
    cat nopassword.key > server.pem
    cat server.crt >> server.pem
    Note: Repeat this step as needed for third-party certificate chain files, bundles, etc:
    cat intermediate.crt >> server.pem

Additional Information

How to create a PEM file with the help of an automated script:
  • Download NetIQ Cool Tool OpenSSL-Toolkit.
  • Select Create Certificates | PEM with key and entire trust chain
  • Provide the full path to the directory containing the certificate files.
  • Provide the filenames of the following:
    • private key
    • public key (server crt)
    • (conditional) password for private key
    • (conditional) any intermediate certificate chain file(s)

For additional information, please see TID 7015502 - Common Mistakes in SSL Certificate Management & Implementation.

The following details the structure of a typical .pem file (including the entire certificate chain):
-----BEGIN RSA PRIVATE KEY----- 
(Private Key: domain_name.key contents)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: domain_name.crt contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: certChainCA.crt contents)
-----END CERTIFICATE----