This document explains how to convert a TLS certificate and its associated private key to the PEM or PFX (PKCS #12) format.
Apigee Edge supports storing only PEM or PFX format certificates in keystores and truststores. The steps used to convert certificates from any existing format to PEM or PFX rely on the OpenSSL toolkit and apply in any environment where OpenSSL is available.
Before you begin
Before you use the steps in this document, be sure you understand the following topics:
- If you aren’t familiar with the PEM or PFX format, read About TLS/SSL.
- If you aren’t familiar with certificate formats, read SSL Certificate formats.
- If you aren’t familiar with the OpenSSL library, read OpenSSL.
- If you want to use the command-line examples in this guide, install or update to the latest version of the OpenSSL client.
Converting certificate from DER format to PEM format
This section describes how to convert a certificate and associated private key from the DER format to the PEM format.
- Transfer the file containing the complete certificate chain (certificate.der) and the associated private key (private_key.der) that you want to convert to PEM format to a machine where OpenSSL is installed, using scp, sftp, or any other utility.
  For example, use the scp command to transfer the files to the /tmp directory on the server containing OpenSSL as follows:
      scp certificate.der servername:/tmp
      scp private_key.der servername:/tmp
  Where servername is the name of the server containing OpenSSL.
- Log in to the machine where OpenSSL is installed.
- From the directory where the certificates are located, run the following commands to convert the certificate and associated private key from DER format to PEM format:
      openssl x509 -inform DER -in certificate.der -outform PEM -out certificate.pem
      openssl rsa -inform DER -in private_key.der -outform PEM -out private.key
- Verify that the certificate is converted to PEM format.
Converting certificate from P7B format to PEM format
This section describes how to convert certificates from the P7B format to the PEM format.
- Transfer the file containing the complete certificate chain (certificate.p7b) that you want to convert to PEM format to a machine where OpenSSL is installed, using scp, sftp, or any other utility.
  For example, use the scp command to transfer the file to the /tmp directory on the server containing OpenSSL as follows:
      scp certificate.p7b servername:/tmp
  Where servername is the name of the server containing OpenSSL.
- Log in to the machine where OpenSSL is installed.
- From the directory where the certificates are located, run the following command to convert the certificate from P7B format to PEM format:
      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
- Verify that the certificate is converted to PEM format.
Converting certificate from PFX format to PEM format
This section describes how to convert TLS certificates from the PFX format to the PEM format.
When converting a PFX file to PEM format, OpenSSL puts all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to individual text files and save them as certificate.pfx, Intermediate.pfx (if applicable), CACert.pfx, and privateKey.key respectively.
Apigee does support the PFX/PKCS #12 format; however, the PEM format is convenient for many reasons including validation.
- Transfer the certificates and private key (certificate.pfx, Intermediate.pfx, CACert.pfx, privateKey.key) that you want to convert to PEM format to a machine where OpenSSL is installed, using scp, sftp, or any other utility.
  For example, use the scp command to transfer the file to the /tmp directory on the server containing OpenSSL as follows:
      scp certificate.pfx servername:/tmp
  Where servername is the name of the server containing OpenSSL.
- Log in to the machine where OpenSSL is installed.
- From the directory where the certificates are located, run the following command to convert the certificate from PFX format to PEM format:
      openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
- Verify that the certificate is converted to PEM format.
Converting certificate from P7B format to PFX format
This section describes how to convert TLS certificates from the P7B format to the PFX format.
To convert to the PFX format, you need to get the private key as well.
- Transfer the certificate (certificate.p7b) that you want to convert to PFX to a machine where OpenSSL is installed, using scp, sftp, or any other utility.
  For example, use the scp command to transfer the files to the /tmp directory on the server containing OpenSSL as follows:
      scp certificate.p7b servername:/tmp
      scp private_key.key servername:/tmp
  Where servername is the name of the server containing OpenSSL.
- Log in to the machine where OpenSSL is installed.
- From the directory where the certificates are located, run the following commands to convert the certificate from P7B to PFX format and export the entity and Intermediate CA certificates into separate files:
      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
      openssl pkcs12 -export -in certificate.cer -inkey private_key.key -out certificate.pfx -certfile CACert.cer
Verifying certificate is in PEM format
This section describes how to verify that the certificate is in PEM format.
- To view the certificate that is in PEM format, run the following command:
      openssl x509 -in certificate.pem -text -noout
- If you are able to view the contents of the certificate in a human-readable format without any errors, then you can confirm that the certificate is in PEM format.
- If the certificate is in any other format, then you will see errors like the following:
      unable to load certificate
      12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
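A scripted form of this check, as an added example that is not part of the Apigee documentation: cert_format tries each OpenSSL decoder with an explicit -inform and reports which one accepts the file, relying on exit codes rather than on the wording of the error. The function names and the sample files (a throwaway self-signed certificate built on the spot) are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Apigee docs): classify a certificate file by
# which OpenSSL decoder accepts it. Exit codes are used instead of matching
# "no start line"-style messages, which differ between OpenSSL versions.

cert_format() {  # file
    local f=$1
    if openssl x509 -inform PEM -in "$f" -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
        echo DER
    elif openssl pkcs7 -inform PEM -in "$f" -noout 2>/dev/null ||
         openssl pkcs7 -inform DER -in "$f" -noout 2>/dev/null; then
        echo P7B
    else
        echo UNKNOWN
    fi
}

# Constructed sample files: one throwaway self-signed certificate in PEM,
# the same certificate as DER and as P7B, and a file that is not a cert.
make_samples() {  # dir
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
        -keyout "$d/private.key" -out "$d/certificate.pem" 2>/dev/null
    openssl x509 -in "$d/certificate.pem" -outform DER -out "$d/certificate.der"
    openssl crl2pkcs7 -nocrl -certfile "$d/certificate.pem" -out "$d/certificate.p7b"
    echo "not a certificate" > "$d/notes.txt"
}

workdir=$(mktemp -d)
make_samples "$workdir"
for f in certificate.pem certificate.der certificate.p7b notes.txt; do
    printf '%-16s %s\n' "$f" "$(cert_format "$workdir/$f")"
done
rm -rf "$workdir"
```

A PEM private key also classifies as UNKNOWN, which catches the case where the key file is uploaded in place of the certificate.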
Packaging PEM key and certificate files into PKCS12/PFX
- Ensure the private key file is in PEM format. For the certificate, if you have separate PEM files for your chain, open each file in a text editor and concatenate them into a single file as shown below:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
- Transfer the files to a machine where OpenSSL is installed using scp, sftp, or any other utility:
      scp certificate.pem servername:/tmp
      scp private.key servername:/tmp
- Log in to the machine where OpenSSL is installed.
- From the directory where the files are located, run the following command to package the files into a PKCS12 file with alias myalias. When prompted, enter an appropriate password:
      openssl pkcs12 -export -in certificate.pem -inkey private.key -out keystore.pfx -name myalias
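The packaging step above and the PFX to PEM conversion earlier on this page, run as one round trip; this is an added example, not part of the Apigee documentation. It goes beyond the text-editor approach by letting OpenSSL split the PFX into separate files, then checks that the extracted key matches the leaf certificate. The function names, the PFX_PASS variable, the output names leaf.pem, ca.pem and extracted.key, and the throwaway CA and leaf are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Apigee docs). Input file names follow the page;
# PFX_PASS and the function names are assumptions made for this sketch.

# Constructed sample: throwaway CA, leaf key and leaf cert, chained leaf-first.
make_chain() {  # dir
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
          -keyout ca.key -out ca.crt 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.invalid" \
          -keyout private.key -out leaf.csr 2>/dev/null &&
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 1 -out leaf.crt 2>/dev/null &&
      cat leaf.crt ca.crt > certificate.pem )
}

# Package key and chain; the password comes from the environment, not argv.
pack_pfx() {  # dir
    ( cd "$1" && openssl pkcs12 -export -in certificate.pem -inkey private.key \
          -out keystore.pfx -name myalias -passout env:PFX_PASS )
}

# Split the PFX without a text editor. -nodes leaves the key unencrypted,
# so umask 077 makes every file written here owner-only.
split_pfx() {  # dir
    ( cd "$1" && umask 077 &&
      openssl pkcs12 -in keystore.pfx -passin env:PFX_PASS -clcerts -nokeys -out leaf.pem &&
      openssl pkcs12 -in keystore.pfx -passin env:PFX_PASS -cacerts -nokeys -out ca.pem &&
      openssl pkcs12 -in keystore.pfx -passin env:PFX_PASS -nocerts -nodes -out extracted.key )
}

# True only when the private key and the certificate carry the same public key.
key_matches_cert() {  # keyfile certfile
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

export PFX_PASS='constructed-demo-password'  # sample value only
work=$(mktemp -d)
make_chain "$work" && pack_pfx "$work" && split_pfx "$work" &&
    key_matches_cert "$work/extracted.key" "$work/leaf.pem" &&
    echo "extracted key matches leaf certificate"
rm -rf "$work"
```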