Google is committed to advancing racial equity for Black communities. See how.

Converting certificates to supported format

This document explains how to convert the TLS certificate and associated Private key to the PEM or the PFX (PKCS #12) formats.

Apigee Edge supports storing only PEM or PFX format certificates in keystores and truststores. The steps used to convert certificates from any existing format to PEM or PFX formats rely on the OpenSSL toolkit, and are applicable on any environment where OpenSSL is available.

Before you begin

Before you use the steps in this document, be sure you understand the following topics:

  • If you aren’t familiar with the PEM or PFX format, read About TLS/SSL.
  • If you aren’t familiar with certificate formats, read SSL Certificate formats.
  • If you aren’t familiar with the OpenSSL library, read OpenSSL.
  • If you want to use the command-line examples in this guide, install or update to the latest version of the OpenSSL client.

Converting certificate from DER format to PEM format

This section describes how to convert a certificate and associated private key from the DER format to the PEM format.

  1. Transfer the file containing the complete certificate chain (certificate.der) and associated private key (private_key.der) that you want to convert to PEM format to a machine where OpenSSL is installed using scp, sftp or any other utility.

    For example, use the scp command to transfer the file to the /tmp directory on the server containing OpenSSL as follows:

    scp certificate.der servername:/tmp
    scp private_key.der servername:/tmp
    

    Where servername is the name of the server containing OpenSSL.

  2. Login to the machine where OpenSSL is installed.
  3. From the directory where the certificates are located, run the following command to convert the certificate and associated private key from DER format to PEM format:
    openssl x509 -inform DER -in certificate.der -outform PEM -out certificate.pem
    openssl rsa -inform DER -in private_key.der -outform PEM -out private.key
    
  4. Verify that the certificate is converted to PEM format.

Converting certificate from P7B format to PEM format

This section describes how to convert certificates from the P7B format to the PEM format.

  1. Transfer the file containing the complete certificate chain (certificate.p7b) that you want to convert to PEM format to a machine where OpenSSL is installed using scp, sftp or any other utility.

    For example, use the scp command to transfer the file to the /tmp directory on the server containing OpenSSL as follows:

    scp certificate.p7b servername:/tmp
    

    Where servername is the name of the server containing OpenSSL.

  2. Login to the machine where OpenSSL is installed.
  3. From the directory where the certificates are located, run the following command to convert the certificate from P7B format to PEM format:
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
    
  4. Verify that the certificate is converted to PEM format.

Converting certificate from PFX format to PEM format

This section describes how to convert TLS certificates from the PFX format to the PEM format.

When converting a PFX file to PEM format, OpenSSL puts all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to individual text files and save them as certificate.pfx, Intermediate.pfx (if applicable), CACert.pfx, and privateKey.key respectively.

Apigee does support the PFX/PKCS #12 format; however, the PEM format is convenient for many reasons including validation.

  1. Transfer the certificates and private key (certificate.pfx, Intermediate.pfx CACert.pfx, privateKey.key) that you want to convert to PEM format to a machine where OpenSSL is installed using scp, sftp or any other utility.

    For example, use the scp command to transfer the file to the /tmp directory on the server containing OpenSSL as follows:

    scp certificate.pfx servername:/tmp
    

    Where servername is the name of the server containing OpenSSL.

  2. Login to the machine where OpenSSL is installed.
  3. From the directory where the certificates are located, run the following command to convert the certificate from P7B format to PEM format:
    openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
    
  4. Verify that the certificate is converted to PEM format.

Converting certificate from P7B format to PFX format

This section describes how to convert TLS certificates from the P7B format to the PFX format.

To convert to the PFX format, you need to get the private key as well.

  1. Transfer the certificate (certificate.p7b) that you want to convert to PFX to a machine where OpenSSL is installed using scp, sftp or any other utility.

    For example, use the scp command to transfer the file to the /tmp directory on the server containing OpenSSL as follows:

    scp certificate.p7b servername:/tmp
    scp private_key.key servername:/tmp
    

    Where servername is the name of the server containing OpenSSL.

  2. Login to the machine where OpenSSL is installed.
  3. From the directory where the certificates are located, run the following commands to convert the certificate from P7B to PFX format and export the entity and Intermediate CA certificates into separate files:
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
    
    openssl pkcs12 -export -in certificate.cer -inkey private_key.key -out certificate.pfx -certfile CACert.cer
    

Verifying certificate is in PEM format

This section describes how to verify that the certificate is in PEM format.

  1. To view the certificate that is in PEM format, run the following command:
    openssl x509 -in certificate.pem -text -noout
    
  2. If you are able to view the contents of the certificate in a human-readable format without any errors, then you can confirm that the certificate is in PEM format.
  3. If the certificate is in any other format, then you will see errors like the following:
    unable to load certificate
    12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE View DER encoded Certificate