Certificate configuration

Last updated: 2021-05-26 16:59:48

Certificate format requirements

  • You must apply for a certificate in the PEM format used on Linux.

  • A certificate file issued by a root certificate authority (CA) contains a single certificate. You only need to upload the certificate to SLB. The website that is configured with the certificate will be regarded as a trusted website and does not require additional certificates.

  • A certificate file issued by an intermediate CA contains multiple certificates. One certificate is the server certificate and the others are the intermediate certificates. You must concatenate the certificates as required and then upload the result to SLB.

  • If your certificate file contains a certificate chain, you must convert the certificate chain content to the PEM format before you concatenate certificates.

  • To concatenate certificates, put the server certificate first and then put the intermediate certificates. No blank lines are allowed between certificates. Typically, the CA provides usage guidelines when it issues the certificate file. Follow the usage guidelines.

The following content shows the formats and examples of a certificate and certificate chain. Make sure that the formats are correct before you upload certificates.

  1. The following figure shows a sample certificate issued by a root CA, which is in PEM format for Linux.

[Figure: sample PEM certificate issued by a root CA]

Certificates must comply with the following format rules:

  • The first line must be -----BEGIN CERTIFICATE-----. The last line must be -----END CERTIFICATE-----. These two lines must be uploaded together with the certificate content.
  • The last certificate content line can contain up to 64 characters. Each of the other certificate content lines must contain 64 characters.
  2. The following example shows a sample certificate chain that is issued by an intermediate CA:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chains must comply with the following format rules:

  • No blank lines are allowed between certificates.
  • Each certificate must conform to the rules for a certificate issued by a root CA.

Requirements on RSA private key formats

The following figure shows a sample RSA private key.

[Figure: sample RSA private key]

An RSA private key must meet the following format requirements:

  • The first line must be -----BEGIN RSA PRIVATE KEY-----. The last line must be -----END RSA PRIVATE KEY-----. These two lines must be uploaded together with the key content.
  • The last key content line can contain up to 64 characters. Each of the other key content lines must contain 64 characters.

If an RSA private key does not meet the format requirements, run the following command to convert the key:

openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the content of the new_server_key.pem file together with the certificates.
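
The format rules above for certificates, certificate chains and RSA private keys can be checked locally before upload. The following script is an added example, not part of the original documentation or of Kingsoft Cloud tooling; the function name check_pem_format, the file names and the filler content are assumptions constructed for illustration. It checks line structure only and does not parse the certificates, so it cannot confirm that the server certificate comes first.

```shell
#!/bin/sh
# check_pem_format FILE [LABEL]: structural check against the upload rules.
# LABEL defaults to CERTIFICATE; pass "RSA PRIVATE KEY" for a key file.
# Prints each violation and returns non-zero if any was found.
check_pem_format() {
    awk -v label="${2:-CERTIFICATE}" '
    function err(line, msg) { printf "line %d: %s\n", line, msg; bad = 1 }
    BEGIN { b = "-----BEGIN " label "-----"; e = "-----END " label "-----" }
    /\r$/ { err(NR, "carriage return at end of line (CRLF file)"); sub(/\r$/, "") }
    $0 == b {
        if (inside) err(NR, "BEGIN line inside an unterminated block")
        inside = 1; n = 0; next
    }
    $0 == e {
        if (!inside) err(NR, "END line without a BEGIN line")
        else if (n == 0) err(NR, "block has no content")
        else if (prevlen > 64) err(NR - 1, "last content line exceeds 64 characters")
        if (inside) blocks++
        inside = 0; next
    }
    inside {
        if ($0 !~ "^[A-Za-z0-9+/=]+$") err(NR, "blank or non-base64 line inside block")
        if (n > 0 && prevlen != 64) err(NR - 1, "content line is not 64 characters")
        prevlen = length($0); n++; next
    }
    { err(NR, ($0 == "") ? "blank line outside a block" : "text outside BEGIN/END") }
    END {
        if (inside) err(NR, "missing END line")
        if (!blocks) err(NR, "no " label " block found")
        exit bad + 0
    }' "$1"
}

# Constructed filler with the right shape (not a real certificate).
sample_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%064d\n%064d\n' 0 0
    printf '%s\n' 'AAAA' '-----END CERTIFICATE-----'
}

tmp=$(mktemp -d)
{ sample_cert; sample_cert; } > "$tmp/chain.pem"          # server cert, then intermediate
{ sample_cert; echo; sample_cert; } > "$tmp/blank.pem"    # blank line between certificates
check_pem_format "$tmp/chain.pem" && echo "chain.pem: format OK"
check_pem_format "$tmp/blank.pem" || echo "blank.pem: rejected"
```

For a key file, call it as check_pem_format new_server_key.pem "RSA PRIVATE KEY".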

Certificate format conversion to the PEM format

Currently, Kingsoft Cloud SLB supports only certificates in the PEM format. To upload a certificate in a different format, you must convert the format to the PEM format. We recommend that you use the openssl tool to convert the format. The following sections describe format conversion methods for some popular certificate formats:

From the DER format to the PEM format

The DER format is typically used on a Java platform.

Use the following command for certificate format conversion:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Use the following command for private key format conversion:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

From the P7B format to the PEM format

The P7B format is typically used on a Windows server or Tomcat platform.

Use the following command for certificate format conversion:

openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

Obtain and upload the part in the outcertificate.cer file that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate.

No private key exists in this case.

From the PFX format to the PEM format

The PFX format is typically used on a Windows server.

Use the following command for certificate format conversion:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Use the following command for private key format conversion. The -nodes option writes the private key to key.pem unencrypted, so restrict access to that file:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
