Using my CA Signed Certificate?
Environment
- Red Hat Enterprise Linux
Issue
- I have just issued a Certificate Signing Request and sent it to my CA, but do not know what to do with the files they have provided.
Resolution
What to do with the certificates depends on two things:
- What Web-server or Service are you trying to configure?
- What did the CA provide you?
The Red Hat Knowledge Base has several articles on how to set up a web server or service with SSL/TLS. Those articles explain what you need to configure SSL/TLS (https) for each product, including the format the certificates must be in, so the server-side setup itself is not covered here.
Examples of these articles include:
- How do I configure Apache to use SSL
- How do I set up Tomcat to use SSL
- How do I set up JBoss to use SSL
Depending on what the CA provided, the articles above may require you to convert your certificates to a different format before setup and configuration can be completed. Generally a CA will provide you with one or more files that together contain anywhere from one to many certificates. The important thing to remember is that the CA is sending you two items:
- Your SSL certificate (often referred to as the server certificate)
- Your certificate chain (often referred to as the CA chain)
  - This can be one certificate or many, and it can arrive as one file or many.
  - Typically it is made up of two certificates: the root CA certificate and the intermediate CA certificate.
The most typical forms in which a CA provides these fall into the following categories:
- PEM or DER files
  - PEM files are Base64-encoded text wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers; DER files are the same certificate in its raw binary (ASN.1) encoding. In either case one file generally holds one certificate.
  - Typically in this case you will receive three files (server certificate, root CA certificate, intermediate CA certificate).
- Certificate bundle
  - A certificate bundle is simply a single PEM file that holds multiple certificates, listed one after another.
  - In this case you will receive one or two files (the server certificate, and a certificate chain containing your root CA certificate and your intermediate CA certificate).
- Certificate store
  - In this case you will almost always receive a single file that contains all of your certificates, internally separated into what are known as keys and trusts.
  - Keys are the private key and certificate(s) that you present to an SSL/TLS peer.
  - Trusts are the CA certificates you use to verify the identity of a certificate presented to you.
  - The two primary file types in this case are PKCS#7 (.p7b) and PKCS#12 (.p12), the latter also called a PFX (.pfx) file. Note that a PKCS#7 file carries only certificates; only a PKCS#12 file can also carry the private key.
  - Note: file extensions vary and do not determine what is actually in the file.
So long as your CA has provided you with PEM/DER files or a certificate bundle, there should be no need to convert what was provided.
- Note: if you are using a Java application or service this may not be the case. See How to build Certificates for use with Java applications for the proper process for issuing a CSR and importing the certificate (PEM/DER) files into the keystore.
If your CA provided you with a certificate store (a PKCS#7 or PKCS#12 file), you can extract and convert the certificates within it using the appropriate openssl commands (openssl pkcs7 and openssl pkcs12), as shown in the Diagnostic Steps below.
Diagnostic Steps
- See the contents of a PKCS#7 file (add -inform DER if the file is binary rather than PEM).
# openssl pkcs7 -in file.pem -print_certs -text -noout
- Export all of your certificates from a PKCS#7 file to a certificate bundle.
  - From this you can copy and paste your certificates into a chain or bundle as you need. When assembling a chain for a server, put the server certificate first, then the intermediate CA certificate, then the root CA certificate.
# openssl pkcs7 -in file.pem -print_certs -out certs.pem
- Convert your PKCS#7 file into a PKCS#12 file.
  - Note: privateKey.key is the private key created when the Certificate Signing Request was generated; a PKCS#7 file never contains it, so you must still have it. Add -inform DER to the first command if the .p7b file is binary.
  - Note: certificate.cer will contain every certificate from the PKCS#7 file. openssl pkcs12 -export uses the one that matches the private key as the server certificate and includes the others as CA certificates, so -certfile CACert.cer is only needed for chain certificates that were not in the PKCS#7 file. You will be prompted for an export password.
# openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
# openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.p12 -certfile CACert.cer
- See the contents of a PKCS#12 file (you will be prompted for the import password; -noout keeps the private key from being written to the terminal).
# openssl pkcs12 -in file.p12 -info -noout
- Convert or export your own (end-entity) certificate, which openssl calls the client certificate, from a PKCS#12 file. Without -nokeys the private key is written to the output file as well; use -nocerts -nodes instead to export only the private key.
# openssl pkcs12 -in file.p12 -clcerts -nokeys -out file.pem
- Convert or export your CA chain of certificates from a PKCS#12 file to a certificate bundle.
# openssl pkcs12 -in file.p12 -cacerts -nokeys -out ca_bundle.pem
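The steps above worked end to end, as an added example that is not part of the original Red Hat article: the script builds a throwaway root CA, intermediate CA and server certificate, packages them the ways a CA might deliver them (separate PEM files, a PEM chain bundle, a DER PKCS#7 store and a PKCS#12 store), then runs the format-identification, extraction and conversion commands from the Diagnostic Steps. It goes slightly beyond the article by also verifying that the server certificate chains to the root (openssl verify) and that the private key kept from CSR time really matches the certificate the CA returned, which is the check most worth running before touching a web server. It assumes only that the openssl command-line tool (1.1.1 or 3.x) is on PATH; every file name, subject name and the export password "changeit" are constructed here.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Constructs a test PKI in a
# temporary directory and runs the diagnostic/conversion steps against it.
# Assumption: the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu

WORK=$(mktemp -d)
PASS=changeit   # constructed PKCS#12 export/import password

# Minimal openssl config: one section for CA certs, one for the server cert.
cat >"$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
subjectAltName       = DNS:www.example.com
EOF

sign_cert() { # csr ca_cert ca_key out_cert ext_section
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 \
        -extfile "$WORK/pki.cnf" -extensions "$5" -out "$4" 2>/dev/null
}

# Root CA -> intermediate CA -> server cert, then the delivery formats.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Example Root CA" -days 1 -config "$WORK/pki.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Example Intermediate CA" -config "$WORK/pki.cnf" 2>/dev/null
    sign_cert "$WORK/inter.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/inter.crt" v3_ca
    # server.key is the "privateKey.key" of the article: made with the CSR, never sent by the CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=www.example.com" -config "$WORK/pki.cnf" 2>/dev/null
    sign_cert "$WORK/server.csr" "$WORK/inter.crt" "$WORK/inter.key" "$WORK/server.crt" v3_server
    cat "$WORK/inter.crt" "$WORK/root.crt" >"$WORK/chain.pem"          # PEM chain bundle
    openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -certfile "$WORK/chain.pem" \
        -outform DER -out "$WORK/bundle.p7b"                             # DER PKCS#7 store (certs only)
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -certfile "$WORK/chain.pem" -passout "pass:$PASS" -out "$WORK/server.p12"   # PKCS#12 store (key + certs)
}

detect_format() { # file -> PEM, DER or UNKNOWN
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo DER     # DER cert, PKCS#7 and PKCS#12 all begin with an ASN.1 SEQUENCE (0x30)
    else
        echo UNKNOWN
    fi
}

count_certs() { # number of certificates in a PEM file or bundle (0 for binary files)
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

p7b_to_bundle() { # p7b_file out_pem   (drop -inform DER for a PEM-encoded PKCS#7)
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

p12_unpack() { # p12_file out_prefix -> <prefix>.crt, <prefix>-chain.pem, <prefix>.key
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys -out "$2.crt"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -cacerts -nokeys -out "$2-chain.pem"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes -out "$2.key"
}

key_matches_cert() { # key cert: succeeds only if both carry the same public key
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

verify_chain() { # root intermediate server
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

run_demo() {
    make_test_pki
    p7b_to_bundle "$WORK/bundle.p7b" "$WORK/from_p7b.pem"
    p12_unpack "$WORK/server.p12" "$WORK/unpacked"
    for f in server.crt chain.pem bundle.p7b server.p12 from_p7b.pem unpacked.crt unpacked-chain.pem; do
        printf '%-20s %-8s %s certificate(s)\n' "$f" "$(detect_format "$WORK/$f")" "$(count_certs "$WORK/$f")"
    done
    verify_chain "$WORK/root.crt" "$WORK/inter.crt" "$WORK/server.crt"
    echo "server.crt chains to root.crt via inter.crt"
    key_matches_cert "$WORK/server.key" "$WORK/server.crt"
    echo "server.key matches server.crt"
    key_matches_cert "$WORK/unpacked.key" "$WORK/unpacked.crt"
    echo "key and certificate recovered from server.p12 match"
}
run_demo
```

Running it prints one line per file showing whether it is PEM or DER and how many certificates it holds (the PKCS#7 store yields three after -print_certs, the PKCS#12 store one end-entity certificate plus a two-certificate chain), followed by the chain and key-match confirmations. The key_matches_cert check compares public keys rather than RSA moduli, so it works unchanged for EC keys; if it fails on a real deployment, the certificate the CA returned was issued for a different CSR than the key you kept.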
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.