Generating a PEM file
A PEM file must consist of a private key, a CA server certificate, and additional certificates that make up the trust chain. The trust chain must contain a root certificate and, if needed, intermediate certificates.
You may need to create a PEM file by converting different key and certificate files into separate PEM files, and then concatenating these files into a single PEM file. In some cases, you may need to first convert key and certificate files into a PKCS12 file and then convert the PKCS12 file into a PEM file. The resulting PEM file should include the private key and required certificates, as shown in PEM file format.
The following sections describe a number of ways to convert key and certificate files, using OpenSSL or the Java keytool as appropriate.
* Converting a PKCS12 (pfx) file to a PEM file
* Converting a Java jks keystore file to a PKCS12 file
* Converting PKCS7 (p7b) file certificates to PEM file certificates
* Converting PKCS7 file certificates to PKCS12 file certificates and adding the private key to the PKCS12 file
* Converting DER certificates to PEM file certificates
* Creating a PEM file from a private key and Base64 encoded certificates

Converting a PKCS12 (pfx) file to a PEM file

1. Use the following OpenSSL command to determine whether the private key is password protected.
openssl pkcs12 -info -in target.pfx
a. If the key is password protected, you will be prompted for a password. Proceed to Step 2.
b. If the key is not password protected, then information on the PKCS12 file, such as file structure and algorithms used, is provided. Proceed to Step 5.
2. Enter the password when prompted. Information on the PKCS12 file, such as file structure and algorithms used, is provided.
3. Use the following OpenSSL command to extract the private key from the PKCS12 file.
openssl pkcs12 -in target.pfx -nocerts -out ppkey.pem
4. Remove the passphrase from the private key. Then, skip to Step 6.
openssl rsa -in ppkey.pem -out privatekey.pem
5. Use the following OpenSSL command to extract the private key from the PKCS12 file.
openssl pkcs12 -in target.pfx -nocerts -nodes -out privatekey.pem
6. Extract the root certificates from the PKCS12 file.
openssl pkcs12 -in rootcert.pfx -cacerts -nodes -nokeys > rootcert.pem
7. Extract server certificates from the PKCS12 file.
openssl pkcs12 -in servercert.pfx -clcerts -nodes -nokeys > servercert.pem
8. Concatenate the certificates and private key in a single PEM file. In this example, the Linux/UNIX cat command is used to concatenate root certificate, server certificate, and private key.
cat rootcert.pem servercert.pem privatekey.pem > server.bundle.pem
9. Confirm that the PEM file has the private key and the required certificates as described in PEM file format.
The resulting server.bundle.pem file should be specified during the installation of the Hybrid Data Pipeline server.

Converting a Java jks keystore file to a PKCS12 file

A Java jks keystore file must first be converted to a PKCS12 file. The PKCS12 file can then be converted to a PEM file.
1. Use the following Java keytool command to convert the jks file into a pfx file.
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore target.pfx
2. Enter the keystore password and keystore file alias when prompted.
3. Use the resulting target.pfx file to create a PEM file by following the instructions in Converting a PKCS12 (pfx) file to a PEM file.

Converting PKCS7 (p7b) file certificates to PEM file certificates

These instructions assume that the private key is already available as a PEM file.
1. Use the following OpenSSL command to convert PKCS7 file certificates to PEM file certificates.
openssl pkcs7 -print_certs -in certificates.p7b -out certificates.pem
2. Concatenate the certificate and private key files. In this example, the Linux/UNIX cat command is used.
cat certificates.pem privatekey.pem > server.bundle.pem
3. Confirm that the resulting PEM file has the private key and the required certificates as described in PEM file format.
The resulting server.bundle.pem file should be specified during the installation of the Hybrid Data Pipeline server.

Converting PKCS7 file certificates to PKCS12 file certificates and adding the private key to the PKCS12 file

After the certificate and private key files have been converted to the PKCS12 format, the PKCS12 file can then be converted to a PEM file.
1. Use the following OpenSSL command to convert a PKCS7 file to a PKCS12 file.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
2. Use the following command to add the private key to the PKCS12 file.
openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out target.pfx -certfile CACert.cer
3. Use the resulting target.pfx file to create a PEM file by following the instructions in Converting a PKCS12 (pfx) file to a PEM file.

Converting DER certificates to PEM file certificates

The DER extension is used for binary DER files. These files may also use the CER and CRT extensions.
These instructions assume that the private key is already available as a PEM file.
1. Use the following OpenSSL command to convert DER certificates to PEM file certificates.
openssl x509 -inform der -in certificates.cer -out certificates.pem
2. Concatenate the certificate and private key files. In this example, the Linux/UNIX cat command is used.
cat certificates.pem privatekey.pem > server.bundle.pem
3. Confirm that the PEM file has the private key and the required certificates as described in PEM file format.
The resulting server.bundle.pem file should be specified during the installation of the Hybrid Data Pipeline server.

Creating a PEM file from a private key and Base64 encoded certificates

PEM files use Base64 encoding. Therefore, no conversion process is required. However, the Base64 encoded certificates and the private key must be concatenated in a single PEM file.
These instructions assume that the private key is already available as a PEM file.
1. Concatenate the certificate and private key files. In this example, the Linux/UNIX cat command is used.
cat Base64rootcert.pem Base64servercert.pem privatekey.pem > server.bundle.pem
2. Confirm that the PEM file has the private key and the required certificates as described in PEM file format.
The resulting server.bundle.pem file should be specified during the installation of the Hybrid Data Pipeline server.
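
The confirmation step that closes each procedure above can be scripted: the following checks that a bundle holds exactly one unencrypted private key, that one certificate matches that key, and that this certificate chains to a root inside the bundle. This is an added example, not part of the product documentation; check_bundle and make_demo_bundle are hypothetical helper names, and the demo certificates are constructed throwaway values.

```shell
# Added example, not from the product documentation. Helper names and the
# throwaway demo certificates are constructed for illustration.
check_bundle() {  # usage: check_bundle FILE; returns 0 if the bundle is usable
    b=$1; rc=0; leaf=; t=$(mktemp -d) || return 2
    nkeys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$b" || true)
    [ "$nkeys" -eq 1 ] || { echo "FAIL: expected 1 private key, found $nkeys"; rc=1; }
    # An encrypted key block means the passphrase was never removed.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$b"; then
        echo "FAIL: private key is still passphrase protected"; rc=1
    fi
    # Split the certificates into cert1.pem, cert2.pem, ... and isolate the key.
    awk -v d="$t" '/-----BEGIN CERTIFICATE-----/ {n++; on=1}
        on {print > (d "/cert" n ".pem")}
        /-----END CERTIFICATE-----/ {on=0}' "$b"
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$b" > "$t/key.pem"
    if [ "$rc" -eq 0 ]; then
        keypub=$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null)
        for c in "$t"/cert*.pem; do
            [ -f "$c" ] || continue
            # The server certificate is the one whose public key matches the key.
            if [ -n "$keypub" ] && [ "$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)" = "$keypub" ]; then
                leaf=$c
            else
                cat "$c" >> "$t/ca.pem"
            fi
        done
        if [ -z "$leaf" ]; then echo "FAIL: no certificate matches the private key"; rc=1
        elif ! openssl verify -CAfile "$t/ca.pem" "$leaf" >/dev/null 2>&1; then
            echo "FAIL: server certificate does not chain to a root in the bundle"; rc=1
        fi
    fi
    rm -rf "$t"
    [ "$rc" -ne 0 ] || echo "OK: $b"
    return "$rc"
}

make_demo_bundle() {  # usage: make_demo_bundle DIR; writes DIR/server.bundle.pem
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
        -keyout "$d/rootkey.pem" -out "$d/rootcert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$d/privatekey.pem" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/rootcert.pem" -CAkey "$d/rootkey.pem" \
        -CAcreateserial -days 2 -out "$d/servercert.pem" 2>/dev/null &&
    cat "$d/rootcert.pem" "$d/servercert.pem" "$d/privatekey.pem" > "$d/server.bundle.pem"
}
demo=$(mktemp -d) && make_demo_bundle "$demo" && check_bundle "$demo/server.bundle.pem"
rm -rf "$demo"
```

Run check_bundle against the real server.bundle.pem before supplying it to the installer; a non-zero exit status means one of the checks failed.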