Description of Certificate Format
After you configure the HTTPS certificate, you can access the resources through HTTPS to realize HTTPS security acceleration. The HTTPS configuration only supports uploading the certificate and private key content in PEM format. Different certificate issuing authorities have different requirements for uploading the certificate content. This document introduces the certificate formats supported by Baidu Cloud CDN and the method for conversion between different certificate formats. For the specific operation method for applying for a certificate via Baidu AI Cloud, refer to SSL Certificate Service.
A certificate issued by a root CA is unique and is generally provided in Apache, IIS, Nginx, and Tomcat versions. Baidu AI Cloud CDN uses the Nginx version, which contains a file with the .crt suffix (certificate) and a file with the .key suffix (private key). Enter the Nginx folder and use a text editor to open the .crt and .key files.
Certificate PEM Format
- The certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
- Each line has 64 characters, and the last line does not exceed 64 characters.
- The certificate content does not contain any spaces.
- The certificate needs to be within the validity period (certificate start time <= validity period <= certificate expiration time).
The figure shows a certificate example in PEM format:
If the certificate is issued by an intermediate CA authority, the certificate file you get contains multiple certificates, and you need to manually splice the server certificate with the intermediate certificate for uploading.
Certificate chain format issued by intermediate institutions
- Put the server certificate first and the intermediate certificate second, separated by a newline character, with no blank line between them.
- In general, the organizations provide corresponding instructions when they issue the certificate. Please see the Rule Description.
It is shown in the figure below:
The private key extension is generally ".pem" or ".key". Open the private key file in a text editor.
Private key PEM format
- The private key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----.
- The private key cannot be encrypted. That is, the password parameter cannot be added when executing the command to generate the private key.
- The content in the middle includes 64 characters per line, and the last line can have a length of fewer than 64 characters.
The figure shows an example of a private key in PEM format:
If you get a private key starting with "-----BEGIN PRIVATE KEY-----" and ending with "-----END PRIVATE KEY-----", you need to use the OpenSSL tool to execute the following command for conversion, and then upload the content of new_server_key.pem together with the certificate.
openssl rsa -in old_server_key.pem -out new_server_key.pem
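A pre-upload check for the format rules above (marker lines, 64-character body lines, no blank line between chained certificates, an unencrypted RSA PRIVATE KEY block), given as an added example that is not Baidu AI Cloud code. The names lint_pem and fake_pem are hypothetical, the sample PEM bodies are constructed dummy bytes, and the check covers structure only, not the validity period.

```python
import base64
import re

BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def lint_pem(text, expected_label):
    """Check PEM text against the upload rules above; return a list of problems."""
    problems, label, body = [], None, []
    for n, line in enumerate(text.rstrip("\n").split("\n"), 1):
        m = BOUNDARY.fullmatch(line)
        if m and m.group(1) == "BEGIN" and label is None:
            label, body = m.group(2), []
            if label != expected_label:  # e.g. PKCS#8 "PRIVATE KEY" instead of RSA
                problems.append(f"line {n}: {label} block, expected {expected_label}")
        elif m and m.group(1) == "END" and label == m.group(2):
            if not body or any(len(b) != 64 for b in body[:-1]) or len(body[-1]) > 64:
                problems.append(f"line {n}: body lines must be 64 chars, last one at most 64")
            label = None
        elif label is None:  # anything between or around blocks, including blank lines
            problems.append(f"line {n}: blank line or text outside a PEM block")
        elif line.startswith(("Proc-Type:", "DEK-Info:")):  # encrypted-key headers
            problems.append(f"line {n}: encrypted private key")
        elif not BASE64_LINE.fullmatch(line):
            problems.append(f"line {n}: blank line, space or non-base64 character")
        else:
            body.append(line)
    if label is not None:
        problems.append(f"missing -----END {label}-----")
    return problems


def fake_pem(label, nbytes, width=64):
    """Constructed sample: PEM framing around dummy bytes, not a real cert or key."""
    b64 = base64.b64encode(bytes(i % 256 for i in range(nbytes))).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SERVER, INTERMEDIATE = fake_pem("CERTIFICATE", 200), fake_pem("CERTIFICATE", 230)
SAMPLES = {  # name -> (text, expected label); all constructed
    "chain ok": (SERVER + INTERMEDIATE, "CERTIFICATE"),
    "blank line in chain": (SERVER + "\n" + INTERMEDIATE, "CERTIFICATE"),
    "76-column wrap": (fake_pem("CERTIFICATE", 200, width=76), "CERTIFICATE"),
    "PKCS#8 key": (fake_pem("PRIVATE KEY", 120), "RSA PRIVATE KEY"),
}

if __name__ == "__main__":
    for name, (text, label) in SAMPLES.items():
        print(name, "->", lint_pem(text, label) or "OK")
```

If a converted key is still reported as a PRIVATE KEY block, note that OpenSSL 3.x writes PKCS#8 output from openssl rsa unless the -traditional option is given.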
The HTTPS configuration only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format. It is recommended to use the OpenSSL tool for conversion. The following gives some popular methods for converting certificate format to PEM format.
The DER format generally appears on the Java platform.
openssl x509 -inform der -in certificate.cer -out certificate.pem
Private key conversion:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
The P7B format generally appears in Windows Server and Tomcat.
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
You can open outcertificate.cer with a text editor to view the certificate contents in PEM format.
Private key conversion: The private key can generally be exported in the IIS server.
The PFX format generally appears in Windows Server.
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Private key conversion:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes