Description of Certificate Format

After you configure an HTTPS certificate, your resources can be accessed over HTTPS for secure acceleration. The HTTPS configuration only supports uploading the certificate and private key content in PEM format. Different certificate issuing authorities have different requirements for uploading the certificate content. This document introduces the certificate formats supported by Baidu Cloud CDN and the methods for converting other certificate formats to PEM. For the specific operation method for applying for a certificate via Baidu AI Cloud, refer to SSL Certificate Service.

Certificate Issued by Root CA

A certificate issued by a root CA is unique and is generally provided in Apache, IIS, Nginx, and Tomcat variants. Baidu AI Cloud CDN uses the Nginx variant, which contains a file with the suffix .crt (certificate) and a file with the suffix .key (private key). Enter the Nginx folder and use a text editor to open the .crt and .key files.

Certificate PEM Format

  • The certificate begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
  • Each line has 64 characters, and the last line does not exceed 64 characters.
  • The certificate content does not contain any spaces.
  • The certificate needs to be within the validity period (certificate start time <= validity period <= certificate expiration time).

The figure shows a certificate example in PEM format:

[Figure: certificate example in PEM format]

Certificates Issued by Intermediate Authority

If the certificate is issued by an intermediate CA, the certificate file you get contains multiple certificates, and you need to manually splice the server certificate with the intermediate certificate before uploading.

Format of a certificate chain issued by an intermediate CA

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Splicing rules

  • Put the server certificate first and the intermediate certificate second, separated by a newline character, with no blank line between them.
  • In general, the organizations provide corresponding instructions when they issue the certificate. Please see the Rule Description.

It is shown in the figure below:

[Figure: server certificate spliced with the intermediate certificate]

RSA Private Key Format Requirements

The private key extension is generally ".pem" or ".key". Open the private key file in a text editor.

Private key PEM format

  • The private key begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----".
  • The private key cannot be encrypted. That is, the password parameter cannot be added when executing the command to generate the private key.
  • The content in the middle includes 64 characters per line, and the last line can have a length of fewer than 64 characters.

The figure shows an example of a private key in PEM format:

[Figure: example of a private key in PEM format]

Note:

If you get a private key starting with "-----BEGIN PRIVATE KEY-----" and ending with "-----END PRIVATE KEY-----", you need to convert it with the OpenSSL tool. Run the following command, then upload the content of new_server_key.pem together with the certificate.

openssl rsa -in old_server_key.pem -out new_server_key.pem
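
The textual rules from "Certificate PEM Format", "Splicing rules" and "Private key PEM format" can be checked locally before uploading. The following is an added example, not Baidu AI Cloud code: lint_pem and sample_block are hypothetical names, the sample data is constructed filler, and the validity period is not checked because that requires parsing the certificate itself.

```python
import re

# One PEM block: the BEGIN label, then the body up to the matching END line.
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

def lint_pem(text, expect):
    """Check PEM text against the page's textual upload rules.

    expect is "CERTIFICATE" or "RSA PRIVATE KEY". Returns a list of problems;
    an empty list means the text passed. Validity dates are not checked.
    """
    text = text.replace("\r\n", "\n").strip()
    blocks = BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found; convert DER/P7B/PFX input to PEM first"]
    problems = []
    # Blocks must follow each other separated by exactly one newline.
    rebuilt = "\n".join(f"-----BEGIN {lab}-----\n{b}\n-----END {lab}-----" for lab, b in blocks)
    if rebuilt != text:
        problems.append("blank line or stray text between or around PEM blocks")
    for n, (label, body) in enumerate(blocks, 1):
        if label == "PRIVATE KEY" and expect == "RSA PRIVATE KEY":
            problems.append(f"block {n}: BEGIN PRIVATE KEY form; convert with openssl rsa")
        elif label != expect:
            problems.append(f"block {n}: unexpected label {label!r}")
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"block {n}: private key is encrypted")
            continue  # encryption headers would only add noise to the line checks
        lines = body.split("\n")
        for i, line in enumerate(lines, 1):
            if not re.fullmatch(r"[A-Za-z0-9+/=]+", line):
                problems.append(f"block {n} line {i}: space, blank or non-base64 text")
            elif len(line) > 64 or (len(line) < 64 and i != len(lines)):
                problems.append(f"block {n} line {i}: {len(line)} characters, expected 64")
    return problems

def sample_block(label, widths=(64, 64, 20)):
    """Constructed filler with PEM shape only; it is not a real certificate or key."""
    body = "\n".join("A" * w for w in widths)
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

if __name__ == "__main__":
    # Constructed chain with a blank line between the two certificates.
    chain = sample_block("CERTIFICATE") + "\n\n" + sample_block("CERTIFICATE")
    print(lint_pem(chain, "CERTIFICATE"))
    # Constructed key in the BEGIN PRIVATE KEY form that needs conversion.
    print(lint_pem(sample_block("PRIVATE KEY"), "RSA PRIVATE KEY"))
```

If a converted key is still reported in the BEGIN PRIVATE KEY form, check the OpenSSL version: on OpenSSL 3.x, openssl rsa writes that form by default and needs the -traditional option to write BEGIN RSA PRIVATE KEY.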

Certificate Format Conversion Mode

The HTTPS configuration only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format. It is recommended to use the OpenSSL tool for conversion. The following gives some popular methods for converting certificate format to PEM format.

DER-to-PEM conversion

The DER format is generally used on the Java platform.

Certificate conversion:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Private key conversion:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

P7B-to-PEM conversion

The P7B format is generally used on Windows Server and Tomcat.

Certificate conversion:

openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

You can open outcertificate.cer with a text editor to view the certificate contents in PEM format.

Private key conversion: The private key can generally be exported from the IIS server.

PFX-to-PEM conversion

The PFX format is generally used on Windows Server.

Certificate conversion:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Private key conversion:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

For more FAQs and Certificate Management Instructions, refer to the documentation.
