Baidu AI Cloud
中国站

百度智能云

Reference

Format Conversion

If the certificate received by the user from the CA is not in PEM format, it needs to be converted into PEM format. Several common methods for converting certificate formats to PEM format are shown in the following table:

Certificate format Conversion method
DER-> PEM Certificate: openssl x509 -inform der -in my-certificate.cer -out my-certificate.pem
private key: openssl rsa -inform DER -outform PEM -in my-private-key.der -out my-private-key.pem
P7B-> PEM Certificate: openssl pkcs7 -print_certs -in my-certificate.p7b -out my-certificate.pem. From my-certificate.pem, get the content starting with "----- BEGIN CERTIFICATE -----" and ending with "----- END CERTIFICATE -----" as the certificate.
Private key: No private key
PFX-> PEM Certificate: openssl pkcs12 -in certname.pfx -nokeys -out my-certificate.pem
private key: openssl pkcs12 -in certname.pfx -nocerts -out my-private-key.pem -nodes

Note:

  • If your private key is encrypted, for example, the beginning and end of the private key are ----- BEGIN PRIVATE KEY -----, ----- END PRIVATE KEY ----- or ---- -BEGIN ENCRYPTED PRIVATE KEY -----, ----- END ENCRYPTED PRIVATE KEY -----, or the private key contains Proc-Type: 4, ENCRYPTED, you need to run the following command to convert:

    openssl rsa -in old_server_key.pem -out new_server_key.pem
  • The private key needs to match the public key in the server certificate. You can use the following two commands to generate the MD5 value of the private key and the certificate. If they are the same, you can consider that the private key matches the public key in the certificate.

     openssl x509 -noout -modulus -in my-certificate.pem | openssl md5
     openssl rsa -noout -modulus -in my-private-key.pem | openssl md5
Previous
Certificate and Private Key
Next
Upload Certificate