CTX213224
Objective
This article explains the different formats of the SSL certificates and demonstrates how to upload the certificates to NetScaler.
Use Case
Ramesh wants to communicate securely using certificates provided by different Certificate Authorities (CAs), which can be in different formats (PEM, DER, PFX). Ramesh should be able to use certificates in any of these formats for his secure communication.
Secure communication is an important requirement for enterprises and telcos that want to provide their customers and users with a safe, secure environment.
However, there are many culprits with malicious intentions who want to steal your identity, which can earn them a fortune and can be destructive for the users whose identity is stolen. To prevent this, certificates are used for security and identification. A certificate is an electronic document that contains data fields. If you compare a digital certificate with a traditional physical certificate, you will find many similarities. On a traditional certificate, for example a college degree certificate, we can see who issued the certificate, to whom it was issued and who can use it. Similarly, a digital certificate contains information on who issued the certificate and who can use it.
Additionally, a certificate contains validity information indicating the period for which the certificate is valid, a public key, and a digital signature, which is like the wax seal on a traditional physical certificate.
There are many well-recognized Certificate Authorities (CAs) who can issue certificates. Some of the well-known certificate authorities are Verisign, GoDaddy, GlobalSign, Digicert, StartCom, Trustwave and Secom. These Certificate Authorities can issue certificates in the following formats:
- PEM - Privacy Enhanced Mail
- DER - Distinguished Encoding Rules
- PFX - Personal Information Exchange
Instructions
Formats and description of each format
- PEM Format
- DER Format
- PKCS#7
- PFX Format (PKCS#12)
PEM Format
PEM is the most common format in which Certificate Authorities (CA) issue certificates. These are more widely used by Unix/Linux users.
PEM certificates are Base64-encoded DER certificates. If you see a "Proc-Type" header in a PEM file, it means that the contents are encrypted.
The public part of the certificate is enclosed between "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----",
whereas the private part of the certificate is enclosed between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
PEM format can contain any or all of the client/server certificate, intermediate certificate, root CA and the private key.
- They are Base64 encoded ASCII files
- They have extensions such as .pem, .crt, .cer, .key
- Apache and similar servers use PEM format certificates
DER Format
DER is a binary form of the ASCII PEM format certificate. All types of certificates and private keys can be encoded in DER format.
This format supports storage of a single certificate and does not include the private key for the intermediate/root CA.
- They are binary format files
- They have the extensions .cer and .der
- DER is typically used on the Java platform
PKCS#7
This format contains only a certificate or certificate chain and does not store the private key.
This format is usually used by CAs to provide certificate chains to users.
PFX Format (PKCS#12)
PFX is a format for storing a server certificate or any intermediate certificate along with the private key in one encrypted file. PFX follows the Public Key Cryptography Standards (PKCS). The term PFX is used interchangeably with PKCS#12.
To upload PFX files on NetScaler, refer to the guide "How do I upload PFX certificates on NetScaler?"
Steps to import PEM/DER certificate on NetScaler
The steps to import PEM and DER certificates are the same. Follow these steps to use PEM/DER certificates on NetScaler.
Step 1: Navigate to Configuration -> SSL -> Certificates
Step 2: Install Certificate
- Certificate-Key Pair Name indicates the name to be used for the certificate
- Certificate File Name indicates the name of the certificate received from the CA and uploaded by the administrator
- Key File Name is the name of the public key generated along with the certificate and uploaded by the administrator
If the certificate and key are in the same file, then the same file has to be uploaded in both Certificate File Name and Key File Name for it to be used. PFX files with the certificate and key in the same file can be handled in the same way.
The SSL certificate created in this way can be bound to a vserver.
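A way to check which of the formats described above a file is in before uploading it, and whether it carries the certificate and key together (added example, not Citrix code; it is a heuristic based on PEM labels and the first DER element, and the names `der_kind` and `inspect_cert_file` are hypothetical):

```python
import re

# Added example: heuristic classifier, Python standard library only.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 #]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_kind(data: bytes) -> str:
    """Guess a binary file's type from the first element in its outer SEQUENCE."""
    if len(data) < 4 or data[0] != 0x30:
        return "unknown"
    # Length header: short form is 1 byte, 0x8N adds N bytes, 0x80 is indefinite (BER).
    hdr = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
    inner = data[hdr:hdr + 3]
    if inner[:1] == b"\x30":
        return "DER certificate"   # tbsCertificate SEQUENCE (CSRs and CRLs look alike)
    if inner[:1] == b"\x06":
        return "PKCS#7"            # ContentInfo begins with an OID
    if len(inner) == 3 and inner[:2] == b"\x02\x01":
        # PFX begins with INTEGER version 3; bare private keys with version 0 or 1.
        return "PFX (PKCS#12)" if inner[2] == 3 else "DER private key"
    return "unknown"

def inspect_cert_file(data: bytes) -> dict:
    """Report format, PEM block labels, key encryption, and cert+key in one file."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:  # binary input: encryption state is not determined here (None)
        return {"format": der_kind(data), "labels": [],
                "encrypted_key": None, "cert_and_key": False}
    labels = [label.decode() for label, _ in blocks]
    has_key = any(name.endswith("PRIVATE KEY") for name in labels)
    encrypted = any(b"Proc-Type: 4,ENCRYPTED" in body
                    or label == b"ENCRYPTED PRIVATE KEY" for label, body in blocks)
    return {"format": "PEM", "labels": labels, "encrypted_key": encrypted,
            "cert_and_key": "CERTIFICATE" in labels and has_key}

# Constructed samples: placeholder bodies and headers only, no real key material.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\nQ29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    b"Q29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_DER = bytes.fromhex("3082010a30820100")  # SEQUENCE, then inner SEQUENCE
SAMPLE_PFX = bytes.fromhex("30820a0002010330")  # SEQUENCE, then INTEGER 3

if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("pfx", SAMPLE_PFX)):
        print(name, inspect_cert_file(blob))
```

A result with `cert_and_key` set to true corresponds to the case above where the same file is given as both Certificate File Name and Key File Name.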