How to convert PKCS#7 certificate into PEM on the NetScaler appliance?

How to convert PKCS#7 certificate into PEM on the NetScaler appliance?

book

Article ID: CTX217250

calendar_today

Updated On:

Description

This article explains/guides how we can convert PKCS# certificates into a PEM format

Instructions

  1. Copy the certificate to the appliance by using a secure copy utility, such as SCP.
  2. Convert the certificate (for example, cert.P7B ) to PEM format:
    > openssl pkcs7 -inform DER -in cert.p7b -print_certs -text -out cert.pem
Note:  If the PKCS#7 cert is already in PEM format you will omit the -inform switch 
 
  1. To make sure that the converted certificate is in correct x509 format, verify that the following command produces no error:
    root@ns# openssl x509 -in cert.PEM -text
  2. Verify that the certificate file contains a private key. Begin by issuing the following command:
    root@ns# cat cert.PEM
    Verify that the output file includes an RSA PRIVATE KEY section.
    -----BEGIN RSA PRIVATE KEY-----
     Mkm^s9KMs9023pz/s...
     -----END RSA PRIVATE KEY-----
    The following is another example of an RSA PRIVATE KEY section:
     Bag Attributes
    1.3.6.1.4.1.311.17.2: <No Values>
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic
    Provider
    friendlyName:
    4b9cef4cc8c9b849ff5c662fd3e0ef7e_76267e3e-6183-4d45-886e-6e067297b38f

    Key Attributes
    X509v3 Key Usage: 10
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,43E7ACA5F4423968
    pZJ2SfsSVqMbRRf6ug37Clua5gY0Wld4frPIxFXyJquUHr31dilW5ta3hbIaQ+Rg

    ... (more random characters)
    v8dMugeRplkaH2Uwt/mWBk4t71Yv7GeHmcmjafK8H8iW80ooPO3D/ENV8X4U/tlh

    5eU6ky3WYZ1BTy6thxxLlwAullynVXZEflNLxq1oX+ZYl6djgjE3qg==
    -----END RSA PRIVATE KEY-----
    The following is a SERVER CERTIFICATE section:
    Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: AG Certificate
    subject=/C=AU/ST=NSW/L=Wanniassa/O=Dave Mother
    Asiapacific/OU=Support/CN=davemother.food.lan
    issuer=/DC=lan/DC=food/CN=hotdog
    -----BEGIN CERTIFICATE-----
    MIIFiTCCBHGgAwIBAgIKCGryDgAAAAAAHzANBgkqhkiG9w0BAQUFADA8MRMwEQYK

    ... (more random characters) 5pLDWYVHhLkA1pSxvFjNJHRSIydWHc5ltGyKqIUcBezVaXyel94pNSUYx07NpPV/

    MY2ovQyQZM8gGe3+lGFum0VHbv/y/gB9HhFesog=
    -----END CERTIFICATE-----
    The following is an INTERMEDIATE CA CERTIFICATE section:
    Bag Attributes: <Empty Attributes>
    subject=/DC=lan/DC=food/CN=hotdog
    issuer=/DC=lan/DC=food/CN=hotdog
    -----BEGIN CERTIFICATE-----
    MIIESDCCAzCgAwIBAgIQah20fCRYTY9LRXYMIRaKGjANBgkqhkiG9w0BAQUFADA8

    ... (more random characters) Nt0nksawDnbKo86rQcNnY5xUs7c7pj2zxj/IOsgNHUp5W6dDI9pQoqFFaDk=

    -----END CERTIFICATE-----
    Further Intermediate CA certificates may follow, depending on the certification path of the exported certificate.
  3. Open the .PEM file in a text editor
  4. Locate the first line of the .PEM file and the first instance of the following line, and copy those two lines and all the lines between them:
    -----END CERTIFICATE-----
    Note: Make sure that last copied line is the first -----END CERTIFICATE----- line in the .PEM file.
  5. Paste the copied lines into a new file. Call the new file something intuitive, such as cert-key.pem. This is the certificate-key pair for the server hosting the HTTPS service. This file should contain both the section labeled RSA PRIVATE KEY and the section labeled SERVER CERTIFICATE in the example above.
    Note: The certificate-key pair file contains the private key and must therefore be kept secure.
 

Other quick commands for certificate conversion:


PEM to DER

#openssl x509 -outform der -in cert.PEM -out cert.DER

 PEM to P7B

#openssl crl2pkcs7 -nocrl -certfile cert.CER -out cert.P7B -certfile CACert.cer

 PEM to PFX

#openssl pkcs12 -export -out cert.PFX -inkey privateKey.key -in certificate.crt -certfile CACert.crt


OpenSSL  DER
 DER to PEM

#openssl x509 -inform der -in cert.CER -out cert.PEM


 P7B to PEM

#openssl pkcs7 -print_certs -in cert.P7B -out cert.CER

 P7B to PFX

#openssl pkcs7 -print_certs -in cert.P7B -out cert.CER

#openssl pkcs12 -export -in cert.CER -inkey privateKey.key -out cert.PFX -certfile CACert.cer


 PFX to PEM

#openssl pkcs12 -in cert.PFX -out cert.CER -nodes

 

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Issue/Introduction

This article provides procedure to convert PKCS# certificates into a PEM format

Additional Information

http://support.citrix.com/proddocs/topic/ns-faq-map-10-5/ns-faq-ssl-ref.html
http://man.he.net/man1/pkcs7
https://www.openssl.org/docs/man1.0.2/apps/openssl.html
Powered by Wolken Software