Edge Security Acceleration (ESA) supports only PEM-format certificates and private keys. Upload requirements vary depending on the certificate authority (CA).
Certificates issued by root CAs
Certificates issued by root CAs are unique and are delivered in formats for different web servers, such as Apache, IIS, NGINX, and Tomcat. ESA uses the NGINX format, which consists of a certificate file with the .crt extension and a private key file with the .key extension.
To view a certificate, open the NGINX folder and use a text editor to open the .crt file. The following figure shows an example.
Figure 1. Certificate in the PEM format 
Requirements for certificate upload
- Upload the entire certificate content, starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".
- Each line contains 64 characters, except for the last line, which can contain fewer than 64 characters.
Certificates issued by intermediate CAs
A certificate issued by an intermediate CA contains multiple certificates. To configure HTTPS, you must combine the intermediate certificates and the server certificate into a complete certificate before uploading it. The following figure shows an example.
Figure 2. A complete certificate in the PEM format
Format of certificate chains
Certificates issued by an intermediate CA use the following format:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Combination rules
Use a text editor to open all *.PEM certificate files. Place the server certificate first, followed by the intermediate certificates. No empty lines are allowed between certificates. The CA that issued the certificates may provide specific combination instructions.
Formats of RSA private keys
A private key file has the extension .pem or .key. To view the content, open the file in a text editor. The following figure shows an example.
Figure 3. Format of an RSA private key
Private key in the PEM format
- The private key must start with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----".
- Each line contains 64 characters, except for the last line, which can contain fewer than 64 characters.
Requirements for private key upload
Before you upload an RSA private key, run the openssl genrsa -out privateKey.pem 2048 command on your local machine to generate the privateKey.pem private key file.
- The private key must start with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----".
- Each line contains 64 characters, except for the last line, which can contain fewer than 64 characters.
If your private key starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----", run the following OpenSSL command to convert the format. Then, upload the new_server_key.pem file along with the certificate.
openssl rsa -in old_server_key.pem -out new_server_key.pem
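The upload requirements above can be checked locally before pasting anything into the console. The following Python sketch is an added example, not part of the ESA documentation or tooling: the names `lint_pem`, `check_body` and `pem` are hypothetical, the samples are constructed placeholder bytes, and it checks only PEM structure (headers, 64-character lines, no empty lines between certificates, a binary DER file passed by mistake), not X.509 validity or chain order.

```python
import base64
import re

BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def check_body(body, end_line):
    """Check one block's Base64 body: 64-character lines (last may be shorter)."""
    problems = [f"line {end_line - len(body) + i}: bad length {len(line)}"
                for i, line in enumerate(body)
                if len(line) != 64 and not (i == len(body) - 1 and 0 < len(line) < 64)]
    try:
        base64.b64decode("".join(body), validate=True)
    except ValueError:
        problems.append(f"line {end_line}: block body is not valid Base64")
    return problems

def lint_pem(data, expect):
    """List problems in raw file bytes; expect is 'CERTIFICATE' or 'RSA PRIVATE KEY'."""
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER rather than PEM text
        return ["input looks DER-encoded; convert it to PEM first"]
    problems, label, body = [], None, []
    for n, line in enumerate(data.decode("ascii", "replace").strip().splitlines(), 1):
        if label is None:
            m = BEGIN.fullmatch(line)
            label, body = (m.group(1) if m else None), []
            if not m:
                problems.append(f"line {n}: {'stray text' if line else 'empty line'} outside a PEM block")
            elif label == "PRIVATE KEY" and expect == "RSA PRIVATE KEY":
                problems.append(f"line {n}: PKCS#8 key; convert to RSA PRIVATE KEY")
            elif label != expect:
                problems.append(f"line {n}: unexpected block type {label}")
        elif line == f"-----END {label}-----":
            problems += check_body(body, n)
            label = None
        else:
            body.append(line)
    if label is not None:
        problems.append(f"missing -----END {label}-----")
    return problems

# Constructed samples: placeholder bytes wrapped as PEM, not real certificates or keys.
def pem(label, payload):
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SERVER, INTERMEDIATE = pem("CERTIFICATE", bytes(200)), pem("CERTIFICATE", bytes(150))
GOOD_CHAIN = (SERVER + INTERMEDIATE).encode()            # server first, no gap
GAPPED_CHAIN = (SERVER + "\n" + INTERMEDIATE).encode()   # empty line between certificates
```

With OpenSSL 3.x, `openssl genrsa` and `openssl rsa` write the "-----BEGIN PRIVATE KEY-----" form unless `-traditional` is given, so run the converted key through `lint_pem(..., "RSA PRIVATE KEY")` to confirm it carries the required header.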
Convert certificate formats
HTTPS supports only PEM certificates. If your certificates are in a different format, convert them to PEM by using OpenSSL.
- The CRT extension stands for certificate. A CRT file may already be in PEM or DER format. Verify the current format before converting.
- PEM is a text-based format that starts with "-----BEGIN ***-----" and ends with "-----END ***-----", with Base64-encoded content between these lines. Both certificates and private keys can use this format. Private key files in PEM format use the .key extension.
- Convert a certificate from DER to PEM
  The DER format is typically used in Java environments.
  - Convert the certificate format:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  - Convert the private key format:
    openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
- Convert a certificate from P7B to PEM
  The P7B format is typically used for Windows Server and Tomcat.
  - Convert the certificate format:
    openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
    Open the outcertificate.cer file, then copy and upload the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  - Convert the private key format:
    P7B certificates do not include a private key. When you configure a P7B certificate in the ESA console, you only need to provide the certificate content.
- Convert a certificate from PFX to PEM
  The PFX format is typically used for Windows Server.
  - Convert the certificate format:
    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  - Convert the private key format:
    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes