A Muggle's Guide to creating a PEM encoded SSL Certificate using OpenSSL

So we all know that SSL certificates are something out of the Dark Arts and unforgivable spells akin to the wizarding world of Harry Potter.

So the following is a quick post on how to take the certificate (.cer or .crt file) from the Certificate Authority (CA), combine it with the RSA Private Key (.key file) and the Root CA Chain (another .cer/.crt file) to first create the intermediate Personal Exchange Format (PFX) file and finally create the Privacy Enhanced Mail (PEM) file.

For the ease of this post, we’ll use the following naming conventions:

  • node.cer – the certificate for the end device/cluster
  • node.key – the RSA encrypted private key
  • rootca.cer – the Root CA certificate or CA Certificate Chain
  • node.pfx – the intermediate PFX certificate file
  • node.pem – the final PEM certificate file

The post also assumes you have OpenSSL running (in my case on Windows within the C:\OpenSSL-Win64 folder).

Creating the PFX Certificate File

Open a command prompt, navigate to the location of the certificate files on the Windows server and then type the following:

C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -in "node.cer" -inkey "node.key" -certfile "rootca.cer" -name "rui" -passout pass:ChangeMe! -out "node.pfx"

This will generate a node.pfx file which we will use to generate the PEM certificate.

Note: the password ChangeMe! should be changed to something sensibly long and difficult to remember.

Creating the PEM Certificate File

Open a command prompt, navigate to the location of the certificate files on the Windows server and then type the following:

C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in "node.pfx" -inkey "node.key" -out "node.pem" -nodes -passin pass:ChangeMe!

This will generate a node.pem file which can then be used, as an example, to replace the VAMI certificate on a VMware Virtual Appliance such as vRealize Automation VA or vSphere Platform Services Controller.
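Because -nodes writes the private key into node.pem without encryption, it is worth checking what the file contains before copying it to an appliance. The Python below is an added example, not part of the original post: it inventories a PEM bundle using the text headers that openssl pkcs12 prints before each block. The names inventory, pem_block and SAMPLE and the example.test subjects are assumptions made for the illustration, and the sample input is constructed.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
HEADER = re.compile(r"^\s*(subject|issuer|friendlyName)\s*[=:]\s*(.*?)\s*$", re.M)

def inventory(pem_text):
    """Summarise the blocks in a PEM bundle written by `openssl pkcs12 -nodes`."""
    report = {"certs": [], "keys": [], "friendly_names": set(), "findings": []}
    pos = 0
    for m in PEM_BLOCK.finditer(pem_text):
        # openssl prints "Bag Attributes", subject= and issuer= lines before each block
        attrs = dict(HEADER.findall(pem_text[pos:m.start()]))
        pos = m.end()
        label, body = m.group(1), m.group(2)
        if "friendlyName" in attrs:
            report["friendly_names"].add(attrs["friendlyName"])
        legacy_encrypted = body.startswith("Proc-Type: 4,ENCRYPTED")
        if not legacy_encrypted:
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                report["findings"].append(f"{label}: body is not valid base64 (truncated file?)")
        if label == "CERTIFICATE":
            report["certs"].append((attrs.get("subject"), attrs.get("issuer")))
        elif label.endswith("PRIVATE KEY"):
            report["keys"].append(label)
            if "ENCRYPTED" not in label and not legacy_encrypted:
                report["findings"].append("private key is stored unencrypted: restrict access to this file")
    if len(report["keys"]) != 1:
        report["findings"].append(f"expected 1 private key, found {len(report['keys'])}")
    if not report["certs"]:
        report["findings"].append("no certificate found")
    elif not any(s and s == i for s, i in report["certs"]):
        report["findings"].append("no self-signed root among the certificates: chain may be incomplete")
    return report

# Constructed sample: placeholder base64, not a real key or certificate
B64 = base64.b64encode(b"constructed placeholder bytes").decode()
def pem_block(label):
    return f"-----BEGIN {label}-----\n{B64}\n-----END {label}-----\n"

SAMPLE = (
    "Bag Attributes\n    friendlyName: rui\nsubject=CN = node.example.test\nissuer=CN = Example Test Root CA\n"
    + pem_block("CERTIFICATE")
    + "Bag Attributes: <No Attributes>\nsubject=CN = Example Test Root CA\nissuer=CN = Example Test Root CA\n"
    + pem_block("CERTIFICATE")
    + "Bag Attributes\n    friendlyName: rui\nKey Attributes: <No Attributes>\n" + pem_block("PRIVATE KEY")
)
```

To check the real file, pass the text of node.pem to inventory() and read the findings list.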

Hope that helps the muggles of the world…
