When you purchase a security certificate (typically, an SSL certificate), your certificate authority is supposed to send you the certificate – which is nothing but a bunch of files that includes a CA server certificate, intermediate certificate, and the private key. Note: You will not need your SSL certificate for this exercise. A .pem file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates): Private Key; Server Certificate (crt, puplic key) (optional) Intermediate CA and/or bundles if signed by a 3rd party; How to create a self-signed PEM file Once this is done, click File -> Save As and save this new bundle file and ensure to add ‘.crt’ without the quotes at the end of the new filename. Read instructions on how to create different .pem files for three different scenarios. The root certificate is never included in the chain. 2. GUI Text Editor 1. 3. EDIT: Reddit user zerouid mentioned that the order of the PEM certificates in the file matters for some older versions of Java. A certificate file must contain the full chain – root CA , intermediate CA, and the origin server certificates. Choose Computer account to manage the certificate and click Next. Up to four optional intermediate certificates, given to smaller certificate authorities by higher authorities. Use the Root CA key cakey.pem to create a Root CA certificate cacert.pem; Give the root certificate a long expiry date. This is similar to the steps above for generating intermediate certificate. (note you will need to repeat this step for all the intermediate certificates that are sent to you.) (Remember, not your domain certificate.) openssl crl2pkcs7 -nocrl -certfile server.pem -certfile int.pem -certfile root.pem -out server_chain.p7b openssl pkcs7 -print_certs -in server_chain.p7b -out server_chain.pem. Importing the root and/or intermediate certificates on the NetScaler. Root and intermediate certificates can usually be downloaded from the Certificate Authority as a single certificate PEM or DER encoded file. See this stack-o answer, quoted here: A .pem format certificate will most likely be ASCII-readable. The following Ruby-script will split the bundle (with one or more certificates in it) into files named after the hashes -- side-stepping the c_rehash step in most cases.. To use, cd into the right directory (such as /etc/ssl/certs/) and run the script with the path to your certificate bundle as the sole argument.For example: ruby /tmp/split-certificates.rb ca-root-nss.crt. 4. In the Certificate Backup section, enter the desired Passphrase twice. Example: Intermediate 3, Intermediate 2, Intermediate 1, Root Certificate. This process can play out several times, where an intermediate root signs another intermediate and then a CA uses that to sign certificate. To combine them, simply copy the contents inside of the root certificate and paste it into a new line at the bottom of the intermediate certificate file. OpenSSL create certificate chain requires Root and Intermediate Certificate. The only exception is the Microsoft IIS download, which is in PKCS#7/P7B format. A PEM Certificate File is… Before we answer this question, let us tell you something. The Purpose of this page is to provide further information regarding how to convert the certificates from a .p7b file into Base64 (.cer) format so it can be successfully imported into a PSE.. Overview. Purpose. openssl x509 -inform der -in certificate.cer -out certificate.pem If your certificate is exported with Base64 encoding, then rename the extension .cer to .pem. in reverse of the issuing order). We'll set up our own root CA. This passphrase will be needed when restoring the backup. We have all the 3 certificates in the chain of trust and we can validate them with $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem server.pem server.pem: OK The file is already in .pem format. So, to be on the safe side make sure to put the key first (when applicable), then the certificate, then the intermediate, and finally the root certificate. A .pem file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates): Private Key; Server Certificate (crt, puplic key) (optional) Intermediate CA and/or bundles if signed by a 3rd party Basically work your way up the chain to the root certificate. Step 8 – Generate the certificate chain cat node1.pem int1.pem > chain.pem Concatenate all the intermediate and node certificates in the correct order. These files are usually not password protected. Installing Intermediate Certificates. An intermediate root serves as a link in the chain of trust, helping SSL certificates to chain back to roots. The MMC is now loaded with the Certificates snap-in.