Cisco IronPort

How to convert an SSL cert to a .pem for installation on Citrix and Cisco appliances


Often times you might have to add an SSL cert to a Cisco or Citrix appliance (like a Netscaler) but it only accepts the SSL cert and private key in a certain format.  Your CA (certificate authority) will issue the SSL cert to you as a .crt.  From there, you need to package the cert with the private key and in the format your appliance requires.  There are different ways to do this and one easy way I like is using IIS and OpenSSL which is a free open source tool and can be downloaded here:

1. Create a temporary site in IIS and generate a CSR.  Make sure the CN (common name) you enter matches whatever appliance you are trying to generate it for exmp:

2.  Submit the CSR to your CA such as Verisign, GoDaddy, Network Solutions, etc. and wait for them to validate and issue your cert.

3. Get the .crt from the CA once they issue it and convert it to .cer.  Just open the .crt by double clicking on it and and save it as .cer using the export wizard.  This is necessary since IIS does not accept .crt.



4. Install the .cer in IIS using the Web Server Certificate Wizard where you originally generated the CSR.  Just process the pending request to install it.

5. View the cert in IIS and export it with the private key in pkcs12 (.pfx) format.  Just set the password as “password” since you will be deleting it after conversion is complete later.

6. Go to the directory where OpenSSL.exe is and type in the following to convert the .pfx to a .pem

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem

7. Type the “password” when prompted for the pass phrase.

8. Install the .pem on the appliance and it should work


If you are doing it for some appliances like a Cisco IronPort, you need to add the nodes switch when creating the .pem:

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem –nodes

The –nodes switch ensures that the key inside the .pem is left unencrypted.  If you attempt to install a .pem created without the -nodes switch, the appliance will take the cert but will not accept the private key since it cannot read it in an encrypted state.

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.

Recommended for you


  1. robert langdon

    February 4, 2010 at 8:15 AM

    Hello all,
    I get the folowing results when I execute a curl command attempting to
    access a secure site:

    D:\cURL\ssl>curl -v –cacert mycert.pem -o test.txt
    * About to connect() to
    * Connected to ( port 443
    * SSL: error:00000000:lib(0):func(0):reason(0)
    * Closing connection #0
    curl: (35) SSL: error:00000000:lib(0):func(0):reason(0)


    I am using curl-7.10.3 ssl version under Win32.

    Here is how I generate mycert.pem from SSL certificate of web site
    (a) Open up using MSIE 5.5
    (b) Double click on the lock sign on MSIE status bar
    (c) Click on Details tab
    (d) Click on “Copy to File” button
    (e) Click on Next on Certificate Export Wizard window
    (f) Select “Base-64 encoded X.509 (.CER)” and then click on Next
    (g) Enter d:\mycert.cer into file name input area
    (h) Press Finish button to complete exporting certificate
    (i) and finally use openssl to generte mycert.pem file
    openssl x509 -in mycert.cer -outform PEM -out mycert.pem

    What am I doing wrong here? Can anybody tell me how to get .pem file
    from IIS or the secure site itself?

    By the way, when I turn off cURL’s certificate verification
    (by using -k option instead of –cacert), the above cURL command
    runs with no errors.

    Thanks a lot,

  2. Clement

    September 15, 2015 at 4:10 AM


    Whats the best way to convert .pem files from a Cisco ACE appliance to a usable .pem format for Netscaler 10.5.

    I keep running into “Not a server certificate” error on the Netscaler while binding the certificate (created using the .pem file) to an SSL service.


Leave a Reply

Your email address will not be published. Required fields are marked *