Connect with us

Hi, what are you looking for?

Cisco IronPort

How to convert an SSL cert to a .pem for installation on Citrix and Cisco appliances

Often times you might have to add an SSL cert to a Cisco or Citrix appliance (like a Netscaler) but it only accepts the SSL cert and private key in a certain format.  Your CA (certificate authority) will issue the SSL cert to you as a .crt.  From there, you need to package the cert with the private key and in the format your appliance requires.  There are different ways to do this and one easy way I like is using IIS and OpenSSL which is a free open source tool and can be downloaded here:

1. Create a temporary site in IIS and generate a CSR.  Make sure the CN (common name) you enter matches whatever appliance you are trying to generate it for exmp:

2.  Submit the CSR to your CA such as Verisign, GoDaddy, Network Solutions, etc. and wait for them to validate and issue your cert.

3. Get the .crt from the CA once they issue it and convert it to .cer.  Just open the .crt by double clicking on it and and save it as .cer using the export wizard.  This is necessary since IIS does not accept .crt.



4. Install the .cer in IIS using the Web Server Certificate Wizard where you originally generated the CSR.  Just process the pending request to install it.

5. View the cert in IIS and export it with the private key in pkcs12 (.pfx) format.  Just set the password as “password” since you will be deleting it after conversion is complete later.

6. Go to the directory where OpenSSL.exe is and type in the following to convert the .pfx to a .pem

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem

7. Type the “password” when prompted for the pass phrase.

8. Install the .pem on the appliance and it should work


If you are doing it for some appliances like a Cisco IronPort, you need to add the nodes switch when creating the .pem:

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem –nodes

The –nodes switch ensures that the key inside the .pem is left unencrypted.  If you attempt to install a .pem created without the -nodes switch, the appliance will take the cert but will not accept the private key since it cannot read it in an encrypted state.



  1. robert langdon

    February 4, 2010 at 8:15 AM

    Hello all,
    I get the folowing results when I execute a curl command attempting to
    access a secure site:

    D:\cURL\ssl>curl -v –cacert mycert.pem -o test.txt
    * About to connect() to
    * Connected to ( port 443
    * SSL: error:00000000:lib(0):func(0):reason(0)
    * Closing connection #0
    curl: (35) SSL: error:00000000:lib(0):func(0):reason(0)


    I am using curl-7.10.3 ssl version under Win32.

    Here is how I generate mycert.pem from SSL certificate of web site
    (a) Open up using MSIE 5.5
    (b) Double click on the lock sign on MSIE status bar
    (c) Click on Details tab
    (d) Click on “Copy to File” button
    (e) Click on Next on Certificate Export Wizard window
    (f) Select “Base-64 encoded X.509 (.CER)” and then click on Next
    (g) Enter d:\mycert.cer into file name input area
    (h) Press Finish button to complete exporting certificate
    (i) and finally use openssl to generte mycert.pem file
    openssl x509 -in mycert.cer -outform PEM -out mycert.pem

    What am I doing wrong here? Can anybody tell me how to get .pem file
    from IIS or the secure site itself?

    By the way, when I turn off cURL’s certificate verification
    (by using -k option instead of –cacert), the above cURL command
    runs with no errors.

    Thanks a lot,

  2. Clement

    September 15, 2015 at 4:10 AM


    Whats the best way to convert .pem files from a Cisco ACE appliance to a usable .pem format for Netscaler 10.5.

    I keep running into “Not a server certificate” error on the Netscaler while binding the certificate (created using the .pem file) to an SSL service.


Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like


Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...


In a worst case scenario and all your web servers have failed, what do you do? You could have a standby group of servers... began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023