Certificate formats

Last Updated: Sep 11, 2017

Server Load Balancer only supports certificates in the PEM format. The certificate, certificate chain, and private key must conform to the rules described in this section.

Certificate issued by a root CA

If a certificate is issued by a root CA, it is the only certificate that needs to be uploaded to Server Load Balancer. No other configuration is required.

The certificate must conform to the following rules:

  • The certificate content is placed between a -----BEGIN CERTIFICATE----- header and a -----END CERTIFICATE----- footer. Include the header and footer when uploading the certificate.

  • Each line except the last must contain exactly 64 characters. The last line can contain 64 or fewer characters.

  • Spaces are not allowed in the content.

The following is a sample certificate issued by a root CA.

Certificate issued by an intermediate CA

If a certificate is issued by an intermediate CA, you will obtain multiple intermediate certificates.

Conform to the following rules when adding intermediate certificates:

  • Put the server certificate first and the intermediate certificates after it, without any space between them.

  • Each line except the last must contain exactly 64 characters. The last line must contain 64 or fewer characters.

  • Spaces are not allowed in the content.

  • Conform to the certificate requirements as described in the certificate description.

The following is a sample certificate chain.

  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----

RSA private key

The private key to be uploaded along with the server certificate must conform to the following rules:

  • The key is placed between a -----BEGIN RSA PRIVATE KEY----- header and a -----END RSA PRIVATE KEY----- footer. Include the header and footer when uploading the key.

  • Each line except the last must contain exactly 64 characters. The last line can contain 64 or fewer characters.

Note: If the private key is encrypted, that is, the header and footer are [-----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----] or [-----BEGIN ENCRYPTED PRIVATE KEY-----, -----END ENCRYPTED PRIVATE KEY-----], or the private key contains Proc-Type: 4,ENCRYPTED, run the following command to convert the private key before uploading it to Server Load Balancer:

  openssl rsa -in old_server_key.pem -out new_server_key.pem
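A pre-upload check for the line-format rules in this section, as an added example that is not part of the original documentation or of Server Load Balancer itself. The function names are hypothetical and the sample content is constructed filler; chain order (server certificate first) is not verified, because that requires parsing the certificates.

```python
import re

# Labels the page says must be converted with `openssl rsa` before upload.
NEEDS_CONVERSION = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def check_body(body):
    """Apply the 64-character and no-space rules to one block's content lines."""
    if any("Proc-Type: 4,ENCRYPTED" in line for _, line in body):
        return ["encrypted key (Proc-Type: 4,ENCRYPTED): convert with openssl rsa"]
    problems = [] if body else ["empty block"]
    for i, (n, line) in enumerate(body):
        last = i == len(body) - 1
        if re.search(r"\s", line):
            problems.append(f"line {n}: whitespace in content")
        elif len(line) > 64 or (not last and len(line) != 64) or not line:
            problems.append(f"line {n}: length {len(line)}, expected 64")
    return problems

def check_pem(text, expected="CERTIFICATE"):
    """Return a list of rule violations; an empty list means the text passes."""
    problems, body, label, blocks = [], [], None, 0
    for n, line in enumerate(text.strip("\n").split("\n"), 1):
        begin = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", line)
        end = re.fullmatch(r"-----END ([A-Z ]+)-----", line)
        if begin:
            label, body = begin.group(1), []
            if label in NEEDS_CONVERSION:
                problems.append(f"line {n}: {label} header: convert with openssl rsa")
            elif label != expected:
                problems.append(f"line {n}: expected {expected}, found {label}")
        elif end:
            if label != end.group(1):
                problems.append(f"line {n}: footer does not match header")
            else:
                problems += check_body(body)
                blocks += 1
            label = None
        elif label is None:
            # "Without any space" is read here as: nothing between blocks (assumption).
            problems.append(f"line {n}: content outside header/footer")
        else:
            body.append((n, line))
    if label is not None or blocks == 0:
        problems.append("no complete PEM block or missing footer")
    return problems

if __name__ == "__main__":
    # Constructed filler content, not a real certificate.
    cert = "\n".join(["-----BEGIN CERTIFICATE-----", "A" * 64, "B" * 20, "-----END CERTIFICATE-----"])
    print(check_pem(cert + "\n" + cert), check_pem(cert + "\n\n" + cert))
```

Pass `expected="RSA PRIVATE KEY"` when checking the key file; line numbers in the messages refer to the input text.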

The following is a sample RSA private key.
