All Products
Search
Document Center

Server Load Balancer:Certificate requirements and format conversion

Last Updated:Apr 01, 2026

Classic Load Balancer (CLB) only accepts PEM-formatted certificates. This page covers the format requirements for certificates and private keys, and the OpenSSL commands to convert DER, P7B, and PFX certificates to PEM.

Supported certificate types

CLB supports RSA certificates only. ECDSA (Elliptic Curve Digital Signature Algorithm) certificates are not supported.

AlgorithmSupported key sizes
RSA1024, 2048, 4096 bits

Certificate format requirements

PEM files are highly sensitive to formatting. A single extra space or incorrect character invalidates the certificate, certificate chain, or private key.

Root CA-issued certificates

If a root certificate authority (CA) issued your certificate directly, upload the certificate only — no chain is required.

Format requirements:

  • Start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----

  • 64 characters per line (except the last line)

  • No spaces or blank lines

Intermediate CA-issued certificates

If an intermediate CA issued your certificate, upload the full certificate chain. Concatenate the certificates in this order:

  1. Server certificate (your certificate)

  2. Intermediate certificate(s)

  3. Root certificate (optional, typically omitted)

Format requirements:

  • No blank lines between certificates

  • 64 characters per line (per RFC 1421)

  • No spaces in certificate content

Example chain structure:

-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate, optional)
-----END CERTIFICATE-----

Private key requirements

When uploading a server certificate, also upload its private key.

CLB requires unencrypted PKCS#1 format private keys. The private key must:

  • Start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

  • Have 64 characters per line (except the last line)

  • Contain no blank lines

Identify and convert your private key format

Check the header of your private key file to determine whether conversion is needed:

HeaderFormatAction
-----BEGIN RSA PRIVATE KEY----- (no Proc-Type line)PKCS#1, unencryptedNo conversion needed
-----BEGIN PRIVATE KEY-----PKCS#8, unencryptedConvert to PKCS#1
-----BEGIN ENCRYPTED PRIVATE KEY-----PKCS#8, encryptedDecrypt and convert to PKCS#1
-----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTEDPKCS#1, encryptedDecrypt

To convert to unencrypted PKCS#1:

openssl rsa -in old_server_key.pem -out new_server_key.pem
In OpenSSL 3.x, the openssl rsa command outputs PKCS#8 by default. Add the -traditional flag to output PKCS#1:
openssl rsa -in old_server_key.pem -out new_server_key.pem -traditional

Convert certificate formats

DER to PEM

DER format is commonly used on Java platforms. File extensions are typically .der, .cer, or .crt.

Convert a certificate:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a private key:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

P7B to PEM

P7B format is commonly used on Windows Server and Tomcat.

Convert the certificate:

openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

PFX to PEM

PFX format is commonly used on Windows Server.

Extract the certificate:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Extract the private key:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

What's next