Classic Load Balancer (CLB) only accepts PEM-formatted certificates. This page covers the format requirements for certificates and private keys, and the OpenSSL commands to convert DER, P7B, and PFX certificates to PEM.
Supported certificate types
CLB supports RSA certificates only. ECDSA (Elliptic Curve Digital Signature Algorithm) certificates are not supported.
| Algorithm | Supported key sizes |
|---|---|
| RSA | 1024, 2048, 4096 bits |
Certificate format requirements
PEM files are highly sensitive to formatting. A single extra space or incorrect character invalidates the certificate, certificate chain, or private key.
Root CA-issued certificates
If a root certificate authority (CA) issued your certificate directly, upload the certificate only — no chain is required.
Format requirements:
Start with
-----BEGIN CERTIFICATE-----and end with-----END CERTIFICATE-----64 characters per line (except the last line)
No spaces or blank lines
Intermediate CA-issued certificates
If an intermediate CA issued your certificate, upload the full certificate chain. Concatenate the certificates in this order:
Server certificate (your certificate)
Intermediate certificate(s)
Root certificate (optional, typically omitted)
Format requirements:
No blank lines between certificates
64 characters per line (per RFC 1421)
No spaces in certificate content
Example chain structure:
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate, optional)
-----END CERTIFICATE-----Private key requirements
When uploading a server certificate, also upload its private key.
CLB requires unencrypted PKCS#1 format private keys. The private key must:
Start with
-----BEGIN RSA PRIVATE KEY-----and end with-----END RSA PRIVATE KEY-----Have 64 characters per line (except the last line)
Contain no blank lines
Identify and convert your private key format
Check the header of your private key file to determine whether conversion is needed:
| Header | Format | Action |
|---|---|---|
-----BEGIN RSA PRIVATE KEY----- (no Proc-Type line) | PKCS#1, unencrypted | No conversion needed |
-----BEGIN PRIVATE KEY----- | PKCS#8, unencrypted | Convert to PKCS#1 |
-----BEGIN ENCRYPTED PRIVATE KEY----- | PKCS#8, encrypted | Decrypt and convert to PKCS#1 |
-----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED | PKCS#1, encrypted | Decrypt |
To convert to unencrypted PKCS#1:
openssl rsa -in old_server_key.pem -out new_server_key.pemIn OpenSSL 3.x, theopenssl rsacommand outputs PKCS#8 by default. Add the-traditionalflag to output PKCS#1:
openssl rsa -in old_server_key.pem -out new_server_key.pem -traditionalConvert certificate formats
DER to PEM
DER format is commonly used on Java platforms. File extensions are typically .der, .cer, or .crt.
Convert a certificate:
openssl x509 -inform der -in certificate.cer -out certificate.pemConvert a private key:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pemP7B to PEM
P7B format is commonly used on Windows Server and Tomcat.
Convert the certificate:
openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cerPFX to PEM
PFX format is commonly used on Windows Server.
Extract the certificate:
openssl pkcs12 -in certname.pfx -nokeys -out cert.pemExtract the private key:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes