A “Privacy Enhanced Mail” (PEM) file is just a concatenated chain of certificates and is the easiest way to install a signed SSL certificate for use by tomcat or haproxy. PEM files are used in certificate installations when multiple certificates are needed to form a complete chain of trust that ends in the CA (Certificate Authority) certificate. There is no magic in a .pem file. It is just a file that can include the entire certificate chain (private key, public key, root certificates).
Create a self-signed .pem file
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Create a .pem file for a signed cert
This example assumes you already have a signed certificate made up of 3 files (if using a self signed cert, you might not have the ca-bundle.crt
).
- private.key
- server.crt
- ca-bundle.crt
To create a pem file, combine the private key, public certificate and any 3rd party intermediate certificate files. The order of the file inclusion is important and starts with the private key, followed by the signed cert and then finally the third party certificates. The last cert that should be added is the final CA cert.
cat private.key > my-server.pem
cat server.crt >> my-server.pem
cat ca-bundle.crt >> my-server.pem
Note: Repeat the last step as needed for multiple third-party certificate chain files.