Forum Discussion

NzYme_68513's avatar
Icon for Nimbostratus rankNimbostratus
Apr 13, 2011

.pem format has to be used for SSL offload?

Trying to setup test scenario for CAS server load balancing on our F5 LTM. We created a test domain with a CA server. We created certificate(.cer) but according to the deployment .pdf for exchange 2010 it has be in .pem format. Does anyone know if it HAS to be in a .pem format? Why can't I just import the .cer file?


3 Replies

  • In 10.2 or so, you can import a PKCS7 cert/key via the SSL certificates page in the GUI. They'll be converted to PEM format. Is your .cer cert/key a DER format? If so, you can use openssl on LTM or off the box to convert:





    openssl x509 -inform der -in certificate.cer -out certificate.pem





    openssl pkcs12 -in certificate.pfx -nodes -out certificate.pem



    For more info, you can search on for convert certificate or search online for openssl convert certificate.



    If you'd like to see the GUI handle this more gracefully, you could open a case with F5 Support and request an enhancement.



  • Hi Aaron,



    Does 10.2 support PKCS7? Do I misremember or isn't document updated?



    sol6549: Converting PKCS certificates to PEM format for use with the BIG-IP




  • We actually support importing of PKCS12 certs in the GUI from 10.1.0. To convert a PCKS7 or DER archive to PEM format you can use openssl and then import via the GUI or copy the files to /config/ssl/ssl.crt/ and /config/ssl/ssl.key/.