Multi-Certificate files

Typically, there is only one certificate in a file. OpenSSL generally assumes this is the case, so it ignores any after the first when handling server and client certificates.

PEM, PKCS7, and PKCS12 format files can contain multiple certificates. This is useful for storing a bundle of the root certificates of the CAs you trust, a certificate verification chain, or a complete endpoint identity within a single file. To create one of these files you need to concatenate the individual certificates into one file.

For PEM and PKCS7 files, concatenation can be performed by appending one file to another using a text editor. If required, you can split the original files using a text editor. You must ensure that you do not change the data for each individual certificate. Each certificate takes the following format and is terminated by an END CERTIFICATE line:

optional-header-info
-----BEGIN optional-text CERTIFICATE-----
...
-----END optional-text CERTIFICATE-----

As long as you do not change or break up the data between the BEGIN and END lines, the certificate's integrity is maintained. A certificate is rendered useless if its binary content is altered in any way after it was signed, because the CA's signature over it will no longer verify.
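The following Python is an added illustration, not part of the original documentation or of OpenSSL: it splits a concatenated PEM file into its certificate blocks (accepting the optional label text and ignoring any header info, as OpenSSL does) and checks that each block survived editing intact, by decoding the base64 and comparing the length claimed by the certificate's outer DER SEQUENCE with the bytes actually present. The function names and the sample bundle are constructed for the example; the sample is certificate-shaped data, not a real certificate, and the check is structural only, not a signature verification.

```python
import base64
import re

# One PEM certificate block as shown above: optional text before CERTIFICATE
# (e.g. "TRUSTED CERTIFICATE"), and the END line must repeat the same label.
_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]*?CERTIFICATE)-----\r?\n"
                    r"(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)


def der_sequence_length(der):
    """Total length claimed by the outer ASN.1 SEQUENCE (a certificate is one)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                         # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def split_pem_bundle(text):
    """Split a concatenated PEM file into (label, der_bytes) per certificate,
    ignoring header info as OpenSSL does. Raises ValueError for a block damaged
    in editing: bad base64, or a DER length that no longer matches the bytes
    present (the signature of a dropped or truncated base64 line)."""
    certs = []
    for i, m in enumerate(_BLOCK.finditer(text), 1):
        body = "".join(m.group("body").split())   # drop line breaks
        try:
            der = base64.b64decode(body, validate=True)
            claimed = der_sequence_length(der)
        except ValueError as e:
            raise ValueError(f"certificate {i}: {e}") from e
        if claimed != len(der):
            raise ValueError(f"certificate {i}: DER claims {claimed} bytes, {len(der)} present")
        certs.append((m.group("label"), der))
    return certs


def to_pem(der, label="CERTIFICATE"):
    """Encode DER as a PEM block with 64-character lines, as OpenSSL writes it."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample input, not real certificates: two certificate-shaped
# SEQUENCEs (long- and short-form lengths) preceded by header info.
SAMPLE_BUNDLE = ("subject=CN=example (constructed header info, ignored)\n"
                 + to_pem(b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44))
                 + to_pem(b"\x30\x10" + b"\xa5" * 16, "TRUSTED CERTIFICATE"))
```

Deleting one full 64-character line from the first block still decodes as valid base64, so only the DER length comparison catches that kind of editing accident.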

For PKCS12 files, you will need to use OpenSSL to perform the concatenation or splitting process. The number of certificates and keys in a PKCS12 file varies depending on its intended use. It can contain any or all of the following:

The most common PKCS12 variant is a file containing a single identity (ID) certificate, the collection of intermediate CA certificates that signed it (typically without the final CA root certificate), and the private key that matches the public key held within the identity certificate. This enables a client in possession of the single CA root certificate, which is the only element missing from the whole chain of trust, to verify the identity.

When creating a PKCS12 file containing the ID certificate, certificate chain, and private key, the file is typically protected with its own password, just as a private key file is typically protected with a password. As a result, when using a PKCS12 file, it is standard practice for system endpoint configuration options to require a certificate password and no keyfile password.

To generate such a PKCS12 file, perform the following steps:

  1. Concatenate the PEM format certificates into a single PEM file. For example, you can name the file CertChainID.pem.
  2. Identify the private key file associated with the identity certificate in the chain, if any. For example, you can name the file PrivKey.pem, and specify its password as Passwd.
  3. Choose a password for the newly created PKCS12 file. For example, you can specify this as P12Passwd.
  4. Choose an output name for the PKCS12 file. For example, you can name the file CertChainID.p12.
  5. Identify the Common Name (CN) in the ID certificate in the chain. For example, you can specify this as CN_name.
  6. On the command line, type the following:
    openssl pkcs12 -export -in <CertChainID.pem> -inkey <PrivKey.pem> -passin pass:<Passwd> -passout pass:<P12Passwd> -out <CertChainID.p12> -name <CN_name>