Multiple PEM Format Certificates

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Normally there is only one certificate in a file. OpenSSL generally assumes this is the case, so it ignores any after the first when handling server and client certificates.

However, a file can contain multiple PEM and PKCS7 format certificates. This is useful for storing a bundle of the root certificates of the CAs you trust, or a certificate verification chain. To use the certificates, you will need to split the file into one file per certificate.

You can split the file using a text editor, but you must take care to not change the data for each individual certificate. Each certificate takes the following format and is terminated by the END CERTIFICATE line:

optional-header-info
------BEGIN optional-text CERTIFICATE-----
...
------END optional-text CERTIFICATE----- 

As long as you do not change or break up the data within the BEGIN and END lines, the certificate itself is complete. A certificate is rendered useless unless it retains its binary composition that was created when it was originally signed.