File Names for Certificates and Keys

For all parameters that specify the identity (digital certificate), private key, issuer (certificate chain), or trusted list of certificate authorities, valid files must be specified. Not all types of files are supported for clients and servers. The description of each parameter details which formats it supports.

The following table lists the valid types of files.

Extension Description
.pem PEM encoded certificates and keys (allows the certificate and private key to be stored together in the same file)
.der DER encoded certificates
.p8 PKCS#8 file
.p7b PKCS#7 file
.p12 PKCS12 file (allows the certificate and private key to be stored together in the same file)
.jks Java KeyStore file

Certificates are located in the EMS_HOME/samples/certs directory. EMS is installed with some sample certificates and private keys that are used by the sample configuration files.

The sample certificates include:

  • A root, self-signed certificate and corresponding private keys in encrypted PEM and PKCS8 formats:
        server_root.cert.pem
        server_root.key.pem
        server_root.key.p8
  • A server certificate and corresponding private keys in encrypted PEM and PKCS8 formats. This certificate is issued by server_root.cert.pem and is used by the server:
        server.cert.pem
        server.key.pem
        server.key.p8
  • A root, self-signed certificate and corresponding private key in encrypted PEM and PKCS8 formats.
        client_root.cert.pem
        client_root.key.pem
        client_root.key.p8
  • A client certificate and corresponding private key in encrypted PEM and PKCS8 formats. This certificate is issued by client_root.cert.pem and is used by the clients:
        client.cert.pem
        client.key.pem
        client.key.p8
  • A PKCS12 file that includes the client.cert.pem client certificate, the client.key.pem client private key, and the client_root.cert.pem issuer certificate:
        client_identity.p12
  • An identity file to be used with the --https-identity command line option for Central Administration, along with the corresponding self-signed root certificate to be used by web browsers connecting to Central Administration through HTTPS:
        emsca_https_identity.p12
        emsca_https_root.cert.pem