You are located in service: Public Key Certificates

Integrate the Server Certificate

Integrate the Server Certificate

Receipt of the server certificate

  • We assume you are using certificates from the GÈANT/TCS PKI in the following descriptions.
  • You will receive a digitally signed e-mail (from "") that the server certificate has been issued.
  • If you had used to submit your certificate signing request, then you can also download your certificate there. You have three download options:
    • just the SSL-Certificate
    • SSL-Certificate and Certificate Chain (1. ssl-cert, 2. intermediate-cert, 3. intermediate-cert)
    • Certificate Chain only (1. intermediate-cert, 2. intermediate-cert)
    • the Root Certificate (Built-in-Token) is not available for download
    • Which certificate chain applies, depends on your chosen cryptographic key algorithm (RSA or ECC) and the chosen path of CSR-submission, so be wary of using the correct certificate chain.

Integration of the server certificate

You need:

  • the received certificate file
  • the generated and saved cryptographic key pair file (private.pem)
  • the appropriate certificate chain.

Depending on the server software used, these files may need to be converted into other formats.

  • Convert from DER to PEM: openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
  • Convert from PEM to DER: openssl x509 -in cert.pem -inform pem -outform der -out cert.crt


Apache uses PEM formatted key parts, so you can easily integrate your key parts.

In the "httpd.conf" the following points are especially important:

  • SSLCertificateFile: Your server certificate
  • SSLCertificateKeyFile: Your private key part
  • SSLCertificateChainFile: The complete certificate chain as PEM formatted file


Like Apache, lighttpd uses key components in PEM format.

In the configuration, the following points are particularly important:

  • ssl.engine = "enable"
  • ssl.pemfile: Combination of
    • the private key part ("private.pem")
    • and the server certificate
    • combine them e.g. via "cat private.pem cert-<serial number>.pem > server.pem"
  • The complete certificate chain as PEM formatted file

Microsoft IIS

In order to use your certificate, you must create a "pkcs12" file from your private key part and your server certificate. This can be done with OpenSSL:

openssl pkcs12 -export -in cert-<Seriennummer>.pem –inkey private.pem -out Ihre_neue_PKCS12_Datei.p12 -name "My Certificate"

  • Use the server certificate issued by thePKI as "cert-<serial number>.pem".
  • The file "private.pem" must correspond to your private key part.
  • The newly created file "Your_new_PKCS12_file.p12" can then be imported into your server software.

You will need to configure your server to use the downloaded intermediate certificates. For further details, check out the available online Microsoft Documentation.


last changed on 01/09/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License