SSL certificates and PKCS format

David Stevenson -

Since 4D v16 it is no longer necessary to create a single amalgamated cert.pem file containing the primary cert and all intermediate & root certificates (although that will still work).  However, 4D Server now loads ALL files with a .pem extension, so any old certificate files MUST be removed, only those relevant to the current certificate can be present in the database folder.

4D Server only accepts certificates in .pem format, and they must be in RSA PKCS format (PKCS 1).  Other .pem formats are available, such as PKCS 12, PKCS 8 or PKCS 7.  Most of these create encrypted keys, which 4D Server has no interface for supplying.  You can establish that PKCS 1 has been used by opening your key file - before the key itself will be a line that reads:


If you see


(or anything else) this means that a different pem format has been used in the certificate generation / extraction.  If the client has the pfx file they may be able to re-extract the certificate files in the correct format by use of OpenSSL, or they may be able to request new .pem files from their CA in the correct format.

In the case that the key file is not readable you may not get a certificate error, you may simply get server timeouts, bad gateway errors or other SSL error like RX TOO LONG - there is almost no telling what the symptoms will be, but do not assume that because there is no security warning, or address mis-match (like you expect when you connect to localhost) that the issue is not certificate-related.  If the certificate has been changed, it is the most likely culprit.

It is still that case that all intermediate and root certificates need to be present in the database folder.  They can be included in the amalgamated cert.pem, or they can be in separate .pem files.  It is normal practice to separate the key into a separate key.pem file.

An example of converting a pfx file to rsa is below (there may be other / better / simpler, but this is known to work):

openssl pkcs12 -in \somewhere\mycert.pfx -out \somewhere\mycert.pem -nodes -clcerts

This makes the pkcs8 format pem file from the pfx.  Then:

openssl rsa -in \somewhere\mycert.pem -out \somewhere\myRSAcert.pem


Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk