To protect HTTPS websites, the certificate used by these websites needs to be uploaded to NSFOCUS WAF. These certificates may be in different formats, such as .pfx, .crt, and .pem. NSFOCUS WAF, however, supports .cer certificates only. Therefore, the customer needs to extract the certificate information and private key from the original certificate file and then splice them to produce a new .cer certificate instead of just changing the file name extension to .cer. An incorrect .cer certificate would cause NSFOCUS WAF to work improperly and be unable to access the website.
Tips: A .pfx, .crt, or .pem certificate can be converted to a .cer certificate with OpenSSL. For conversion of certificates in other formats, please contact the NSFOCUS Technical Support Team (email: support@nsfocusglobal.com).
1. .pfx to .pem:
A .pfx file cannot be directly converted to .crt. You need to first convert it to the .pem format. Run the following command:
openssl pkcs12 -in xxx.pfx -nodes -out server.pem
2. .pem to .crt:
Run the following commands to extract the website certificate (.crt) and private key from the .pem certificate:
openssl x509 -in server.pem -out server.crt
openssl rsa -in server.pem -out server.key
3. .crt to .cer:
.crt and .key files, which are readable, can be opened with Notepad. Copy the original certificate and private key and paste them to a new .cer file. Splice the contents in strict accordance with this sequence: website certificate > CA certificate > root certificate > private key.
Tips: A complete website certificate may consist of only one .crt file or multiple .crt files. In the latter case, contents of all these .crt files should be copied and pasted to the new .cer file to ensure the integrity of the certificate chain.
After certificate splicing is complete, verify that the certificate chain of the current .cer file is intact, with nothing necessary missing.
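The splicing order and the chain check described above can be tested before upload with the following script, which is an added example and not NSFOCUS tooling. The function names and the file name server.cer are assumptions; the last two functions need the openssl command.

```shell
#!/bin/sh
# Added example: pre-upload checks for a spliced .cer file.
# Function names are illustrative; they are not part of NSFOCUS WAF.

# Constructed sample block with a placeholder body (not a real certificate).
sample_block() { printf '%s\n' "-----BEGIN $1-----" "AAAA" "-----END $1-----"; }

# Print the PEM block labels in file order (tolerates Notepad CRLF endings).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file is: certificate(s) first, one private key last.
check_cer_layout() {
    begins=$(grep -c '^-----BEGIN ' "$1" || true)
    ends=$(grep -c '^-----END ' "$1" || true)
    [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END lines"; return 1; }
    labels=$(pem_labels "$1")
    ncert=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    nkey=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)
    [ "$ncert" -ge 1 ] || { echo "no certificate block"; return 1; }
    [ "$nkey" -eq 1 ] || { echo "expected one private key, found $nkey"; return 1; }
    case $(printf '%s\n' "$labels" | tail -n 1) in
        *"PRIVATE KEY") ;;
        *) echo "private key is not the last block"; return 1 ;;
    esac
    [ "$begins" -eq $((ncert + nkey)) ] || { echo "unexpected block type"; return 1; }
    echo "layout ok: $ncert certificate(s), then private key"
}

# Succeed only if the private key belongs to the first (website) certificate.
key_matches_leaf() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# List subject and issuer of each certificate in file order, so that every
# issuer can be compared with the subject of the certificate that follows.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage: sh check_cer.sh server.cer
if [ "$#" -eq 1 ]; then
    check_cer_layout "$1" && key_matches_leaf "$1" && show_chain "$1" ||
        { echo "check failed for $1"; exit 1; }
fi
```

Because -nodes leaves the private key unencrypted, server.pem, server.key and the spliced .cer file all hold it in clear text; keep them readable only by the operator and delete the intermediate files once the upload succeeds.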
To upload a certificate on NSFOCUS WAF, follow these steps:
1. Choose Security Management > Uploaded File Management > SSL Certificate Management.
2. Click Import in the upper-right corner of the page.
3. Browse to the certificate file, click Open, and then click OK.
Tips: If the certificate file fails to be uploaded, check whether the certificate chain is intact.