Issue
How to confirm that a certificate file is in the PEM format that EBO requires, and which fields to read from it so that the correct certificate is installed on the correct server.
Sample of certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Enterprise Central
- Building Operation Enterprise Server
- Building Operation Automation Server
- Building Operation Edge Server
Cause
Certificate files are supplied by a third party (the certificate authority or whoever generated them). Their file names often do not match the name of the server they are installed on, and they can be delivered in several formats (PEM, DER, PFX) and with a chain or a private key bundled into the same file.
Resolution
- Open the file with a text editor (as shown in the Issue section above). If the file shows only binary garbage, it is not PEM (it is probably DER or PFX) and must be converted before it can be inspected this way.
- PEM files can include header lines before the base64 body (for example Proc-Type: and DEK-Info: on an encrypted private key) that help identify the contents. The sample above has none.
- Each block is enclosed by a BEGIN line and an END line that state what the block contains:
- -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- enclose a certificate signing request (CSR) in PEM format. A CSR is what you send to the CA; it is not a certificate and cannot be installed on the server.
- -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- enclose a private key in PEM format (-----BEGIN PRIVATE KEY----- and -----BEGIN ENCRYPTED PRIVATE KEY----- are the newer PKCS#8 forms). The private key stays on the server and must never be sent to the CA or included in a file you hand out.
- -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- enclose a certificate in PEM format.
The file looks like this if the PEM file includes the SSL certificate chain: one block per certificate, with the end-entity (server) certificate first, followed by the intermediate CA certificate(s) and optionally the root.
-----BEGIN CERTIFICATE-----
//end-user (server) certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
//intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
//root CA certificate
-----END CERTIFICATE-----
- NOTE: Every END line, including the last one in the file, must be followed by a line break. Some parsers reject a file whose final END line is not terminated.
- openssl x509 reads only the first certificate in a file, so make sure the file you examine contains a single certificate. For a chain, copy the file once per certificate, open each copy, and keep only one BEGIN/END block in each.
- Open Command Prompt and locate the copy of OpenSSL installed with EBO (any other OpenSSL installation on the machine also works).
- Run the following command, where server.pem is the PEM file you are inspecting:
openssl.exe x509 -in server.pem -text -noout
- Example output from the sample above:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:17:51:7b:1b:07:f2:e9:4b:45:53:42:cc:ff:1c:57
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Jan 17 00:00:00 2019 GMT
            Not After : Apr 17 23:59:59 2019 GMT
        Subject: OU = Domain Control Validated, OU = Free SSL, CN = web-security.cz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c3:42:e6:dc:14:cf:bf:18:ca:f5:bd:63:e6:af:
                    a4:16:4b:66:31:85:2d:96:cd:64:dd:ed:ba:45:8b:
                    ff:5c:2e:c0:b5:2b:86:e0:a3:bb:52:03:5d:69:c9:
                    6b:bb:ee:e0:81:40:fe:6f:df:80:3e:bc:63:e2:3a:
                    04:41:7f:b5:dc:3d:e1:31:9c:fd:7d:27:f9:0d:f6:
                    e9:90:77:7d:ff:1e:e7:e1:85:da:8d:a8:5d:00:94:
                    11:7e:b4:c0:6b:f5:ef:32:31:f2:30:98:66:d6:8f:
                    f6:b5:9e:91:4c:d6:9a:43:4f:6a:02:26:6e:85:9e:
                    61:22:d6:92:de:c6:bd:d2:42:53:b5:58:f2:4a:4a:
                    9b:b6:3f:24:5f:cf:42:ce:19:e7:e7:78:1c:cb:1f:
                    92:72:7e:3e:87:c8:ed:57:b7:c1:3d:1a:3c:4e:1a:
                    89:0d:fe:31:6a:f2:c5:c9:d9:63:31:fb:c4:da:5e:
                    07:b5:1b:91:f1:48:78:39:22:e1:7d:6f:91:51:4c:
                    d8:3a:34:ec:89:18:f5:d3:bc:77:45:0d:23:79:43:
                    0c:90:e9:c4:20:96:e2:45:4e:97:cc:90:4d:1b:66:
                    c8:f6:66:b5:79:39:ba:8c:85:70:21:21:28:fe:7f:
                    4f:68:31:36:bf:4a:37:32:28:ae:71:34:17:b2:d9:
                    7e:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier:
                87:76:25:68:CF:BB:0C:A5:89:1D:16:C4:16:60:7A:0C:70:96:54:23
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
            X509v3 Subject Alternative Name:
                DNS:web-security.cz, DNS:www.web-security.cz
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
                                38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
                    Timestamp : Jan 17 09:06:16.765 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:B5:9A:14:2E:09:83:C8:4A:69:60:AF:
                                67:98:35:8D:46:34:46:70:4F:81:06:8F:C3:2D:A6:A8:
                                69:85:A0:EC:2F:02:20:7F:B4:50:27:5A:E9:3C:5C:97:
                                4E:62:9C:0B:0C:A7:39:5E:3C:42:F2:67:78:5A:C2:01:
                                1D:98:CB:A0:2B:76:D7
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Jan 17 09:06:16.843 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:99:D1:1B:AA:5F:B5:A5:65:9F:1E:6A:
                                64:63:7E:09:CE:20:8E:43:36:83:94:55:6D:50:57:A7:
                                F9:B9:60:21:6C:02:20:15:67:C0:30:F7:BE:7C:12:B2:
                                B3:B6:4F:90:A5:A3:93:E3:A9:AF:B1:C5:4E:CE:B6:B2:
                                E8:FD:94:46:90:80:81
    Signature Algorithm: sha256WithRSAEncryption
         33:38:cf:65:4b:74:52:53:ba:cb:cb:c4:f7:05:f8:b1:1e:fb:
         9a:12:b6:7e:60:e1:c2:1e:96:21:94:27:92:b8:56:7a:ea:35:
         47:b9:e6:16:be:07:c5:f0:0f:9e:9d:17:4c:33:49:34:cf:43:
         c2:f5:e9:d1:12:7b:a6:34:3a:b7:9a:c0:9f:59:88:52:2d:de:
         65:0d:78:84:75:d8:36:18:2a:d7:93:08:4e:15:f3:a2:1b:4b:
         72:c1:2e:42:0f:e8:4b:b1:3a:b5:2d:09:16:0d:08:3b:10:a9:
         48:6f:a7:5d:85:a6:4e:21:81:10:f7:1c:04:ed:a7:a1:ca:74:
         04:bc:08:ef:dd:4c:9e:bc:c6:1f:bf:0e:e0:95:8f:8c:5b:96:
         e4:31:fb:31:3e:77:43:0f:58:03:6e:76:2d:f2:4c:9e:9e:37:
         2f:a1:d8:e7:92:f4:f0:e2:78:27:0b:2d:60:17:d9:95:5a:48:
         10:b0:4d:63:df:81:44:47:56:d5:b5:1f:c5:96:ca:48:d0:50:
         7e:a2:05:78:42:1b:28:d4:dd:b7:0f:0b:45:54:32:b1:1f:ca:
         7e:75:d6:21:d4:b5:f8:6f:a3:b2:dd:d6:6a:ce:de:07:39:cb:
         a7:3c:ab:05:bf:7e:80:06:97:93:b3:c1:4f:3a:38:10:b9:e4:
         d6:7c:74:38
- Notable fields include:
- Issuer: CN = : the common name (CN) of the issuer, here Sectigo RSA Domain Validation Secure Server CA, which is the certificate that signed this one. If the Issuer is the same as the Subject, the certificate is, in most cases, self-signed (compare the X509v3 Authority Key Identifier with the X509v3 Subject Key Identifier to confirm). Root CA certificates are self-signed and are trusted only because they are added to the client system's trust store; a self-signed server certificate is likewise trusted only on clients where it has been added to the trust store.
- Validity: Not Before / Not After: the period during which the certificate is valid; Not After is the expiration date. A certificate outside this window fails validation regardless of its other fields (the sample expired on Apr 17 2019).
- Subject: CN = : the common name (CN) of the server on which the certificate should be installed, in this case web-security.cz.
- X509v3 Subject Alternative Name: the SAN extension lists every name the certificate is valid for: additional DNS names (including local DNS names) and IP addresses (shown as IP Address: entries). If the server serves content for multiple domains or subdomains, all of them are listed here. In this sample two DNS names are listed: web-security.cz and www.web-security.cz. Current browsers ignore the CN and check only the SAN, so the name used to reach the server must appear in this list.
- X509v3 Basic Constraints: CA:FALSE marks an end-entity (server) certificate. A block showing CA:TRUE is a CA certificate from the chain, not the certificate to install as the server certificate.
- Compare the CN and the SAN entries with the host name or IP address used to access the server; if that name is not one of them, certificate validation fails on the client. To verify the certificate and its chain, see the article Verify certificates with OpenSSL.
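The steps above can be run as one script on the EBO server. The following PowerShell is an added example, not code from the article or from EcoStruxure Building Operation: it normalises copy/paste dashes, classifies every PEM block by its BEGIN label, checks that each body is valid base64 and that the file ends with a line break, splits a chain into one-certificate files (because openssl x509 only reads the first block), dumps each file with the article's openssl.exe x509 -text -noout command, and compares the Subject CN and SAN entries with the name used to reach the server. The parameter names, the server.pem placeholder and the location of openssl.exe are assumptions; pass the full path of the copy installed with EBO if it is not on PATH.

```powershell
# Added example (not from the original article). Assumed: PowerShell 5.1 on the EBO
# server; $PemPath, $ServerName and $OpenSsl are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $PemPath,      # e.g. C:\certs\server.pem
    [Parameter(Mandatory)] [string] $ServerName,   # host name or IP address typed into the browser
    [string] $OpenSsl = 'openssl.exe'              # full path of the EBO copy if it is not on PATH
)

function Test-NameMatch {
    # Does a certificate name (SAN entry or CN) cover $Name? A wildcard is honoured only
    # in the leftmost label and matches exactly one label (RFC 6125 rules).
    param([string] $Pattern, [string] $Name)
    if ($Pattern -eq $Name) { return $true }                      # -eq is case-insensitive
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                            # ".example.com"
        if ($Name.Length -le $suffix.Length -or -not $Name.EndsWith($suffix)) { return $false }
        return $Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.'
    }
    return $false
}

$PemPath = (Resolve-Path $PemPath).Path
$text = Get-Content -Path $PemPath -Raw
if (-not $text.EndsWith("`n")) {
    Write-Warning 'No line break after the last END line; some parsers reject such a file.'
}
# Copying from a web page often turns the five hyphens into en/em dashes; put them back.
$text = $text -replace '[\u2013\u2014-]{2,}', '-----'

# One match per block; the label says what it is (CERTIFICATE, CERTIFICATE REQUEST, RSA PRIVATE KEY, ...).
$blocks = [regex]::Matches($text, '-----BEGIN (?<label>[A-Z0-9 ]+)-----\r?\n(?<body>[\s\S]*?)-----END \k<label>-----')
if ($blocks.Count -eq 0) { throw "No PEM blocks in $PemPath (is it DER or PFX rather than PEM?)" }

foreach ($b in $blocks) {
    # Header lines such as Proc-Type:/DEK-Info: are not base64; skip them before decoding.
    $b64 = ($b.Groups['body'].Value -split '\r?\n' | Where-Object { $_ -and $_ -notmatch ':' }) -join ''
    try   { [void][Convert]::FromBase64String($b64); $state = 'base64 body OK' }
    catch { $state = 'base64 body CORRUPT' }
    Write-Host ('{0,-22} {1}' -f $b.Groups['label'].Value, $state)
}

$certs = @($blocks | Where-Object { $_.Groups['label'].Value -eq 'CERTIFICATE' })
Write-Host "$($certs.Count) certificate block(s) found$(if ($certs.Count -gt 1) { ' (chain: end-entity first, then intermediate(s), then root)' })."

$base = [IO.Path]::Combine([IO.Path]::GetDirectoryName($PemPath), [IO.Path]::GetFileNameWithoutExtension($PemPath))
$i = 0
foreach ($c in $certs) {
    $i++
    $single = "$base-$i.pem"                                       # one certificate per file
    Set-Content -Path $single -Value ($c.Value + "`n") -NoNewline -Encoding Ascii

    $dump = (& $OpenSsl x509 -in $single -text -noout 2>&1) -join "`n"   # the article's command
    if ($LASTEXITCODE -ne 0) { Write-Warning "openssl could not parse ${single}: $dump"; continue }
    & $OpenSsl x509 -in $single -noout -checkend 0 | Out-Null    # exit code 1 when already expired
    $expired = $LASTEXITCODE -ne 0

    $subjectCn = [regex]::Match($dump, 'Subject:.*?CN\s*=\s*([^,\n/]+)').Groups[1].Value.Trim()
    $issuerCn  = [regex]::Match($dump, 'Issuer:.*?CN\s*=\s*([^,\n/]+)').Groups[1].Value.Trim()
    $notAfter  = [regex]::Match($dump, 'Not After\s*:\s*(.+)').Groups[1].Value.Trim()
    $isCa      = $dump -match 'CA:TRUE'
    $names     = @([regex]::Matches($dump, '(?:DNS|IP Address):([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })

    Write-Host "`n[$i] $single"
    Write-Host "    Subject CN : $subjectCn"
    Write-Host "    Issuer CN  : $issuerCn$(if ($subjectCn -eq $issuerCn) { '  (same as subject: self-signed or root CA)' })"
    Write-Host "    Not After  : $notAfter$(if ($expired) { '  ** EXPIRED **' })"
    Write-Host "    CA:TRUE    : $isCa$(if ($isCa) { '  (CA certificate, not the server certificate)' })"
    Write-Host "    SAN        : $($names -join ', ')"

    if ($isCa) { continue }
    # Browsers match against the SAN; fall back to the CN only for a legacy certificate with no SAN.
    $candidates = if ($names.Count -gt 0) { $names } else { @($subjectCn) }
    if ($candidates | Where-Object { Test-NameMatch -Pattern $_ -Name $ServerName }) {
        Write-Host "    $ServerName is covered by this certificate."
    } else {
        Write-Warning "$ServerName is not in the CN/SAN of $single; clients using that name will fail validation."
    }
}
```

Run it as .\Inspect-Pem.ps1 -PemPath C:\certs\server.pem -ServerName ebo.example.local -OpenSsl 'C:\path\to\openssl.exe' (all three values are placeholders). The split files are written next to the input so each can be inspected with the article's command by hand; a warning on the end-entity certificate means the name users type does not appear in its SAN, which is exactly the condition under which browsers reject the connection.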