Where to get the certificate and certificate chain?
When you request an SSL certificate from your IT department they will send you either:
- A single encrypted file (.pfx) which contains a private key, a certificate and optionally a certificate chain. - In case you received a single .pfx file the following command can be used to extract the certificates: - openssl pkcs12 -in [yourfilename.pfx] -nokeys -out [certificates.crt]- This output .crt file will contain both the client certificate and the certificate chain and can be used to upload in ConfigHub under 'Certificate' and 'Certificate Chain' (upload the same file twice). - Alternatively the following commands can be used to extract only the client certificate from the .pfx file (to upload under 'Certificate' in ConfigHub): - openssl pkcs12 -in [yourfilename.pfx] -clcerts -out [certificate.crt]- and to extract only the certificate chain from the .pfx file (to upload under 'Certificate chain' in ConfigHub): - openssl pkcs12 -in [yourfilename.pfx] -cacerts -out [cachain.crt]- Note- Since the pfx file contains the private key it is passphrase protected and you will be prompted to enter the passphrase when executing the command. You should have received the passphrase from your IT department or CA. 
- A single .pem file which contains a private key, a certificate and optionally a certificate chain - In case you received a single .pem file the following command can be used to extract the certificates: - openssl x509 -in [yourfilename.pem] -nokeys -out [certificates.crt]- This output .crt file will contain both the client certificate and the certificate chain and can be used to upload in ConfigHub under 'Certificate' and 'Certificate Chain' (upload the same file twice). - Alternatively the following command can be used to extract only the client certificate from the .pem file (to upload under 'Certificate' in ConfigHub): - openssl x509 -in [yourfilename.pem] -clcerts -out [certificate.crt]- and to extract only the certificate chain from the .pfx file (to upload under 'Certificate chain' in ConfigHub): - openssl x509 -in [yourfilename.pem] -cacerts -out [cachain.crt]
- In case you received separate files you can simply upload these in ConfigHub.