PEM format requirements for certificates and domain keys
When you add a certificate, whether self-generated or Certificate Authority-signed, and when you import a domain key, ensure that the certificate or domain key meets the following requirements:
- The certificate or domain key must be stored in a file in PEM format with the certificate or domain key included as Base64-encoded text between the following markers:
  - For a certificate, -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  - For a PKCS#8 domain key, -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----.
  - For an OpenSSL domain key, -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

  Any text outside of the begin and end markers is ignored.

  The formats for certificates and domain keys are identical, except for the beginning and ending markers.

  Base64 text consists of only uppercase and lowercase Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols.
- The file must be encoded as US-ASCII or UTF. The file cannot contain extended ASCII or non-ASCII characters.
- When you add or replace CA certificates (Update or Restore), a file can contain multiple certificates.
- The extension of the file that contains the certificate or domain key does not matter. The .txt or .crt extensions are typically used for certificates, and the .key extension is typically used for domain keys.
- The file that contains the certificate or domain key must be accessible from the browser that you use to access the Control Center.
The following is a sample PEM format CA certificate:
Text before Begin Certificate is ignored.
-----BEGIN CERTIFICATE-----
MIICPTCCAaYCEQDNun9W8N/kvFT+IqyzcqpVMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
NjAxMjkwMDAwMDBaFw0yODA4MDEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJp
bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIguVzqKCbJF0N
H8xlbgyw0FaEGIeaBpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR
4k5FVmkfeAKA2txHkSm7NsljXMXg1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAATAN
BgkqhkiG9w0BAQIFAAOBgQBMP7iLxmjf7kMzDl3ppssHhE16M/+SG/Q2rdiVIjZo
EWx8QszznC7EBz8UsA9P/5CSdvnivErpj82ggAr3xSnxgiJduLHdgSOjeyUVRjB5
FvjqBUuUfx3CHMjjt/QQQDwTw18fU+hI5Ia0e6E1sHslurjTjqs/OJ0ANACY89Fx
lA==
-----END CERTIFICATE-----
Text after End Certificate is ignored.
When you add a domain key, Symantec Messaging Gateway generates the domain key in a way that meets PEM format requirements.
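A file can be checked against the marker, Base64, and ASCII requirements above before it is uploaded. The following Python sketch is an added example, not Symantec code; the function name `check_pem` and the sample data are assumptions, and it checks format only, not whether the decoded bytes form a valid certificate or key.

```python
import base64
import binascii
import re

# Marker labels listed above: certificate, PKCS#8 domain key, OpenSSL domain key.
ALLOWED_LABELS = {"CERTIFICATE", "PUBLIC KEY", "RSA PRIVATE KEY"}
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9#][A-Z0-9# ]*)-----(.*?)-----END \1-----", re.DOTALL)

def check_pem(data: bytes):
    """Return (blocks, problems); blocks is a list of (label, decoded_length)."""
    problems, blocks = [], []
    try:
        text = data.decode("ascii")  # extended ASCII / non-ASCII bytes fail here
    except UnicodeDecodeError as exc:
        return blocks, [f"non-ASCII byte at offset {exc.start}"]
    # Only text between matching markers is examined; the rest is ignored.
    for match in BLOCK_RE.finditer(text):
        label, body = match.group(1), "".join(match.group(2).split())
        if label not in ALLOWED_LABELS:
            problems.append(f"unexpected marker label: {label}")
            continue
        try:
            # validate=True rejects characters outside the Base64 alphabet
            # (trailing "=" padding is accepted).
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            problems.append(f"{label}: invalid Base64 ({exc})")
            continue
        if not decoded:
            problems.append(f"{label}: empty body")
            continue
        blocks.append((label, len(decoded)))
    if not blocks and not problems:
        problems.append("no BEGIN/END marker pair found")
    return blocks, problems

# Constructed sample: the Base64 body is arbitrary bytes, not a real certificate.
SAMPLE_BODY = base64.b64encode(bytes(range(60))).decode("ascii")
SAMPLE = (
    "Text before the marker is ignored.\n"
    "-----BEGIN CERTIFICATE-----\n" + SAMPLE_BODY + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + SAMPLE_BODY + "\n-----END CERTIFICATE-----\n"
    "Text after the marker is ignored.\n"
).encode("ascii")

if __name__ == "__main__":
    print(check_pem(SAMPLE))
```

An empty problem list together with the expected number of blocks indicates that the file meets the format requirements listed above.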