Generating an identity certificate chain in the PKCS12 format

Last Updated: Jun 10, 2026

About this task

If you want to use an identity certificate signed by a third-party certificate authority (CA), you must generate an identity certificate chain. An identity certificate chain must include the following certificates:

  1. The third-party CA-signed identity certificate.

  2. All intermediate CA certificates, if any.

  3. The root CA certificate.

Assign this certificate chain to a specific Avaya Aura® Web Gateway server interface.

Use this procedure to generate an identity certificate chain in the PKCS12 format. You must do this if the CA does not provide a PKCS12 certificate chain that includes all required certificates.

Tip:

The commands in this procedure must be entered as a single line even if they appear as multiple lines in the document.

Before you begin

  • Ensure that the OpenSSL library is installed on Avaya Aura® Web Gateway.

  • Ensure that you have the following certificate files:

    • The third-party CA-signed identity certificate in the PKCS12 format.

      Certificate files in the PKCS12 format usually have the .p12 extension.

    • A certificate chain in the PEM format that includes all intermediate and root CA certificates.

Procedure

  1. Log in to the Avaya Aura® Web Gateway using your SSH credentials.
  2. Navigate to the directory with the certificates.
  3. Run the following command to get a private key from the identity certificate file:

    openssl pkcs12 -in <certificate_file_name> -out <private_key_file> -nocerts

    In this command:

    • <certificate_file_name> is the file name of the identity certificate in the PKCS12 format.

    • <private_key_file> is the file name to which the private key is written.

    For example: openssl pkcs12 -in certificate.p12 -out privateKey.key -nocerts

  4. Run the following command to get the identity certificate in the PEM format from the .p12 certificate file:

    openssl pkcs12 -in <certificate_file_name> -out <identity_certificate> -nokeys

    In this command:

    • <certificate_file_name> is the .p12 certificate file name.

    • <identity_certificate> is the file name to which the identity certificate is written in the PEM format.

    For example: openssl pkcs12 -in certificate.p12 -out certificate.pem -nokeys

  5. Run the following command to create an identity certificate chain in the PKCS12 format:

    openssl pkcs12 -export -out <certificate_chain> -inkey <private_key_file> -in <identity_certificate> -certfile <CA_certificate_chain>

    In this command:

    • <certificate_chain> is the file name of the resulting identity certificate chain in the PKCS12 format.

    • <private_key_file> is the file name of the private key.

    • <identity_certificate> is the file name of the identity certificate in the PEM format.

    • <CA_certificate_chain> is the file name of a certificate chain in the PEM format that includes all intermediate and root CA certificates.

    For example: openssl pkcs12 -export -out certificateChain.p12 -inkey privateKey.key -in certificate.pem -certfile CACert.pem
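
The following added example (not part of the original procedure or of the product's own tooling) runs steps 3 to 5 against a constructed throwaway CA and then checks the result: the chain file holds every expected certificate, the identity certificate verifies against the CA file, and the extracted private key matches the certificate. The password, certificate subjects, function names, and the use of `-passin`/`-passout` for a non-interactive run are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI. File names mirror the page's examples;
# the password, subjects and helper function names are assumptions.
PW='pass:constructed-example-only'

make_fixture() {  # $1 = dir. Test root CA, leaf cert, and the leaf-only .p12 a CA might send.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -days 2 \
    -subj '/CN=Constructed Root CA' -keyout "$1/root.key" -out "$1/CACert.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj '/CN=gateway.example.test' -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/CACert.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/leaf.pem" -inkey "$1/leaf.key" \
    -out "$1/certificate.p12" -passout "$PW"
}

build_chain() {  # $1 = dir. Steps 3-5 of the procedure, with pass phrases supplied non-interactively.
  ( cd "$1" && umask 077 &&   # keep the extracted key readable by its owner only
    openssl pkcs12 -in certificate.p12 -out privateKey.key -nocerts -passin "$PW" -passout "$PW" &&
    openssl pkcs12 -in certificate.p12 -out certificate.pem -nokeys -passin "$PW" &&
    openssl pkcs12 -export -out certificateChain.p12 -inkey privateKey.key \
      -in certificate.pem -certfile CACert.pem -passin "$PW" -passout "$PW" )
}

check_chain() {  # $1 = dir. Succeeds only if the new .p12 is complete and consistent.
  ( cd "$1" &&
    openssl pkcs12 -in certificateChain.p12 -nokeys -passin "$PW" -out all.pem &&
    # The chain file must hold the identity certificate plus every CA certificate.
    want=$(( $(grep -c 'BEGIN CERTIFICATE' certificate.pem) + $(grep -c 'BEGIN CERTIFICATE' CACert.pem) )) &&
    [ "$(grep -c 'BEGIN CERTIFICATE' all.pem)" -eq "$want" ] &&
    # The identity certificate must chain to the supplied CA certificates.
    openssl verify -CAfile CACert.pem certificate.pem >/dev/null &&
    # The extracted private key must belong to the identity certificate.
    k=$(openssl pkey -in privateKey.key -passin "$PW" -pubout | openssl dgst -sha256) &&
    c=$(openssl x509 -in certificate.pem -noout -pubkey | openssl dgst -sha256) &&
    [ "$k" = "$c" ] )
}

d=$(mktemp -d) && make_fixture "$d" && build_chain "$d" && check_chain "$d" && echo "chain OK"
rm -rf "$d"
```

With real files, only the commands inside `check_chain` are needed after step 5; a failure of `openssl verify` means the PEM chain file is missing an intermediate or root CA certificate, or belongs to a different CA.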