Here’s a quick one…

While bringing up a new Lync 2013 EE Pool the other day, I did the typical actions when generating the pool certificate:

1. Run through the “Request, Install or Assign Certificates” portion of the Lync 2013 – Deployment Wizard and generate the pool certificate. In this case the pool certificate was going out as a public cert, not internally issued (don’t ask). This means an offline CSR.

2. CSR was sent to those who control the money, who then sent the CSR to the company’s external certificate provider. In this case I actually don’t know who that is.

3. Certificate was returned from the issuing authority as an, oh you know where this is going as it’s in the title for Pete’s sake, .PEM file!!! Curses! Crying! John pushes everything off of his desk! (not really).

This was unexpected to be honest, as I don’t remember ever getting back a .PEM with regards to a Lync deployment unless it was from a load balancer, or a gateway. I have seen, however, that with larger deployments a company may have their own custom portal from the cert provider. This may mean you can’t select the “IIS7” or “Exchange 2010” option when applying the CSR like you can on GoDaddy, etc., so receiving a P7B is not a guarantee. In the case of these types of portals you typically can’t send in a SAN cert as the provider won’t take it, and you then need to add all the SAN names individually on the request form. I hate you for this by the way :). In these cases I use the lovely DigiCert Certificate Utility for Windows to generate the cert, as it can just send a cert with the SAN not in the CSR.

So what to do about this? The PEM thing, not the SAN thing. I tend to wander in case you haven’t noticed. Basically you have 2 options:

1. Use OpenSSL to convert the .PEM to your required format (.crt, pfx, etc). This is pretty straightforward and a really good post on doing this from Jonathan Manning can be found here.

Convert From PEM (.crt file) to .pfx

openssl pkcs12 -export -out doman_com.pfx -inkey doman_com.key -in doman_com.crt -certfile doman_com.ca-bundle

2. Use one of the various web-based tools out there to do the conversion. I like this one from SSL Shopper. Additionally there are some other great web-based SSL utilities here, such as a CSR decoder, certificate checker and such. Again there are a bunch out there so whatever you prefer.
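For option 1, an added example (not from the original post or the linked one) that wraps the same OpenSSL conversion: it confirms the returned PEM certificate matches the private key before building the PFX, then reads the PFX back to confirm it opens. The function names, file arguments and the PFX_PASS environment variable are hypothetical, and the private key is assumed to be an unencrypted PEM file.

```shell
#!/usr/bin/env bash
# Added example: build a PFX from a returned PEM certificate only after
# confirming it matches the private key. All names here are hypothetical.

# SHA-256 of the public key embedded in a PEM certificate.
cert_pubkey_hash() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a PEM private key.
key_pubkey_hash() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: pem_to_pfx CERT.pem KEY.pem OUT.pfx [CHAIN.pem]
# PFX_PASS must be exported. Returns 2 on bad input, 3 on a cert/key mismatch.
pem_to_pfx() {
    local cert="$1" key="$2" out="$3" chain="${4:-}" ch kh
    [ -n "${PFX_PASS:-}" ] || { echo "export PFX_PASS first" >&2; return 2; }
    ch=$(cert_pubkey_hash "$cert") || { echo "cannot read cert: $cert" >&2; return 2; }
    kh=$(key_pubkey_hash "$key") || { echo "cannot read key: $key" >&2; return 2; }
    if [ "$ch" != "$kh" ]; then
        echo "certificate does not match private key" >&2
        return 3
    fi
    # env: keeps the password off the command line (process list, history).
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
        ${chain:+-certfile "$chain"} -passout env:PFX_PASS || return 4
    # Read the PFX back to confirm it opens and show what it contains.
    openssl pkcs12 -in "$out" -passin env:PFX_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Run directly as: ./pem2pfx.sh CERT.pem KEY.pem OUT.pfx [CHAIN.pem]
if [ "$#" -ge 3 ]; then pem_to_pfx "$@"; fi
```
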


Hope this helps. Please submit other sites, tools, or better ways to handle these types of certificates.


Thanks