SSL/TLS certificates traditionally use PEM format with base64-encoded data split into 64-character lines (often mistaken as 67 characters due to the inclusion of BEGIN/END markers). This formatting originates from RFC 7468 standards, designed for:
- Human readability in terminal environments
- Compatibility with legacy systems
- Easier manual inspection and editing
While line breaks aren't cryptographically significant, many implementations enforce the PEM format strictly. Apache's mod_ssl, for instance, performs format validation before processing. However, the certificate chain itself remains valid without breaks.
Key considerations:
# Working example (with line breaks)
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
...
-----END CERTIFICATE-----

# Problematic single-line version
-----BEGIN CERTIFICATE-----MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw...-----END CERTIFICATE-----
For infrastructure automation, consider these approaches:
# Option 1: Use line breaks in template
# (assumes the attribute already holds base64 wrapped at 64 characters)
file '/etc/ssl/certs/mycert.pem' do
  content lazy {
    <<~EOC
      -----BEGIN CERTIFICATE-----
      #{node['ssl']['certificate_data']}
      -----END CERTIFICATE-----
    EOC
  }
end

# Option 2: Programmatic line insertion
file '/etc/ssl/certs/mycert.pem' do
  content lazy {
    cert = node['ssl']['certificate_data']
    "-----BEGIN CERTIFICATE-----\n" +
      cert.scan(/.{1,64}/).join("\n") +
      "\n-----END CERTIFICATE-----\n"
  }
end
When strict PEM validation causes issues:
- Convert to DER format (binary) using openssl x509 -outform der
- Use PKCS#12 containers for combined certs/keys
- Consider Nginx's more flexible parser if switching web servers is an option
For Apache-specific troubleshooting:
# Test config syntax
apachectl configtest

# Verify certificate separately
openssl x509 -in /path/to/cert.pem -text -noout

# Check error logs
tail -f /var/log/apache2/error.log
SSL/TLS certificates traditionally use a 64-character line break convention (with 67 characters per line including the line ending). This formatting dates back to the PEM format specification (RFC 7468), which recommends this structure for better human readability and compatibility with older systems.
From a purely technical standpoint, SSL certificates can exist without line breaks. The cryptographic validation only cares about the actual certificate data, not the whitespace formatting. Here's what happens when you remove line breaks:
-----BEGIN CERTIFICATE-----
MIIF......QqF
-----END CERTIFICATE-----
While technically possible, many servers and tools expect the standard formatting:
- Apache httpd may fail to load the certificate
- OpenSSL commands might produce warnings
- Some security scanners flag non-standard formatting
For Chef users needing to generate certificates from variables, here's a proper implementation that maintains compatibility:
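file '/etc/ssl/certs/mycert.pem' do
  # Strip any existing whitespace, then wrap at 64 characters. scan/join avoids
  # the blank line that gsub(/(.{64})/, "\\1\n") leaves before the END marker
  # when the data length is an exact multiple of 64.
  content <<~EOF
    -----BEGIN CERTIFICATE-----
    #{node['ssl_certificate'].gsub(/\s+/, '').scan(/.{1,64}/).join("\n")}
    -----END CERTIFICATE-----
  EOF
  owner 'root'
  group 'root'
  mode '0644'
end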
In these scenarios, single-line certificates could be acceptable:
- Embedded in JSON configurations
- When using certain API endpoints
- In memory-based certificate storage
For maximum compatibility across all systems, it's recommended to:
- Maintain standard 64-character line breaks
- Use proper BEGIN/END markers
- Include the trailing newline
For tools that absolutely require single-line format, consider implementing a transformation layer that converts between formats as needed.
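One way to build such a transformation layer in plain Ruby, shown as an added example that is not code from the original page. The names pem_blocks, pem_wrap and pem_single_line and the sample bytes are constructed for illustration; the example goes slightly beyond the single-certificate case by also handling chain files with several blocks.

```ruby
# Added example: PEM re-wrapping that never alters the encoded bytes.
# All names and the sample data below are constructed for illustration.

PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----/m

# Return [[label, der_bytes], ...] for every PEM block in +text+.
# Whitespace inside a body is ignored; anything else that is not
# valid base64 raises ArgumentError instead of being passed through.
def pem_blocks(text)
  blocks = text.scan(PEM_BLOCK).map do |label, body|
    b64 = body.gsub(/\s+/, '')
    raise ArgumentError, "empty #{label} block" if b64.empty?
    [label, b64.unpack1('m0')] # 'm0' = strict base64 decode
  end
  raise ArgumentError, 'no PEM block found' if blocks.empty?
  blocks
end

# Standard layout: 64-character lines, markers on their own lines,
# trailing newline. Works for a single certificate or a chain file.
def pem_wrap(text)
  pem_blocks(text).map do |label, der|
    body = [der].pack('m0').scan(/.{1,64}/).join("\n")
    "-----BEGIN #{label}-----\n#{body}\n-----END #{label}-----\n"
  end.join
end

# Single-line form for JSON fields or APIs that cannot carry newlines.
def pem_single_line(text)
  pem_blocks(text).map do |label, der|
    "-----BEGIN #{label}-----#{[der].pack('m0')}-----END #{label}-----"
  end.join
end

# Constructed sample: 100 arbitrary bytes standing in for certificate DER.
SAMPLE_DER = (0...100).map { |i| (i * 7) % 256 }.pack('C*')
SAMPLE_ONE_LINE =
  "-----BEGIN CERTIFICATE-----#{[SAMPLE_DER].pack('m0')}-----END CERTIFICATE-----"

if __FILE__ == $PROGRAM_NAME
  wrapped = pem_wrap(SAMPLE_ONE_LINE)
  puts wrapped
  puts pem_blocks(wrapped) == pem_blocks(SAMPLE_ONE_LINE) # same bytes either way
end
```

Because both directions decode and re-encode the body, a truncated or hand-edited certificate fails at conversion time rather than when the web server next reloads.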