How to export SSL certificates from a LoadMaster Certificate Backup

To back up certificates and keys, follow the steps below in the LoadMaster Web User Interface (WUI):

  1. Go to Certificates > Backup/Restore Certs.
  2. In the Certificate Backup section, enter the desired Passphrase twice. This passphrase will be needed when restoring the backup.
  3. After the file is downloaded, rename it to certbackup.gz.
  4. Decompress the .gz file, either from the command line with gzip -d or with a tool such as 7zip.
  5. Rename the resulting file certbackup.aes.
  6. Download and install OpenSSL from the web.
  7. In OpenSSL, enter:
    openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k passphrase
    Where passphrase is the passphrase you entered when exporting the backup from the LoadMaster.
  8. Untar the resulting file (certbackup.tar).
    The resulting folder will contain your certificates.


Note: These files are in standard X.509 certificate format. You can import this certificate and key into IIS or any other web server that accepts standard X.509 certificates.
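
The procedure above as one checked script, an added example that is not Kemp's own code: it strips the gzip layer if it is still present, refuses input that lacks the "Salted__" header `openssl enc` expects (the condition it reports as "bad magic number"), and passes the passphrase through an environment variable instead of -k. The function names, exit codes and the CERT_BACKUP_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: unpack a LoadMaster certificate backup with a check at each stage.
# Assumptions: function names, exit codes and CERT_BACKUP_PASS are this example's own.

# Hex of COUNT bytes at offset SKIP (keeps binary data out of shell variables).
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# Classify a file by its leading bytes.
stage_of() {
    case "$(hex_at "$1" 0 8)" in
        1f8b*)            echo gzip ;;     # gzip magic
        53616c7465645f5f) echo salted ;;   # ASCII "Salted__", written by openssl enc
        *)                echo other ;;
    esac
}

# unpack_backup BACKUP OUTDIR -- the passphrase is read from $CERT_BACKUP_PASS.
# The body is a subshell so umask, trap and exit stay local to the call.
unpack_backup() (
    umask 077                              # private keys are about to hit the disk
    [ -n "${CERT_BACKUP_PASS:-}" ] || { echo "set CERT_BACKUP_PASS" >&2; exit 1; }
    export CERT_BACKUP_PASS                # openssl reads it from the environment
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    enc=$1
    if [ "$(stage_of "$1")" = gzip ]; then # steps 3-5: strip the gzip layer
        gzip -dc "$1" > "$work/enc" || exit 2
        enc=$work/enc
    fi
    if [ "$(stage_of "$enc")" != salted ]; then
        echo "no Salted__ header; openssl enc would fail with 'bad magic number'" >&2
        exit 3
    fi
    # Step 7, using -pass env: rather than -k so the passphrase stays out of the
    # process list and shell history. -md md5 is the digest the article specifies.
    openssl enc -d -aes256 -md md5 -in "$enc" -out "$work/tar" \
        -pass env:CERT_BACKUP_PASS || exit 4
    tar -tf "$work/tar" >/dev/null 2>&1 || { echo "output is not a tar archive" >&2; exit 5; }
    mkdir -p "$2" && tar -xf "$work/tar" -C "$2"   # step 8
)
```

Call it as `CERT_BACKUP_PASS='...' unpack_backup CertBackup_file ./certs`; the output directory is created with owner-only permissions because it will hold private keys.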





OpenSSL has changed the default message digest from MD5 (openssl-1.0) to SHA256 (openssl-1.1). As with KEMP 7.2.42 the digest is not yet adapted and you have to use the following command in order to be able to decrypt the file:
openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k passphrase

Cloud Engineering

Thank you @emak! Kemp needs to update this KB!


I can't get this to work on Ubuntu 20.04:
openssl enc -d -aes256 -md md5 -in CertBackup_2020_08_05.00.57 > cer.tar
enter aes-256-cbc decryption password:
bad magic number

Nick Smylie

Hi @jkuter

I tried both ways: the original command...
openssl enc -in CertBackup.aes -out certbackup2.tar -d -aes256 -md md5 -k password

Also tried it with yours...
openssl enc -d -aes256 -md md5 -in CertBackup.aes > cer.tar

And both worked. I noticed, though, that you did not rename your file and maybe also did not unzip it before trying the command. Can you try that and then try again, please?


I tried the documented way as well, same error no matter what passphrase I use. What version of Kemp and what OS are you using? I will try downloading it in Windows and running it in WSL and see if it makes a difference.

Nick Smylie


The LM version is .48.1 and Ubuntu is 20.04.1 LTS. You did unzip beforehand, correct? Are you using any special characters in your passphrase?

jkuter No matter what I try, even with password 123456, I get the magic number error. Just received the same error in Windows WSL (Ubuntu). I will try another Kemp box and see if I can reproduce there. I am backing up from the cert backup and restore screen in the WUI.


jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv CertBackup_2020_08_05.15.57 certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ gzip -d certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv certbackup certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv certbackup.gz certbackup.aes
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k 123456
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ tar xfvz certbackup.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

Is it the Kemp version? Do I need to upgrade? Just tried on an Azure Kemp and an on-prem Kemp and received the same error.