LinuxQuestions.org
Old 03-08-2014, 07:38 AM   #1
zkab
Member
 
Registered: Dec 2007
Posts: 142

Rep: Reputation: 16
Create a certificate problem


I have a problem creating a certificate for a site.
When I specify in Chrome IP:8080 I am redirected to IP:8443 with error message:

"The site's security certificate is not trusted!"

Instructions are that I have to run the following java command ...

sudo java -jar lib/ace.jar new_cert <hostname> <company> <city> <state> <country>

When it is done I get 2 files

xxx_certificate.csr.der
xxx_certificate.csr.pem

that I am supposed to ...

# have this CSR signed by a CA, you'll get a few certificates back...
# import the signed certificate and other intermediate certificates

and then run java command "java -jar lib/ace.jar import_cert"

Don't understand "have this CSR signed by a CA, you'll get a few certificates back..."
I just want to add this certificate to Chrome but that has to be in PKCS #12 format.
How do I get this done?

Certificate handling is not my strongest side.
Running Debian stable.

Appreciate all help I can get.
 
Old 03-08-2014, 08:02 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
A certificate has two functions:
  1. It's a way of handing out public cryptographic keys
  2. The recipient of a certificate can confirm the identity (subject) in the certificate by checking the signature using the issuer's public key
Chrome is complaining about not trusting the issuer while trying to validate the certificate (item [2]), since it doesn't actually have the public key of the issuer in its database of trusted Certificate Authorities. The reason is most likely that the certificate is self-signed.

The java command you ran has generated a Certificate Signing Request (CSR) containing a public key (and hopefully stored the corresponding private key in a separate file). This is useful if the certificate is related to an identity (e-mail address) or Internet domain which you actually own and control, and you want a third party to sign your key and create a signed certificate which can then be validated by others trusting that same third party.

If this is the route you want to take, you'll need to contact one of the many CAs participating in the Internet Public Key Infrastructure (PKI), like Verisign (Symantec), GoDaddy, RapidSSL, Thawte, Equifax etc. For a fee, the CA will validate your identity and issue a signed certificate based on either the .pem or .der file (it's just two files containing the same CSR in different formats).

However, if you just want one particular instance of Chrome to accept the self-signed certificate you already have, you can just manually import the certificate into the "Trusted Root CAs" certificate store on the client.

Last edited by Ser Olmy; 03-08-2014 at 08:04 AM.
 
Old 03-08-2014, 08:44 AM   #3
zkab
Member
 
Registered: Dec 2007
Posts: 142

Original Poster
Rep: Reputation: 16
Thank you for clarification.
To contact Verisign (Symantec), GoDaddy, RapidSSL is not the way to go for me.
You mentioned that I can make Chrome accept the self-signed certificate by importing it.
Doing so I receive the following error:

Certification Authority Import Error.
Unable to parse file
 
Old 03-08-2014, 08:55 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
How are you importing the certificate?
 
Old 03-08-2014, 09:32 AM   #5
zkab
Member
 
Registered: Dec 2007
Posts: 142

Original Poster
Rep: Reputation: 16
Chrome -> Settings -> Show Advanced Settings -> HTTPS/SSL -> Manage certificates -> Authorities -> Import -> xxx_certificate.csr.pem

I also tried:

Chrome -> Settings -> Show Advanced Settings -> HTTPS/SSL -> Manage certificates -> Your Certificate -> Import -> xxx_certificate.csr.pem
but then I was asked for a password. I did not give a password when creating the *.pem and *.der files. So how can I give a password?
 
Old 03-08-2014, 01:36 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
You can't import the .csr.pem file, because that file does not contain the certificate, just a Certificate Signing Request.

It should be possible to save the certificate to a file by simply visiting the site. Even if you get an error message, it may be possible to click the SSL icon next to the URL in the address bar and export the certificate to a .csr file from there (I don't really know Chrome, but that's how it's done in Firefox).
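Telling the file types in this thread apart with the openssl command-line tool, as an added example that is not part of the original posts: `kind_of` reports whether a file is a PKCS#12 bundle, a certificate or a CSR by checking which OpenSSL parser accepts it. The file names, the CN and the password are constructed for the demo, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example. File names, the CN and the password are constructed for the demo.

# Print what file $1 holds: pkcs12, certificate, csr or unknown.
# $2 is the password to try if the file is a PKCS#12 bundle.
kind_of() {
    if openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1; then
        echo pkcs12; return 0
    fi
    for form in PEM DER; do
        if openssl x509 -in "$1" -inform "$form" -passin "pass:$2" \
                -noout >/dev/null 2>&1; then
            echo certificate; return 0
        fi
        if openssl req -in "$1" -inform "$form" -noout >/dev/null 2>&1; then
            echo csr; return 0
        fi
    done
    echo unknown
}

# Create one sample of each file type in directory $1.
make_samples() {
    # Private key plus CSR in PEM and DER, like the two .csr files in the thread.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example" \
        -keyout "$1/key.pem" -out "$1/site.csr.pem" 2>/dev/null &&
    openssl req -in "$1/site.csr.pem" -outform DER -out "$1/site.csr.der" &&
    # Signing the request with its own key gives a self-signed certificate.
    openssl x509 -req -in "$1/site.csr.pem" -signkey "$1/key.pem" -days 30 \
        -out "$1/site.crt" 2>/dev/null &&
    # PKCS#12 bundles certificate and private key under an export password.
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/site.crt" \
        -out "$1/site.p12" -passout pass:demo-only
}

# Classify every sample, including the bare private key.
dir=$(mktemp -d) && make_samples "$dir" &&
for f in site.csr.pem site.csr.der site.crt site.p12 key.pem; do
    printf '%-13s %s\n' "$f" "$(kind_of "$dir/$f" demo-only)"
done
rm -rf "$dir"
```

Only the file reported as `certificate` is something a browser's "Authorities" import can parse; the `csr` files carry a public key and subject but no issuer signature.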
 
Old 03-09-2014, 10:25 AM   #7
zkab
Member
 
Registered: Dec 2007
Posts: 142

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by Ser Olmy
It should be possible to save the certificate to a file by simply visiting the site. Even if you get an error message, it may be possible to click the SSL icon next to the URL in the address bar and export the certificate to a .csr file from there (I don't really know Chrome, but that's how it's done in Firefox).
I did export the certificate to a file from Firefox but when I tried to import it to Firefox it still keeps asking me for a password ... which I don't know since I was not able to give it when creating it ... seems that I am totally lost.
 
Old 03-09-2014, 11:22 AM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
You should not use the ".csr" file extension, as Firefox (or any other program) will interpret that as a Certificate Signing Request, and those are usually encrypted and require a password.

Try again, but this time use the ".crt" extension.
 
Old 03-09-2014, 04:19 PM   #9
zkab
Member
 
Registered: Dec 2007
Posts: 142

Original Poster
Rep: Reputation: 16
I did not have ".csr" file extension but still Chrome gives the same error 'The site's security certificate is not trusted!'
I managed though to import it (via tab Servers) - it is under the tab 'Others' now.

Firefox has the exception option - that works so I don't get the error ... but unfortunately Chrome doesn't seem to have this exception option for certificates.
 
Old 03-10-2014, 05:06 AM   #10
zkab
Member
 
Registered: Dec 2007
Posts: 142

Original Poster
Rep: Reputation: 16
I also checked http://code.google.com/p/chromium/wi...CertManagement
and tried to add a certificate (the one I exported from Firefox) but to no avail ...
 
  

