Common SSL digital certificate formats

PKCS stands for public-key cryptography standards. It is a series of standards developed by the RSA lab and other security system developers to Promote the Development of public key cryptography. PKCS has published 15 standards. Commonly used:

 

PKCS #12 Personal Information Exchange:. pfx,. p12
PKCS #10 certification request:. p10
PKCS #7 Cert Request Response:. p7r
PKCS #7 binary message:. p7b

 

 

PKCS #7 common suffixes:. p7b. p7c. SPC

PKCS #12 common suffixes include. p12. pfx

 

 

 

X.509 is a common certificate format. All certificates comply with ITU-T X509 International Standards for Public Key Infrastructure (PKI.

 

The suffix of X.509 DER encoding (ASCII) is. Der. Cer. CRT.
The suffix of X.509 Pam encoding (base64) is. pem.

 

 

CER/. CRT is used to store certificates. It is in binary format and does not contain private keys.
The difference between. PEM and CRT/CER is that it is represented in ASCII.
Pfx/P12 is used to store the Personal Certificate/private key. It usually includes a password, which is in the binary mode.
P10 is a certificate request
P7r is the CA's reply to the certificate request and is only used for Import
P7b displays the certificate chain in a tree. It also supports a single certificate without the private key.

 

 

Note: To use a browser for two-way authentication, you must install the p12 certificate in the browser, because the digital certificate in p12 format contains the private key, only the private key can be included in the encrypted communication between the two parties.

 

Certificate Import
Der/CER certificate import:

To import a certificate from a file, use the-import command of the keytool:

Keytool-import-file mycert. Der-keystore mykeystore. jks

If a key warehouse that does not exist is specified in the-keystore option, the key warehouse will be created.

If the-keystore option is not specified, the default keystore is a file named. keystore in the home directory. If the file does not exist, it will be created.

When creating a key warehouse, you must enter an access password. You can use the-LIST command to view the content in the key Repository:

Keytool-list-RFC-keystore mykeystore. jks

P12 format certificate import:

Keytool cannot directly import the PKCS12 file.

The first method is to use IE to import the pfx certificate and then export it as a cert file. Use the method described above to import it to the key warehouse. In this case, the repository contains only the certificate information and no private key content.

The second method is to import the pfx file to the IE browser and then export it as a pfx file.
The newly generated pfx cannot be imported into the keystore. the following error occurs: keytool error: Java. Lang. exception: the input is not an X.509 authentication. The newly generated pfx file can be used as a keystore. However, an error as unknown attr1.3.6.1.4.1.311.17.1 will be reported. After checking the information, the IE export will be like this and Netscape will not cause this error.

The third method is to use the pfx file as a keystore. However, the pfx file generated on the Certificate Management Console of Microsoft cannot be used directly. Keytool does not recognize this format and reports the keytool error: Java. Io. ioexception: failed to decrypt safe contents entry. You need to use OpenSSL to convert:

1) OpenSSL PKCS12-In mycerts. pfx-out mycerts. pem

2) OpenSSL PKCS12-export-In mycerts. pem-out mykeystore. p12

You can use the-LIST command of keytool to check the content in the key warehouse:

Keytool-RFC-list-keystore mykeystore. p12-storetype PKCS12

The repository type is PKCS12, because the default type is jks. In this way, the key warehouse contains Certificate Information and private key information.

P7b certificate import:

Keytool cannot directly import the p7b file.

You need to export the certificate chain rootserver. p7b (including the root certificate) as the root rootca. CER and sub-rootcaserver. Cer.

Import these two certificates to a trusted key repository.

Keytool-import-alias rootca-trustcacerts-file rootca. cer-keystore testkeytrust. jks

Enter y

Keytool-import-alias rootcaserver-trustcacerts-file rootcaserver. cer-keystore testkeytrust. jks

Summary:

1) certificates in p12 format cannot be imported to keystore using keytool.

2) the sun's PKCS12 keystore does not support pfx certificates generated from IE and other Windows programs.

3) The p7b certificate chain cannot be directly imported to the keystore. You need to export the certificate to the CER format and then import it to the keystore.