About digital certificates (reproduced)

Source: Internet
Author: User
Tags openssl x509 pkcs12

Formats and differences of digital certificates

Certificates that exist as files are generally in the following formats:

  1.Certificate with Private Key

It is defined by the public key cryptography standards #12 and PKCS #12 standards. It contains the certificate format in binary format of the public key and private key, and uses pfx as the suffix of the Certificate file.

  2.Binary Certificate

The certificate does not contain a private key. The certificate file in der-encoded binary format is suffixed with cer.

  3. base64Encoded Certificate

There is no private key in the certificate. The certificate file in base64 encoding format is also suffixed with cer.

 

From the definition, we can see that only pfxA digital certificate contains a private key, CEROnly the public key and no private key are in the digital certificate.

 

One of the items in the pfx certificate import process is "indicates that this key can be exported. This backs up or transfers keys later ". Generally, this option is not selected. If this option is selected, someone else will have the opportunity to back up your key. If it is not selected, the key is imported, but cannot be exported again. This ensures the security of the key.

If this item is not selected during the import process, the "export private key" item during certificate backup is gray and cannot be selected. Only public keys in cer format can be exported. If this item is selected during import, "export private key" is optional during export.

If you want to export a private key (pfx), you need to enter a password. This password is used to re-encrypt the private key, which ensures the security of the private key, even if someone else obtains your certificate backup (pfx) and does not know the password to encrypt the private key, they cannot import the certificate. On the contrary, if you only import and export certificates in the CER format, you will not be prompted to enter the password. Because the public key is generally made public and does not need to be encrypted.

 

Common Format Conversion PKCS is public-key cryptography standards. It is a series of criteria developed by the RSA lab and other security system developers to Promote the Development of public key cryptography, PKCS has published 15 standards. Common certificate formats include PKCS #7 cryptographic message syntax standardpkcs #10 certification request standardpkcs #12 Personal Information Exchange syntax standard X.509. All certificates comply with ITU-T X509 International Standards for Public Key Infrastructure (PKI. PKCS #7 common suffixes are :. p7b. p7c. spcpkcs #12 common suffixes include :. p12. the suffix of pfxx.509 DER encoding (ASCII) is :. der. cer. the suffix of crtx.509 Pam encoding (base64) is :. PEM. cer. CRT. CER /. CRT is used to store certificates. It is in binary format and does not contain private keys .. The difference between PEM and CRT/CER is that it is represented in ASCII. Pfx/P12 is used to store the Personal Certificate/private key. It usually includes a password. In the binary mode, P10 is the certificate request. p7r is the CA's reply to the certificate request, it is only used to import p7b to display the certificate chain in a tree. It also supports a single certificate, excluding the private key. Use OpenSSL to create the RSA key for the CA certificate (in PEM format): OpenSSL genrsa-des3-out ca. key 1024 uses OpenSSL to create a CA certificate (in PEM format, if the validity period is one year): OpenSSL req-New-X509-days 365-key ca. key-out ca. CRT-config OpenSSL. cnfopenssl can generate CA certificates in der format. It is best to use IE to convert the CA certificates in PEM format to CA certificates in der format. Convert ca. Key from X509 to pfxpkcs12-export-in keys/client1.crt-inkey keys/client1.key-out keys/client1.pfx to PVK that Microsoft can recognize. PVK-in CA. key-out ca. PVK-nocrypt-topvk five PKCS #12 to PEM conversion OpenSSL PKCS12-nocerts-nodes-In cert. p12-out private. PEM verification OpenSSL PKCS12-clcerts-nokeys-In cert. p12-out cert. PEM 6 extracts Private Key format files from pfx format files (. key) OpenSSL PKCS12-In mycert. pfx-nocerts-nodes-out mycert. key 7: Convert PEM to spcopenssl crl2pkcs7-nocrl-certfile Venus. PEM-outform der-Out Venus. SPC uses-outform-inform to specify der or Pam format. For example, convert OpenSSL X509-in CERT. pem-inform PEM-out cert. Der-outform der eight PEM to PKCS #12,

OpenSSL PKCS12-export-in CERT. pem-out cert. p12-inkey key. pem

 

Others:

PKCS stands for public-key cryptography standards. It is a series of standards developed by the RSA lab and other security system developers to Promote the Development of public key cryptography. PKCS has published 15 standards. Commonly used:
PKCS #7 cryptographic message syntax Standard
PKCS #10 certification request Standard
PKCS #12 Personal Information Exchange syntax Standard
 
X.509 is a common certificate format. All certificates comply with ITU-T X509 International Standards for Public Key Infrastructure (PKI.
 
PKCS #7 common suffixes:. p7b. p7c. SPC
PKCS #12 common suffixes include. p12. pfx
The suffix of X.509 DER encoding (ASCII) is. Der. Cer. CRT.
The suffix of X.509 PEM encoding (base64) is. pem. Cer. CRT.

In OpenSSL toolset, you can use-outform-inform to specify der or PEM format. For example:
OpenSSL X509-in CERT. pem-inform PEM-out cert. Der-outform der
 
To convert PEM to PKCS #12 in OpenSSL, refer to the command:
OpenSSL PKCS12-export-in CERT. pem-out cert. p12-inkey key. pem
 
For the conversion from PKCS #12 to PEM in OpenSSL, refer:
OpenSSL PKCS12-in CERT. p12-out key. pem
OpenSSL X509-in key. pem-text-out cert. pem

 


Http://blog.csdn.net/tsimgsong/archive/2007/12/19/1954404.aspx
Http://zxjgoodboy.blog.sohu.com/71003540.html
The certificate file with the CER suffix has two types of encoding: Der binary encoding or base64 encoding (that is,. pem)

P7b is generally a certificate chain, which includes one or more certificates.
Pfx refers to the certificates and corresponding private keys stored in PKCS #12 format.

In security programming, there are several typical password exchange information file formats:
Der-encoded certificate:. CER,. CRT
PEM-encoded message:. pem
PKCS #12 Personal Information Exchange:. pfx,. p12
PKCS #10 certification request:. p10
PKCS #7 Cert Request Response:. p7r
PKCS #7 binary message:. p7b

. Cer/. CRT is used to store certificates. It is in binary format and does not contain private keys.
The difference between. PEM and CRT/CER is that it is represented in ASCII.
Pfx/P12 is used to store the Personal Certificate/private key. It usually includes a password, which is in the binary mode.
P10 is a certificate request
P7r is the CA's reply to the certificate request and is only used for Import
P7b displays the certificate chain in a tree. It also supports a single certificate without the private key.

Http://5233studio.bokee.com/3264715.html
OpenSSL: pkcs7 3 signed-data content encoding and decoding --
The signed content type consists of any type of content and digital signature. Any type of content can be signed by any number of signers at the same time.

The process of generating signature data is as follows:

1. For each Signatory, he uses the message digest algorithm to calculate the digest value.

2. For each signatory, the message digest and related information are encrypted with their own private key.

3. For each signer, add the encrypted message digest and other specific information of the signer to the signer_info value. The certificate and CRL of each signatory are also collected in this step.

4. Put the information digest algorithm of all signer_info values and content of all signers into the Sign value.

About digital certificates (reproduced)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.