Certificate formats-X.509, der and PEM

Source: Internet
Author: User
Tags certificate fingerprint openssl x509

 

Certificate formats-X.509, der and PEM

Part: 1 2 3

Certificate standard and File encodings seem to be confusing. I wrote down some notes about:

  • What is X.509 certificate standard?
  • PEM (privacy enhanced mail) Encoding
  • Der (distinguished encoding rules) Encoding
  • "Keytool" exporting certificates in der and PEM
  • "OpenSSL" verifying "keytool" Certificates
  • "OpenSSL" generating certificates in der and PEM
  • "Keytool" Viewing "OpenSSL" Certificates
  • "Keytool" importing "OpenSSL" Certificates

X.509 certificate standard

X.509 is an international standard for what shocould be encoded in a digital certificate. Here is the definition from webpedia.com:

A widely used standard for defining digital certificates. x.509 (version 1) was first issued in 1988 as a part of the ITU X.500 Directory Services Standard. when X.509 was revised in 1993, two more fields were added resulting in the version 2 format. these two additional fields support directory access control. x.509 Version 3 defines the format for certificate extensions used to store additional information regarding the certificate holder and to define certificate usage. collectively, the term X.509 refers to the latest published version, unless the version number is stated.

X.509 is published as ITU Recommendation ITU-T X.509 (formerly CCITT X.509) and ISO/IEC/ITU 9594-8 which defines a standard certificate format for Public Key Certificates and certification validation. with minor differences in dates and titles, these publications provide identical text in the defining of public-key and attribute certificates.

My understanding of X.509 is that a certificate is required to have the following information:

  • Version-X.509 standard version number.
  • Serial number-a sequence number given to each certificate.
  • Signature Algorithm Identifier-name of the algorithm used to sign this certificate by the issuer
  • Issuer name-name of the issuer.
  • Validity Period-period during which this certificate is valid.
  • Subject name-name of the owner of the public key.
  • Subject public key information-the public key and its related information.

The content structure of a version 3 X.509 Certificate shoshould look like this:

Certificate:    Data:        Version: 3 (0x2)        Serial Number: 1185572113 (0x46aa6511)        Signature Algorithm: dsaWithSHA1        Issuer: C=CA, ST=Herong State, L=Herong City, ...         Validity            Not Before: Apr 1 21:35:13 2007 GMT            Not After : Jun 30 21:35:13 2007 GMT        Subject: C=CA, ST=Herong State, L=Herong City, ...         Subject Public Key Info:            Public Key Algorithm: dsaEncryption            DSA Public Key:                pub:                    00:b0:61:2b:c1:88:0e:19:66:58:37:b5:...                    ...                P:                    00:fd:7f:53:81:1d:75:12:29:52:df:4a:...                    ...                Q:                    00:97:60:50:8f:15:23:0b:cc:b2:92:b9:...                    ...                G:                    00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:...                    ...   Signature Algorithm: dsaWithSHA1       30:2c:02:14:6c:21:f3:43:b5:4f:d5:3d:2e:23:89:45:0...       ...

X.509 define how a certificate contents shocould be written. It does define how certificate contents shocould be encoded to store in files.

Two commonly used encoding schemas are used to store X.509 certificates in files, der and PEM, as described in next sections.

PEM (privacy enhanced mail) Encoding

The most commonly used encoding schema for X.509 certificate files is the PEM (privacy enhanced mail) encoding.

Here is the definition of PEM on wikipedia.com: "Privacy enhanced mail (PEM), is an early IETF proposal for securing email using public key cryptography. although PEM became an IETF proposed standard it was never widely deployed or used.

The full specification of PEM is in RFC 1421. But the idea of PEM encoding on X.509 certificates is very simple:

  • Encode the content with base64 encoding.
  • Enclose the base64 encoding output between two lines: "----- begin certificate -----" and "----- end certificate -----"

Here is a structural sample of a pem encoded X.509 Certificate:

-----BEGIN CERTIFICATE-----MIIDODCCAvagAwIBAgIERqplETALBgcqhkjOOAQDBQAwfzELMAkGA1UE......Cgfs2kXj/IQCFDC5GT5IrLTIFxAyPUo1tJo2DPkK-----END CERTIFICATE-----

PEM encoded certificate files are supported by almost all applications. "OpenSSL" and "keytool" support PEM encoded certificate files with no problem. See other sections below for test notes.

(Continued on next part ...)

 

 

Certificate formats-X.509, der and PEM

Part: 1 2 3

(Continued from previous part ...)

Der (distinguished encoding rules) Encoding

Der (distinguished encoding rules) is another popular encoding used to store X.509 certificate files. Here is how wikipedia.com describes PEM:

Der or distinguished encoding rules is a method for encoding a data object, such as an X.509 Certificate, to be digitally signed or to have its signature verified.

The distinguished encoding rules of ASN.1 is an international standard drawn from the constraints placed on BER encodings by x.509. der encodings are valid BER encodings. der is the same thing as BER with all but one sender's options removed. for example, in Ber a Boolean value of true can be encoded in 255 ways, while in der there is only one way to encode a Boolean value of true.

The full specification of der is in RFC 1421.

X.509 certificate files encode in der are binary files, which can not be view with text editors.

DER encoded certificate files are supported by almost all applications. "OpenSSL" and "keytool" support DER encoded certificate files with no problem. See other sections below for test notes.

"Keytool" exporting certificates in der and PEM

My first test was about "keytool" exporting certificates in der and PEM encodings. This was done:

  • Using "keytool-genkeypair" to generated a key pair and a self-sign certificate in a keystore file.
  • Using "keytool-exportcert" to export the Certificate in DER encoding.
  • Using "keytool-exportcert-RFC" to export the Certificate in PEM encoding.

The test session was recorded below:

>keytool -genkeypair -keysize 1024 -alias herong_key -keypass keypass -keystore herong.jks -storepass jkspassWhat is your first and last name?  [Unknown]:  Herong YangWhat is the name of your organizational unit?  [Unknown]:  Herong UnitWhat is the name of your organization?  [Unknown]:  Herong CompanyWhat is the name of your City or Locality?  [Unknown]:  Herong CityWhat is the name of your State or Province?  [Unknown]:  Herong StateWhat is the two-letter country code for this unit?  [Unknown]:  CAIs CN=Herong Yang, OU=Herong Unit, O=Herong Company, L=Herong City,ST=Herong State, C=CA correct?  [no]:  yes>keytool -exportcert -alias herong_key -keypass keypass -keystore herong.jks -storepass jkspass -file keytool_crt.derCertificate stored in file <keytool_crt.der>>keytool -exportcert -alias herong_key -keypass keypass -keystore herong.jks -storepass jkspass -rfc -file keytool_crt.pemCertificate stored in file <keytool_crt.pem>

Not that "keytool-exportcert" command applies DER encoding by default. The "-RFC" option is to change it to PEM (RFC 1421) encoding.

Now I got one certificate generated by "keytool" and stored in two encoding files: keytool_crt.der and keytool_crt.pem. How can I verify that they are really using the correct encoding schemas? I used "OpenSSL" to try to view them as described in the next section.

"OpenSSL" verifying "keytool" Certificates

One way to verify if "keytool" Did export my certificate using DER and PEM encoding correctly is to use "OpenSSL" view the encoded certificate files. to do this, I used the "OpenSSL X509" command to view keytool_crt.der and keytool_crt.pem:

>openssl x509 -in keytool_crt.pem -inform pem -noout -textCertificate:    Data:        Version: 3 (0x2)        Serial Number: 1185636568 (0x46ab60d8)        Signature Algorithm: dsaWithSHA1        Issuer: C=CA, ST=Herong State, L=Herong City, ...        ...>openssl x509 -in keytool_crt.der -inform der -noout -textCertificate:    Data:        Version: 3 (0x2)        Serial Number: 1185636568 (0x46ab60d8)        Signature Algorithm: dsaWithSHA1        Issuer: C=CA, ST=Herong State, L=Herong City, ...        O=Herong Company, OU=Heron        ...

What I learned so far:

  • "Keytool" can generate self-Signed x5.09 Version 3 certificates.
  • "Keytool" can export certificates with der and PEM encodings.
  • "OpenSSL" can read certificates generated by "keytool" in both der and PEM encodings.

 

"OpenSSL" generating certificates in der and PEM

After tested how "keytool" can be used to export certificates in der and PEM encodings, I decided to try with "OpenSSL" to see if it can generate certificates in the same encodings or not. what I did was:

  • Run "OpenSSL genrsa" to generate a RSA key pair.
  • Run "OpenSSL req-New-X509" to generate a self-signed certificate and stored it in PEM encoding.
  • Run "OpenSSL X509" to convert the certificate from PEM encoding to DER encoding.

The test session was recorded below:

>openssl genrsa -out herong.key -des 1024Loading 'screen' into random state - doneGenerating RSA private key, 1024 bit long modulus.........................++++++...................++++++e is 65537 (0x10001)Enter pass phrase for herong.key: keypassVerifying - Enter pass phrase for herong.key: keypass>openssl req -new -x509 -key herong.key -out openssl_crt.pem-outform pem -config openssl.cnfEnter pass phrase for herong.key: keypassYou are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CA]:State or Province Name (full name) [HY State]:Locality Name (eg, city) [HY City]:Organization Name (eg, company) [HY Company]:Organizational Unit Name (eg, section) [HY Unit]:Common Name (eg, YOUR name) [Herong Yang]:Email Address [herongyang.com]:>openssl x509 -in openssl_crt.pem -inform pem -out openssl_crt.der -outform der

Now I got one certificate generated by "OpenSSL" and stored in two encoding files: openssl_crt.der and openssl_crt.pem. How can I verify that they are really using the correct encoding schemas? I used "keytool" to try to import them as described in the next section.

"Keytool" Viewing "OpenSSL" Certificates

One way to verify the certificate generated by "OpenSSL" and stored in PEM and der encodings is to view it with the "keytool-printcert" command:

>keytool -printcert -file openssl_crt.pemOwner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...Serial number: 0Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...Certificate fingerprints:         MD5:  BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC         SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...         Signature algorithm name: MD5withRSA         Version: 3Extensions:...>keytool -printcert -file openssl_crt.derOwner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...Serial number: 0Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...Certificate fingerprints:         MD5:  BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC         SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...         Signature algorithm name: MD5withRSA         Version: 3Extensions:...

What I learned so far:

  • "OpenSSL" can generate self-Signed x5.09 Version 3 certificates.
  • "OpenSSL" can write certificates with der and PEM encodings.
  • "Keytool" can read certificates generated by "OpenSSL" in both der and PEM encodings.

"Keytool" importing "OpenSSL" Certificates

I also tried to import the certificate generated by "OpenSSL" into "keytoo" keystore files. the "keytool-importcert" command had no trouble reading the Certificate in both PEM and der encodings. my command session is recorded here:

>keytool -importcert -file openssl_crt.pem-keystore herong.jks -storepass jkspass -alias openssl_crt_pem -keypass keypassOwner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...Serial number: 0Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...Certificate fingerprints:         MD5:  BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC         SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...         Signature algorithm name: MD5withRSA         Version: 3Extensions:...Trust this certificate? [no]:  yesCertificate was added to keystore>keytool -importcert -file openssl_crt.der-keystore herong.jks -storepass jkspass -alias openssl_crt_der -keypass keypassCertificate already exists in keystore under alias <openssl_crt_pem>Do you still want to add it? [no]:  yesCertificate was added to keystore>keytool -list -keystore herong.jks -storepass jkspassKeystore type: JKSKeystore provider: SUNYour keystore contains 3 entriesopenssl_crt_der, Apr 1, 2007, trustedCertEntry,Certificate fingerprint (MD5): BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:...openssl_crt_pem, Apr 1, 2007, trustedCertEntry,Certificate fingerprint (MD5): BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:...herong_key, Apr 1, 2007, PrivateKeyEntry,Certificate fingerprint (MD5): 5B:44:F1:D7:3D:9F:9E:15:5B:D1:25:...

Wonderful! There was no trouble at for "keytool" to import my self-signed certificate generated by "OpenSSL" into the keystore file.

Conclusion

  • X.509 defines a digital certificate standard.
  • PEM (privacy enhanced mail) is a certificate encoding schema.
  • Der (distinguished encoding rules) is another certificate encoding schema.
  • "Keytool" supports both PEM and der certificate encodings.
  • "OpenSSL" supports both PEM and der certificate encodings.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.