Common formats for digital certificates and their mutual conversions

Source: Internet
Author: User


Common certificate formats and mutual conversions

PKCS, in full Public-Key Cryptography Standards, is a set of standards developed by RSA Laboratories together with other security system developers to promote the development of public-key cryptography; it currently comprises 15 standards. The commonly used ones are:
PKCS#7: Cryptographic Message Syntax Standard
PKCS#10: Certification Request Standard
PKCS#12: Personal Information Exchange Syntax Standard

These are the common certificate formats. All certificates conform to the ITU-T X.509 international standard established for Public Key Infrastructure (PKI).
Commonly used PKCS#7 suffixes: .p7b, .p7c, .spc
Commonly used PKCS#12 suffixes: .p12, .pfx
Suffixes used for DER-encoded files: .der, .cer, .crt
Suffixes used for Base64-encoded files: .pem, .cer, .crt
.cer/.crt are used to store certificates; they are stored in binary form and do not contain a private key.
The difference between .pem and .crt/.cer is that .pem is expressed in ASCII.
.pfx/.p12 are used to store a personal certificate together with its private key; they usually carry a protection password and are in binary form.
.p10 is a certificate request.
.p7r is the CA's response to a certificate request and is used only for import.
.p7b displays the certificate chain in tree form; it also supports a single certificate, and contains no private key.
Amy's note:
.der and .cer files are generally in binary format, containing only certificates and no private keys.
.crt files may be binary or text format; most are probably text format. They serve the same function as .der/.cer.
.pem files are generally text format; they can hold a certificate or a private key, or both.
A PEM file that contains only the private key typically uses the .key extension, and may be password protected.
.pfx and .p12 files are in binary format, containing both the private key and the certificate, usually with a protection password.
How to tell whether a file is text or binary: open it in Notepad. If it consists of regular letters and digits, such as
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
it is text. The "BEGIN CERTIFICATE" above states that this is a certificate.
If it reads -----BEGIN RSA PRIVATE KEY-----, it means this is a private key.
A private key in text format may also be password protected.
How does the text format become binary? From a program's point of view: remove the first and last lines, strip the line breaks from the rest, and Base64-decode it; the result is the binary.
But it is usually done with the OpenSSL command line.
1. Create an RSA key (PEM format) for a CA certificate with OpenSSL:
openssl genrsa -des3 -out ca.key 1024

2. Use OpenSSL to create the CA certificate (PEM format, here valid for one year):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -config openssl.cnf
OpenSSL can also generate the CA certificate in DER format, but it is best to use IE to convert the PEM-format CA certificate into a DER-format CA certificate.

3. X.509 to PFX:
openssl pkcs12 -export -in keys/client1.crt -inkey keys/client1.key -out keys/client1.pfx

4. Convert the PEM-format ca.key to the PVK format that Microsoft recognizes:
pvk -in ca.key -out ca.pvk -nocrypt -topvk

5. Convert PKCS#12 to PEM:
openssl pkcs12 -nocerts -nodes -in cert.p12 -out privatekey.pem
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
openssl pkcs12 -nodes -in ./cert.p12 -out ./cert_key.pem

6. Extract the private key file (.key) from a PFX file:
openssl pkcs12 -in mycert.pfx -nocerts -nodes -out mycert.key

7. Convert PEM to SPC:
openssl crl2pkcs7 -nocrl -certfile venus.pem -outform der -out venus.spc
Specify DER or PEM format with -outform and -inform. For example:
openssl x509 -in cert.pem -inform pem -out cert.der -outform der

8. Convert PEM to PKCS#12:
openssl pkcs12 -export -in cert.pem -out cert.p12 -inkey key.pem

9. CER to PEM:
openssl x509 -in aps_developer.cer -inform der -out aps_developer.pem -outform pem

10. DER to PEM:
DER and CER are the same. If openssl x509 cannot load the certificate and reports the following error:
unable to load certificate
(that is, the file is not a certificate), try the following command, because the DER file may also be a converted CSR:
openssl req -inform der -outform pem -in ./customer.der -out ./customer.csr
11. Remove the encryption from the key (so that the password does not have to be entered manually each time):
openssl rsa -in customerprivatekey.pem -out ./customerprivatekey_unencrypted.pem
12. Combine the certificate and key into one file:
cat ./customerprivatekey_unencrypted.pem ./mdm_push_cert.pem > merger2.pem

--------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------
Introduction to common digital certificates and protocols

The main certificate file types and protocols are PEM, DER, PFX, JKS, KDB, CER, KEY, CSR, CRT, CRL, OCSP, SCEP, and so on.

PEM: OpenSSL uses the PEM (Privacy Enhanced Mail) format to hold a variety of information; it is OpenSSL's default way of storing information. A PEM file in OpenSSL typically contains the following parts. Content type: indicates what information is stored in the file, in the form "-----BEGIN xxxx-----", with a corresponding "-----END xxxx-----" at the end. Header information: indicates that the data was processed before being stored; in OpenSSL this is most often encryption information, such as the encryption algorithm and the initialization vector (IV). Information body: the Base64-encoded data. A PEM file can hold private keys (RSA and DSA), public keys (RSA and DSA), and (X.509) certificates. It stores DER-format data encoded in Base64 and surrounded by an ASCII header, so it is suitable for text-mode transmission between systems.

A certificate stored in PEM format:

(openssl x509 -in ./cacert.pem -text)

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

A private key stored in PEM format:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

A certificate request stored in PEM format:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
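The detection and decoding described in the first part of this page (look for the BEGIN line, strip the first and last lines, join the rest and Base64-decode it) and the PEM layout just described (type line, optional header lines, Base64 body) are shown below as an added Python example; it is not code from the original page or from OpenSSL. The sample payloads are constructed: a nine-byte ASN.1 SEQUENCE stands in for a certificate, filler bytes stand in for an encrypted key, and the DEK-Info value is made up. Only the PEM wrapping and the header handling are real; the code also accepts a merged file such as the key + certificate concatenation in step 12.

```python
from __future__ import annotations

import base64
import re

# One regex matches every "-----BEGIN X-----" ... "-----END X-----" block in a file,
# so a merged file (key and certificate concatenated with cat) yields several blocks.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def sniff_format(data: bytes) -> str:
    """Classify raw file bytes as 'pem' (text), 'der' (binary ASN.1) or 'unknown'."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "pem"
    # Certificates, CSRs, keys and PKCS#12 bundles are all ASN.1 SEQUENCEs (tag 0x30).
    if head[:1] == b"\x30":
        return "der"
    return "unknown"


def parse_pem(text: str) -> list[dict]:
    """Return one dict per PEM block: its label, its header lines and the decoded DER bytes."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = match.group("body").replace("\r\n", "\n")
        headers = {}
        # Optional headers (Proc-Type / DEK-Info on an encrypted key) are separated
        # from the Base64 body by exactly one blank line.
        if "\n\n" in body:
            header_text, body = body.split("\n\n", 1)
            for line in header_text.splitlines():
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
        # "Strip the line breaks and Base64-decode": the result is the DER binary.
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append({"label": match.group("label"), "headers": headers, "der": der})
    return blocks


def pem_to_der(text: str) -> bytes:
    """Binary form of the first PEM block in the text (what 'openssl x509 -outform der' writes)."""
    return parse_pem(text)[0]["der"]


def pem_encode(label: str, der: bytes, headers: dict | None = None) -> str:
    """The reverse direction: wrap DER bytes in a PEM block with 64-column Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += [f"{key}: {value}" for key, value in headers.items()]
        lines.append("")  # blank line ends the header section
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def describe(block: dict) -> str:
    """Read the BEGIN label the way the note above does: certificate, private key or CSR."""
    label = block["label"]
    if label == "CERTIFICATE":
        return "certificate (no private key)"
    if label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        return "certificate signing request (PKCS#10)"
    if label.endswith("PRIVATE KEY"):
        # Password protection shows up either as a Proc-Type: 4,ENCRYPTED header
        # (traditional format) or as the ENCRYPTED PRIVATE KEY label (PKCS#8).
        encrypted = label.startswith("ENCRYPTED") or \
            "ENCRYPTED" in block["headers"].get("Proc-Type", "")
        return "private key (password protected)" if encrypted else "private key (unencrypted)"
    return f"other PEM object: {label}"


# Constructed sample data (not a real certificate or key):
# SEQUENCE { INTEGER 2, PrintableString "CA" } and 70 filler bytes (needs two Base64 lines).
SAMPLE_CERT_DER = bytes.fromhex("300702010213024341")
SAMPLE_KEY_DER = bytes(range(70))
CERT_PEM = pem_encode("CERTIFICATE", SAMPLE_CERT_DER)
ENCRYPTED_KEY_PEM = pem_encode(
    "RSA PRIVATE KEY", SAMPLE_KEY_DER,
    {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00112233445566778899AABBCCDDEEFF"},
)

if __name__ == "__main__":
    for blk in parse_pem(ENCRYPTED_KEY_PEM + CERT_PEM):
        print(blk["label"], "->", describe(blk), f"({len(blk['der'])} DER bytes)")
```

The DER sniff is deliberately coarse: a leading 0x30 only says "some ASN.1 SEQUENCE", which is why the page's step 10 has to fall back from openssl x509 to openssl req when a .der file turns out to be a CSR rather than a certificate.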

DER: Distinguished Encoding Rules (DER) can contain all private keys, public keys, and certificates. It is the default format for most browsers and is stored in ASN.1 DER format. It has no header; PEM is DER surrounded by a text header.
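To make "stored in ASN.1 DER format" concrete, here is an added Python example (not from the original page) that walks the tag-length-value structure of a DER blob and enforces the two DER rules that matter to a parser: definite lengths only, and minimal length encoding. The input is a constructed SEQUENCE that mimics the start of a certificate body (a [0]-tagged version, a serial INTEGER, a string, and a long-form-length OCTET STRING); it is not a real certificate.

```python
from __future__ import annotations

# Universal tags that appear in X.509 structures (subset; enough for this walk).
TAG_NAMES = {
    0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x05: "NULL",
    0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String", 0x13: "PrintableString",
    0x17: "UTCTime", 0x18: "GeneralizedTime", 0x30: "SEQUENCE", 0x31: "SET",
}


def tag_name(tag: int) -> str:
    """Human-readable tag name; context-specific tags become [n] (e.g. [0] around the version)."""
    if tag & 0xC0 == 0x80:
        return f"[{tag & 0x1F}]"
    return TAG_NAMES.get(tag, f"tag 0x{tag:02x}")


def read_tlv(data: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Decode one tag-length-value at offset; return (tag, value bytes, offset after it).

    Raises ValueError on anything that is legal BER but not DER: indefinite lengths
    and non-minimal length encodings (a classic source of parser disagreements).
    """
    if offset >= len(data):
        raise ValueError("truncated: no tag byte")
    tag = data[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 structures")
    pos = offset + 1
    if pos >= len(data):
        raise ValueError("truncated: no length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form: one byte, value < 128
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F                    # long form: next n bytes hold the length
        if pos + n > len(data):
            raise ValueError("truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < 0x80 or data[pos] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:end], end


def walk(data: bytes, depth: int = 0) -> list[tuple[int, str, int]]:
    """List (depth, tag name, value length) for every element, descending into constructed ones."""
    out = []
    offset = 0
    while offset < len(data):
        tag, value, offset = read_tlv(data, offset)
        out.append((depth, tag_name(tag), len(value)))
        if tag & 0x20:                      # constructed bit: SEQUENCE, SET, [n] EXPLICIT
            out.extend(walk(value, depth + 1))
    return out


def is_strict_der(data: bytes) -> bool:
    """True if the blob is one canonical DER element with no trailing bytes."""
    try:
        _, _, end = read_tlv(data)
        walk(data)
        return end == len(data)
    except ValueError:
        return False


# Constructed sample (not a real certificate):
# SEQUENCE { [0] { INTEGER 2 }, INTEGER 0x1234, PrintableString "CA", OCTET STRING (130 bytes) }
# Inner length 5 + 4 + 4 + 133 = 146 = 0x92, so the outer length uses the long form 81 92.
SAMPLE_DER = (
    bytes.fromhex("308192")
    + bytes.fromhex("a003020102")           # [0] EXPLICIT wrapping INTEGER 2, as X.509 wraps its version
    + bytes.fromhex("02021234")             # INTEGER 0x1234 (serial-number-like)
    + bytes.fromhex("13024341")             # PrintableString "CA"
    + bytes.fromhex("048182") + b"\xaa" * 130  # OCTET STRING, long-form length 0x82 = 130
)

if __name__ == "__main__":
    for depth, name, length in walk(SAMPLE_DER):
        print("  " * depth + f"{name} ({length} bytes)")
```

Rejecting non-minimal and indefinite lengths is what distinguishes a DER decoder from a lenient BER one; two parsers that disagree on these rules can end up with different views of the same certificate bytes, which is why signature verification is always done over the exact DER as received.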
PFX or P12: Public-Key Cryptography Standard #12 (PKCS#12) can contain all private keys, public keys, and certificates. It is stored in binary format, also known as a PFX file. Typically you can merge the "key file + crt file" format used by Apache/OpenSSL into a standard PFX file, and you can import the PFX file into Microsoft IIS 5/6, Microsoft ISA, Microsoft Exchange Server and other software. You need to enter the encryption password for the PFX file when converting.
JKS: typically you can convert the "key file + crt file" format used by Apache/OpenSSL to a standard Java Key Store (JKS) file. The JKS file format is widely used in Java-based web servers, application servers, and middleware. You can import JKS files into Tomcat, WebLogic and other software.
KDB: typically you can convert the "key file + crt file" format used by Apache/OpenSSL to a standard IBM KDB file. The KDB file format is widely used in IBM web servers, application servers, and middleware. You can import the KDB file into IBM HTTP Server, IBM WebSphere, and other software.
CSR: Certificate Signing Request file. Before an X.509 digital certificate is generated, the user submits a certificate request file, and the CA then issues the certificate. The approximate process is as follows (the format standard for X.509 certificate requests is PKCS#10 / RFC 2314):
1. The user generates their own public/private key pair.
2. The user constructs a certificate request file in accordance with the PKCS#10 standard. This file mainly includes the user information, the public key and some optional attribute information, and the user signs its content with their own private key.
3. The user submits the certificate request file to the CA.
4. The CA verifies the signature, extracts the user information, adds other information (such as the issuer), and issues the digital certificate signed with the CA's private key.
Note: a digital certificate is a carrier of information that binds the identity of a user (or other entity) to a public key. A valid digital certificate must not only conform to the X.509 format specification but also carry a CA signature. Users not only have their own digital certificates; they must also hold the corresponding private key. An X.509 v3 digital certificate mainly includes: certificate version, certificate serial number, signature algorithm, issuer information, validity period, holder (subject) information, public key information, issuer unique ID, subject unique ID, and extensions.

OCSP: the Online Certificate Status Protocol (RFC 2560) is used to indicate the status of a certificate in real time. The OCSP client determines the status of a certificate by querying the OCSP service, giving the user the validity of one or more digital certificates; it establishes a real-time response mechanism that lets users verify the validity of each certificate in real time and resolves the security issues raised by CRLs. OCSP can be implemented over HTTP. RFC 2560 defines the message formats for the OCSP client and server.
CER: generally refers to a certificate in DER format. DER and CER are the same; both are certificates, and CER is the name used on Windows.
CRT: certificate file; it can be in PEM format.
KEY: generally refers to a private key file in PEM format.
CRL: the Certificate Revocation List is a signed data structure containing a list of revoked certificates. CRLs are the published form of certificate revocation status; a CRL is like a credit-card blacklist, used to announce that certain digital certificates are no longer valid. A CRL is offline certificate status information and is updated at a fixed period. CRLs can be divided into full CRLs and delta CRLs: a full CRL contains all revoked certificate information, while a delta CRL represents the revoked certificate information as a series of CRLs, each published CRL being an incremental extension of the previously published one. The basic CRL information is: revoked certificate serial number, revocation time, revocation reason, signer, and the CRL signature. CRL-based validation is a non-strict form of certificate validation: the CRL proves that a certificate listed in it is invalid, but it cannot give the status of a certificate that is not in the CRL. For rigorous validation an online approach is needed, namely OCSP. Typically a CRL is a set of electronic documents signed by a CA, including the unique identifier of each revoked certificate (the certificate serial number), used to list digital certificates that have expired or been revoked. It is updated periodically, so you must download the list regularly to obtain the latest information.
SCEP: Simple Certificate Enrollment Protocol. File-based certificate enrollment requires copying and pasting text files from the local computer to the certificate publishing center, and back from the certificate publishing center to the local computer. SCEP can handle this process automatically, but CRLs still need to be copied and pasted manually between the local computer and the CA publishing center.
PKCS#7: Cryptographic Message Syntax (PKCS#7) is a format standard for storing various kinds of messages. These messages include: data, signed data, digital envelopes, signed digital envelopes, digest data, and encrypted data.
PKCS#12: PKCS#12 (the personal digital certificate standard) is used to hold user certificates, CRLs, user private keys, and certificate chains. The private key in PKCS#12 is stored encrypted.

--------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------

Digital certificates: the difference between CER and PFX

A certificate that exists as a file typically has these types of forms:

  1. Certificate with private key

Defined by the Public-Key Cryptography Standards #12 (PKCS#12) standard: a certificate in binary format that contains the private key and the public key, with .pfx as the file suffix.

  2. Binary-encoded certificate

The certificate contains no private key; it is a DER-encoded certificate file in binary format, with .cer as the file suffix.

  3. Base64-encoded certificate

The certificate contains no private key; it is a certificate file in Base64-encoded format, with .cer as the file suffix.

As can be seen from these definitions, only a PFX-format digital certificate contains the private key; a CER-format digital certificate contains only the public key and no private key.

If the client needs to use the private key when communicating with the web site (all web sites that require a client digital certificate use the private key), a CER certificate cannot access the site normally, and the web site prompts "The page requires a client certificate".

Because a CER certificate contains only the public key, it is generally only used to decrypt data that was encrypted with the private key corresponding to that public key.

One of the options in the PFX certificate import wizard is "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." It is usually left unchecked; if it is selected, someone else has the opportunity to back up your key. If it is unchecked, the key is still imported but cannot be exported again. This protects the key.

If this option is not selected during import, the "Export private key" item is grayed out when backing up the certificate and cannot be selected; only the public key in CER format can be exported. If the option was selected on import, the "Export private key" item is available on export.

If you want to export the private key (PFX), you must enter a password. This password re-encrypts the private key for its protection: even if someone obtains the certificate backup (PFX), without knowing the password that encrypts the private key they cannot import the certificate. Conversely, if you export only the certificate in CER format, you are not prompted for a password, because the public key is generally public and is not encrypted.

--------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------

certificates and encodings


First, a certificate is a digital document encoded and/or issued according to RFC 5280.

In fact, "PKIX certificate" is often used to refer to the certificate and CRL (Certificate Revocation List) of the IETF Public Key Infrastructure (X.509) v3 certificate standard.

X.509 file extensions

First we need to understand what a file's extension stands for. The DER, PEM, CRT, and CER extensions are often confused. Many people mistakenly believe these extensions are interchangeable. While it is true that some extensions are sometimes interchangeable, it is best to determine how the certificate is encoded and then name it correctly. Correctly identifying certificates helps with managing them.

Encodings (also used as extensions):
.der: the DER extension is used for binary DER-encoded certificates. These certificates can also carry the CER or CRT extension. The more appropriate wording is "I have a DER-encoded certificate" rather than "I have a DER certificate".
.pem: the PEM extension is used for the ASCII (Base64) encoding of the various v3 certificates. The file begins with a line "-----BEGIN ...-----".

Common extension names:
.crt: the CRT extension is used for certificates. The certificate may be DER- or PEM-encoded. The CER and CRT extensions are almost synonymous. This is common on various Unix/Linux systems.
.cer: the Microsoft form of the CRT certificate. You can use Microsoft tools to convert CRT files to CER files (CRT and CER must use the same encoding, DER or PEM). Files with the CER extension are recognized by IE and can be opened with a command through Microsoft's CryptoAPI (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which pops up a dialog box to import and/or view the contents of the certificate.
.key: the KEY extension is used for PKCS#8 public and private keys. These keys can be either DER- or PEM-encoded.

CRT files and CER files can be safely substituted for each other only when the same encoding is used.
