Different types of digital certificates

Source: Internet
Author: User
Tags: openssl, pkcs12, rfc, pfx, file

A certificate file with the .cer suffix can use either of two encodings: DER (binary) or Base64 (i.e. PEM).

A P7B file is typically a certificate chain containing one or more certificates.
A PFX file is a certificate together with its private key, stored in PKCS#12 format.

In security programming, these are the typical file formats for exchanging cryptographic (certificate and key) information:
DER-encoded certificate: .cer, .crt
PEM-encoded message: .pem
PKCS#12 Personal Information Exchange: .pfx, .p12
PKCS#10 certification request: .p10
PKCS#7 certificate request response: .p7r
PKCS#7 binary message: .p7b

.cer/.crt files store certificates in binary (DER) form and do not contain private keys.
PEM differs from .crt/.cer in that the same content is represented in ASCII (Base64).
PFX/P12 files store personal certificates together with their private keys; they are binary and are usually protected by a password.
P10 is a certificate request.
P7R is the CA's reply to a certificate request and is used only for import.
P7B presents the certificate chain as a tree; it also supports holding a single certificate, and it excludes the private key.

Here I describe how to extract the key pair and its length from a p12/pfx file:
1) First, read the pfx/p12 file (the protection password must be supplied).
2) Extract the certificate chain you want to analyze by its alias (note that every item in the store is retrieved through its alias).
3) Convert it to an X509Certificate structure.
4) Extract the items inside it; if your certificate entry is placed first (a single certificate), read x509certs[0] directly (see the code below), which is an X509Certificate object.
5) An X509Certificate object offers many methods; user tain198127 wanted to read the RSA key (public/private key) and its length (see http://www.matrix.org.cn/thread.shtml?topicid=43786&forumid=55& #reply), which is easy:
    import java.security.cert.X509Certificate;

    X509Certificate keyPairCert = x509certs[0];                        // the entry's own certificate (step 4)
    int iKeySize = X509CertUtil.getCertificateKeyLength(keyPairCert);  // X509CertUtil is the author's own helper class
    System.out.println("certificate key algorithm = " + keyPairCert.getPublicKey().getAlgorithm());
    System.out.println("certificate key length = " + iKeySize);
That extracts the information he needed.
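The same five steps done with the standard JDK API alone, as an added example that is not the page's code: it loads a PKCS#12 store, walks every alias, and takes the key length from the public key object itself, so the X509CertUtil helper above is not needed. The file name mycerts.pfx and the password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

/** Steps 1 to 5 above with the JDK alone: load a PFX/P12 and report each entry's key. */
public final class Pkcs12KeyInfo {

    /** Key length in bits read from the public key itself, replacing the page's X509CertUtil helper. */
    public static int keyLengthBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();            // e.g. 2048
        }
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize(); // e.g. 256
        }
        return -1;                                                            // DSA etc.: not handled here
    }

    public static void describe(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");       // step 1: store type must be PKCS12, not JKS
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);                     // a wrong protection password throws IOException
        }
        for (String alias : Collections.list(ks.aliases())) {   // step 2: every entry is reached by alias
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) {                            // trusted-certificate entry: no private key
                chain = new Certificate[] { ks.getCertificate(alias) };
            }
            X509Certificate leaf = (X509Certificate) chain[0];  // steps 3 and 4: the entry's own cert is first
            PublicKey pub = leaf.getPublicKey();            // step 5
            System.out.printf("%s: subject=%s, key=%s %d bits, chain=%d, private key=%b%n",
                alias, leaf.getSubjectX500Principal(), pub.getAlgorithm(), keyLengthBits(pub),
                chain.length, ks.isKeyEntry(alias));
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name and password; pass your own PFX and its protection password instead.
        String file = args.length > 0 ? args[0] : "mycerts.pfx";
        String password = args.length > 1 ? args[1] : "changeit";
        describe(file, password.toCharArray());
    }
}
```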

X.509 defines two types of certificates: public key certificates and attribute certificates.
Both PKCS#7 and PKCS#12 use public key certificates.
A degenerate form of PKCS#7 SignedData can be used to distribute public key certificates and CRLs.
A SignedData can contain more than one public key certificate.
PKCS#12 can contain a public key certificate and its private key, or the entire certificate chain.


Brief introduction
The keytool tool that ships with Java is a key and certificate management tool. It lets users manage their own public/private key pairs and the related certificates for self-authentication with digital signatures (users authenticate themselves to other users or services) or for data integrity and authentication services. It also lets users store the public keys of their communication partners (in the form of certificates).

keytool stores keys and certificates in a so-called keystore (KeyStore). The default keystore implementation stores the keystore as a single file, and uses a password to protect the private keys.

Types of Java KeyStore
JKS and JCEKS are the two most common Java KeyStore types (I know of 5 in total: JKS, JCEKS, PKCS12, BKS and UBER).

The provider of JKS is SUN, which is available in every JDK version; the provider of JCEKS is SunJCE, which can be used directly from JDK 1.4 on.

JCEKS is stronger than JKS in terms of security, so JCEKS is the recommended type, especially for protecting the private keys inside the KeyStore (it uses TripleDES).

PKCS#12 is the public key cryptography standard that specifies that private keys, public keys and certificates can all be included. It is stored in binary format, also known as a PFX file, and can be imported directly into the Windows certificate store. Note that a PKCS#12 KeyStore's protection password is also used to protect the keys.

BKS comes from the BouncyCastle provider. It uses TripleDES to protect the keys in the KeyStore and prevents the certificate store from being accidentally modified (even a 1-bit error in a KeyStore key entry is detected). BKS can interoperate with JKS; readers can try it with keytool.

UBER is more special: when the password is supplied on the command line, it can only interact with keytool. The entire keystore is encrypted with PBE/SHA1/Twofish, so the keystore cannot be read, inspected or verified without the password. Previously the Sun JDK (the SUN provider) allowed a keystore to be loaded without providing a password, as with cacerts; UBER does not allow this.

Certificate Import
DER/CER certificate import:

To import a certificate from a file, use the -import command of the keytool tool:

keytool -import -file mycert.der -keystore mykeystore.jks

If the keystore given in the -keystore option does not exist, it is created.

If you do not specify the -keystore option, the default keystore is a file named .keystore in the user's home directory. If that file does not exist, it is created.

When you create a keystore you are asked for an access password, which you will need later to access it. You can use the -list command to view the contents of a keystore:

keytool -list -rfc -keystore mykeystore.jks


P12 Format Certificate Import:

keytool cannot import PKCS12 files directly.

The first method is to import the PFX certificate with IE and then export it as a .cer file, and then import that into the KeyStore with the method described above. In this case the keystore contains only the certificate information and no private key.


The second method is to import the PFX file into the IE browser and then export it as a PFX file again.
The newly generated PFX cannot be imported into the KeyStore; the error is: keytool: java.lang.Exception: Input is not an X.509 certificate. The newly generated PFX file can be used as a keystore itself, but that produces an error such as unknown attr1.3.6.1.4.1.311.17.1; checking the data shows that IE exports are like this, while exporting with Netscape does not give this error.

The third method is to use the PFX file itself as the keystore. However, a PFX file generated through Microsoft's Certificate Management Console cannot be used directly: keytool does not recognize this format and reports keytool error: java.io.IOException: failed to decrypt safe contents entry. It needs to be converted with OpenSSL:

1) openssl pkcs12 -in mycerts.pfx -out mycerts.pem

2) openssl pkcs12 -export -in mycerts.pem -out mykeystore.p12

You can check the contents of the keystore with the keytool -list command:

keytool -rfc -list -keystore mykeystore.p12 -storetype PKCS12

Here you need to state that the keystore type is PKCS12, because the default type is JKS. This keystore then contains the certificate information as well as the private key information.

P7B Format Certificate Import:

keytool cannot import p7b files directly.

You need to export the certificate chain rootserver.p7b (which includes the root certificate) into the root certificate rootca.cer and the child certificate rootcaserver.cer.

Then import the two certificates into a trusted keystore:

keytool -import -alias rootca -trustcacerts -file rootca.cer -keystore testkeytrust.jks

Enter y when prompted whether to trust the certificate.

keytool -import -alias rootcaserver -trustcacerts -file rootcaserver.cer -keystore testkeytrust.jks
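The same trust-store import done programmatically, as an added example that is not from the original page: the JDK's X.509 CertificateFactory parses .cer, .pem and whole .p7b chains, so every certificate in rootserver.p7b can be added to testkeytrust.jks as a trusted entry in one pass instead of exporting each one first. File names follow the commands above; the password and alias prefix are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

/** Adds every certificate in a .cer/.pem/.p7b file to a JKS trust store as a trusted-cert entry. */
public final class TrustStoreImport {

    /** Parses a DER or PEM certificate, or a whole PKCS#7 (.p7b) chain, into X.509 certificates. */
    public static Collection<? extends Certificate> readCertificates(InputStream in) throws Exception {
        // The X.509 CertificateFactory accepts DER, PEM and PKCS#7 SignedData input, so the
        // chain does not have to be split into separate .cer files before importing.
        return CertificateFactory.getInstance("X.509").generateCertificates(in);
    }

    /** Returns the number of certificates imported; a missing keystore is created, as keytool does. */
    public static int importTrusted(String certFile, String keystoreFile, char[] storePassword,
                                    String aliasPrefix) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        File f = new File(keystoreFile);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) { ks.load(in, storePassword); }
        } else {
            ks.load(null, storePassword);
        }
        int n = 0;
        try (InputStream in = new FileInputStream(certFile)) {
            for (Certificate c : readCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                // Trusted entry only (no private key). There is no keytool-style "trust this
                // certificate?" prompt here, so check the root's fingerprint before running this.
                ks.setCertificateEntry(aliasPrefix + "-" + n++, x);
                System.out.println("imported " + x.getSubjectX500Principal());
            }
        }
        try (OutputStream out = new FileOutputStream(f)) { ks.store(out, storePassword); }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // File names follow the page's P7B example; the password and alias prefix are placeholders.
        importTrusted("rootserver.p7b", "testkeytrust.jks", "changeit".toCharArray(), "rootca");
    }
}
```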


Summary:

1) A certificate in P12 format cannot be imported into a KeyStore with the keytool tool.

2) Sun's PKCS12 keystore does not support PFX-format certificates generated by IE and other Windows programs very well.

3) A P7B certificate chain cannot be imported into the KeyStore directly; you need to export the certificates inside it to CER format and then import each of them into the KeyStore.
