OpenSSL digital certificate common format and protocol introduction

Source: Internet
Author: User
Tags base64 begin rsa private key openssl pkcs12 pkcs7 microsoft iis pfx file

The main file types and protocols for certificates are: PEM, DER, PFX, JKS, KDB, CER, Key, CSR, CRT, CRL, OCSP, SCEP, etc.

Pem–openssl uses the PEM (privacy enhanced Mail) format to hold various information, which is the default way of storing information in OpenSSL. The PEM file in Openssl generally contains the following information: Content type: Indicates what information is stored in this file, which is in the form of "——-BEGIN xxxx--" and corresponds to the end of "--end xxxx--". Header information: Indicates that the data is stored if it is processed, OpenSSL uses the most encryption information, such as encryption algorithm and initialization Vector IV. Information body: Data encoded for BASE64. You can include all private keys (RSA and DSA), public key (RSA and DSA), and (X509) certificates. It stores the DER format data encoded in Base64, surrounded by an ASCII header, and is therefore suitable for text-mode transmission between systems.

Certificates stored in PEM format:
-–begin certificate-–
-–end certificate-–
Private key stored in PEM format:
-–begin RSA PRIVATE key-–
-–end RSA PRIVATE key-–
Certificate request file stored in PEM format:
-–begin Certificate request-–
-–end Certificate request-–

The der– Identification Code rule (DER) can contain all private keys, public keys, and certificates. It is the default format for most browsers and is stored in ASN1 DER format. It is no header-the PEM is surrounded by text headers DER.
The PFX or p12– public key Encryption Standard #12 (PKCS#12) can contain all private keys, public keys, and certificates. It is stored in binary format, also known as a PFX file. You can typically merge the "key file + CRT file" format that APACHE/OPENSSL uses into a standard PFX file, and you can import the PFX file format into Microsoft IIS 5/6, Microsoft ISA, Microsoft Exchange Server, and so on. You need to enter the encrypted password for the PFX file when converting.
jks– can typically convert the "Key file + CRT file format" used by APACHE/OPENSSL to a standard Java Key Store (JKS) file. JKS file format is widely used in Java-based Web servers, application servers, middleware. You can import JKS files into Tomcat, WEBLOGIC, and other software.
kdb– can typically convert the "key file + CRT file" format used by APACHE/OPENSSL to a standard IBM KDB file. The KDB file format is widely used in IBM Web servers, application servers, and middleware. You can import KDB files into software such as IBM HTTP Server, IBM Websphere, and so on.
CSR-Certificate Request file (certificate signing requests). Before generating a X509 digital certificate, the certificate request file is typically submitted by the user and then issued by the CA. The general process is as follows (the format standard for X509 certificate requests is pkcs#10 and rfc2314): The user generates their own public key pair; Construction of their own certificate application documents, in line with PKCS#10 standards. This file mainly includes the user information, the public key and some optional attribute information, and uses its own private key to sign the content; The user submits the certificate request file to the CA; The CA verifies the signature, extracts the user information, and adds other information (such as the issuer, etc.), and uses the CA's private key to issue a digital certificate; Description: A digital certificate (such as X.509) is a carrier of information that binds a user (or other entity) to the public key. A legal digital certificate should not only conform to the X509 format specification, but must also have a CA signature. Users not only have their own digital certificates, they must also have a corresponding private key. X509v3 digital certificates include: Certificate version, certificate serial number, Signature algorithm, issuer information, valid time, holder information, public key information, issuer ID, Holder ID, and extension.

The ocsp– Online Certificate Status Protocol (Ocsp,online certificate status protocol,rfc2560) is used to indicate the status of a certificate in real time. OCSP clients Query OCSP services to determine the status of a certificate, can provide users with one or more digital certificates of validity data, it establishes a real-time response mechanism, so that users can confirm the validity of each certificate in real time, solve the security problems caused by the CRL. OCSP can be implemented through the HTTP protocol. rfc2560 defines the message format for OCSP clients and service-side.
CER-generally refers to the use of a certificate in der format.
CRT-Certificate file. can be in PEM format.
Key-generally refers to the private key file in PEM format.
CRL-A certificate revocation list (Certification Revocation list) is a signature data structure that contains a list of revoked certificates. CRLs are published forms of certificate revocation status, and CRLs are like blacklist of credit cards that are no longer valid for publishing certain digital certificates. A CRL is an offline certificate status information. It is updated in a certain period of time. CRLs can be divided into full CRLs and delta CRLs. All the revoked certificate information is included in the complete CRL, and the delta CRL is a series of CRLs that indicate the revoked certificate information, and each CRL that is published is an incremental expansion of the previously published CRL. The basic CRL information is: The serial number of the revoked certificate, the revocation time, the revocation reason, the signer, and the CRL signature. CRL based authentication is a kind of less stringent certificate authentication. A CRL can prove that the revoked certificate in the CRL is invalid. However, it cannot give the status of a certificate that is not in the CRL. If the implementation of strict certification, the need to use online authentication, that is, OCSP certification. Typically a set of electronic documents signed by a CA, including a unique identification of the revoked certificate (the certificate serial number), which is used to list the digital certificates that have expired or been revoked. It is updated every once in a while, so the list must be downloaded regularly to get the latest information.
SCEP-Simple Certificate Enrollment protocol. File-based certificate enrollment requires copying and pasting text files from your local computer to the Certificate Publishing center, and copying and pasting from the Certificate Publishing center to your local computer. SCEP can handle this process automatically, but CRLs still need to manually copy and paste between the local computer and the CA Publishing Center.
pkcs7– Cryptographic Message Syntax (PKCS7) is a format standard for various message storage. These messages include: data, signature data, digital envelopes, signed digital envelopes, digest data, and encrypted data.
The PKCS12–PKCS12 (Personal digital certificate standard) is used for storing user certificates, CRLs, user private keys, and certificate chains. The private key in the PKCS12 is stored encrypted.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.