OpenSSL use 2 (SSL,X.509,PEM,DER,CRT,CER,KEY,CSR,P12 concept note)

Source: Internet
Author: User
Tags: openssl rsa, openssl x509, pfx file

SSL

SSL - Secure Sockets Layer. Strictly speaking it should now be called "TLS", but out of habit most people still say "SSL". HTTP is not encrypted by default, so its content can be eavesdropped on while it travels over the network. Where security requirements are high it must be encrypted: HTTPS is HTTP with encryption, and that encryption is built on SSL. SSL works at a lower layer, so whatever your server program did before encryption it keeps doing after encryption; nothing has to change, and the encryption is transparent to both users and developers. More: Wikipedia

OpenSSL - Simply put, OpenSSL is an implementation of SSL; SSL itself is only a specification. In theory SSL is a secure specification that current technology cannot practically break, but an SSL implementation can have holes, the famous "Heartbleed" bug being one example. OpenSSL also ships a large set of powerful tools, 90% of which most of us never get to use.

Certificate standards

X.509 - This is the certificate standard; it defines exactly what a certificate must contain. For details see RFC 5280. It is the certificate standard that SSL uses.

Encoding format

The same certificate can be stored in different encodings; two encodings are in use today.

PEM - Privacy Enhanced Mail. Opened in an editor it is text: it starts with "-----BEGIN ...", ends with "-----END ...", and the content in between is Base64 encoded.

To view information about a PEM-formatted certificate:

openssl x509 -in certificate.pem -text -noout

Apache and *nix servers tend to use this encoding format.

DER - Distinguished Encoding Rules. Opened in an editor it is binary and unreadable.

To view information about a DER-formatted certificate:

openssl x509 -in certificate.der -inform der -text -noout

Java and Windows servers tend to use this encoding format.

Related file extensions

This is where it gets confusing. We now know the two encodings, PEM and DER, but the file extension is not necessarily ".pem" or ".der". Besides those two, the common extensions below are also seen. They can differ not only in encoding but also in what they contain, although most of them can be converted into each other's encoding.

CRT - CRT is presumably short for "certificate", and that is what it means. It is common on *nix systems and may be PEM or DER encoded, most often PEM. By now you know how to tell the two apart.

CER - also short for "certificate". It is common on Windows systems and likewise may be PEM or DER encoded, most often DER.

KEY - usually holds a public key or a private key, not a certificate. Again, the encoding may be PEM or DER.

How to view a key:

openssl rsa -in mykey.key -text -noout

For DER format it is:

openssl rsa -in mykey.key -text -noout -inform der

CSR - Certificate Signing Request. This is not a certificate but a request to obtain a signed certificate from an authoritative certification authority (CA). Its core is a public key (plus some other information). Generating the request also generates a private key, which you keep to yourself. Anyone who has built an iOS app will know this from applying for a developer certificate from Apple.

How to view it:

openssl req -noout -text -in my.csr

(If the CSR is in DER format, add -inform der as before; not shown here.)
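The post says extensions like .crt, .cer and .key tell you nothing reliable about the encoding or the content, so here is an added example (not from the original post) that classifies a file by its bytes instead: it tells PEM from DER, reads the PEM armor label to pick the matching openssl subcommand, and builds the "-text -noout" dump command. DER files carry no label, so for those the caller must name the object type; the file names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): tell PEM from DER by
# content rather than by extension, read the PEM armor label to pick the
# matching openssl subcommand, and build the "-text -noout" dump command.

# Print "pem" when the file carries a "-----BEGIN ..." armor line, "der"
# when its first byte is the ASN.1 SEQUENCE tag 0x30, else "unknown".
detect_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Map the first PEM armor label to the openssl subcommand that parses it;
# .crt/.cer/.key say nothing reliable, the label inside the file does.
pem_label_cmd() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    case "$label" in
        CERTIFICATE)                                     echo x509 ;;
        'CERTIFICATE REQUEST'|'NEW CERTIFICATE REQUEST') echo req ;;
        'RSA PRIVATE KEY')                               echo rsa ;;
        'PRIVATE KEY'|'ENCRYPTED PRIVATE KEY')           echo pkey ;;
        'PUBLIC KEY')                                    echo 'pkey -pubin' ;;
        *)                                               echo unknown ;;
    esac
}

# Build the dump command. DER has no label, so the caller says which
# object a DER file holds ($2: x509, req, rsa or pkey; default x509),
# and the command gets "-inform der" as the post describes.
inspect_cmd() {
    case "$(detect_format "$1")" in
        pem) echo "openssl $(pem_label_cmd "$1") -in $1 -text -noout" ;;
        der) echo "openssl ${2:-x509} -inform der -in $1 -text -noout" ;;
        *)   echo "cannot classify $1" ;;
    esac
}

# Usage: ./inspect.sh server.crt win.cer my.key  (prints one command each)
if [ $# -gt 0 ]; then
    for f in "$@"; do inspect_cmd "$f"; done
fi
```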

PFX/P12 - the predecessor of PKCS#12. On *nix servers the CRT and KEY are usually kept in separate files, but Windows IIS puts both into one PFX file, so that file contains the certificate together with the private key. Is that unsafe? Not really: a PFX usually has an "extraction password", and whoever wants to read it out is asked for that password. PFX uses DER encoding. How do you convert a PFX to PEM?

openssl pkcs12 -in <your-file.pfx> -out for-iis.pem -nodes

(<your-file.pfx> is a placeholder for the PFX file; the input file name is missing from the original page.)

You will be prompted for the extraction password. for-iis.pem is then readable text.

The command to generate a PFX looks like this:

openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx -certfile CACert.crt

Here CACert.crt is the root certificate of the CA (the authoritative certification authority), also brought in with the -certfile parameter. So a PFX is really a certificate keystore.

JKS - Java Key Store, a Java-specific format unrelated to OpenSSL. With a Java tool called "keytool" you can convert a PFX to a JKS; keytool can of course also generate a JKS directly. It is not covered further here.

Conversion of certificate encoding

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

(Hint: converting a key file works the same way with x509 replaced by rsa; for a CSR, replace x509 with req.)

Get a certificate

Request a certificate from an authoritative certification authority

Use this command to generate a CSR:

openssl req -newkey rsa:2048 -new -nodes -keyout my.key -out my.csr

Hand the CSR to the CA, the CA signs it, and you are done. Keep the CSR: when the certificate issued by the CA expires you can apply for a new certificate with the same CSR, and the key stays unchanged.

Or generate a self-signed certificate

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

While generating the certificate you will be asked to fill in a pile of things; in fact only the Common Name matters. Usually you enter your server's domain name, such as "yourcompany.com", or the server's IP address; the rest can be left blank.

In production, do not use a self-signed certificate, because browsers will not recognise it; for an internal enterprise application you can force users' browsers to accept your self-signed certificate, which is also fine. Getting a certificate from a CA usually costs money, but free ones now exist that only need simple domain validation. Check out "Wosign digital certificate".
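As an added example (not from the original post) that ties the self-signed procedure above to the PFX section: it generates a key and self-signed certificate non-interactively (the -subj option answers the questions, and only the CN is given, as the post says), bundles them into a password-protected PFX the way IIS wants it, unpacks the PFX back into separate PEM certificate and key files, and checks that the extracted private key really belongs to the certificate. Directory, file names and the password are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): key + self-signed cert,
# pack into a PFX with an extraction password, unpack to PEM, and verify
# that the certificate and the extracted private key form a pair.
set -u

# Generate key.pem / cert.pem in directory $1 for common name $2.
# -subj answers the interactive questions; only the CN is filled in.
make_self_signed() {
    openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Bundle cert + key into cert.pfx; $2 is the "extraction password".
make_pfx() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/cert.pfx" -passout "pass:$2"
}

# Unpack cert.pfx into the separate files a *nix server expects:
# -nocerts gives only the key (-nodes: unencrypted), -clcerts -nokeys
# gives only the end-entity certificate (no CA chain, no key).
unpack_pfx() {
    openssl pkcs12 -in "$1/cert.pfx" -passin "pass:$2" -nocerts -nodes \
        -out "$1/from-pfx.key" 2>/dev/null &&
    openssl pkcs12 -in "$1/cert.pfx" -passin "pass:$2" -clcerts -nokeys \
        -out "$1/from-pfx.crt" 2>/dev/null
}

# Return 0 when the public key embedded in certificate $1 equals the
# public key derived from private key $2, i.e. they belong together.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Whole round trip in directory $1 for CN $2 with password $3;
# returns 0 only if every step succeeds and the pair matches.
pfx_roundtrip() {
    make_self_signed "$1" "$2" && make_pfx "$1" "$3" &&
    unpack_pfx "$1" "$3" &&
    key_matches_cert "$1/from-pfx.crt" "$1/from-pfx.key"
}

# Usage: ./pfx-roundtrip.sh /tmp/work yourcompany.com s3cret
if [ $# -eq 3 ]; then
    pfx_roundtrip "$1" "$2" "$3" && echo "key and certificate match"
fi
```

The same -nocerts / -clcerts split also works on a PFX exported from IIS, which is the case the post describes.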

Original: http://www.cnblogs.com/guogangj/p/4118605.html
