Some basic knowledge about CA certificates

Source: Internet
Author: User
Tags: base64, openssl, openssl rsa, openssl x509, pkcs12, csr, certificate

Description: Sections 1 and 2 are mainly taken from Apple documentation; sections 3 and 4 are mainly taken from Internet search results.

1. The format of a certificate

Certificates (such as the root certificate of a CA) usually come in one of two formats:

(1) Binary format, commonly used by the keychain tools on OS X and by the platform's Security framework. Certificates in binary format go by many names (BER, DER, CER and so on), which correspond to a number of file extensions (.cer, .der, .crt and so on).

(2) Text format, generally used by the OpenSSL toolset. The text format is called PEM and its standard extension is .pem, but a .pem file does not necessarily hold a certificate (PEM files can hold more than just certificates), so a PEM file that holds only a certificate typically has a .crt extension instead.

Note: As the above shows, the .crt extension is used for both the binary and the text format.

The OpenSSL command-line tool can convert a certificate between the two formats. For example, the command to convert a certificate from binary format to text format is:

$ openssl x509 -inform der -in mouseca.cer -out mouseca.pem

2. The format of a digital identity

A digital identity exported from the keychain on a Mac is typically in Personal Information Exchange (.p12) format, which is sometimes exactly what is required. Sometimes, however, another format is needed: configuring Apache, for example, uses two PEM files, one for the certificate and one for the private key (the certificate typically goes in /etc/apache2/server.crt and the private key in /etc/apache2/server.key), so the identity has to be converted.

The OpenSSL command-line tool can also convert the format of a digital identity. The commands are as follows:

$ # First extract the server certificate.
$
$ openssl pkcs12 -in "deep thought.p12" -nokeys -out server.crt
Enter Import Password: ***
MAC verified OK
$
$ # Next extract the server private key.
$
$ openssl pkcs12 -in "deep thought.p12" -nocerts -nodes -out server.key
Enter Import Password: ***
MAC verified OK
Note: (1) The conversion prompts for the password of the .p12 file.

(2) If you want to keep the key secure, do the conversion on the web server itself: -nodes writes the private key out unencrypted, whereas during transfer the key stays protected by the password of the .p12 file.

3. Certificate types

There are two encoding formats for X.509 certificates:
1. PEM (Privacy-Enhanced Electronic Mail) is a clear-text format that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----; the content in between is base64 encoded. The certificate Apache needs is encoded this way. The command to view the information in a certificate of this type is:
$ openssl x509 -noout -text -in server.pem
In fact, PEM is simply a base64 encoding of the DER content.
2. DER is a binary-format certificate. The command to view the information in a certificate of this type is:
$ openssl x509 -noout -text -inform der -in server.der

4. Extensions
.crt: a certificate file, which can be either DER (binary) or PEM (ASCII, base64) encoded; more common on Unix-like systems.
.cer: also a certificate file, more common on Windows; the encoding can likewise be DER or PEM, and Windows has tools to convert .crt to .cer.
.csr: a certificate signing request. After generating the request you send it to the CA; the CA signs it and returns your certificate.
.key: generally used for a public key or a private key; can be DER or PEM encoded. The command to view a DER-encoded key file is:
$ openssl rsa -inform der -noout -text -in xxx.key
and the command to view a PEM-encoded key file is:
$ openssl rsa -inform pem -noout -text -in xxx.key
(add -pubin when the file holds a public key rather than a private key).
.p12: a certificate file containing an X.509 certificate and a password-protected private key.
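The conversions of sections 1, 2 and 4 chained into one script, as an added example that is not code from the article or from Apple's documentation: it generates a throwaway self-signed certificate, shows that PEM is just the base64 of the DER bytes, decides a .crt file's encoding from its content rather than its name, and packs and unpacks a .p12 identity into the server.crt / server.key pair. The file names, the subject and the .p12 password are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the article or Apple's documentation: run the conversions the
# article describes with the openssl CLI. File names, subject and P12 password are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }
WORK=$(mktemp -d)
P12PASS='example-password'   # constructed; a real one is set when exporting from Keychain Access

# Section 1: PEM is base64 of DER, so DER -> PEM -> base64-decode must give the DER bytes back.
convert_formats() {
    # Throwaway self-signed certificate and key in PEM, standing in for a real CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mouseca example" \
        -keyout "$WORK/mouseca.key" -out "$WORK/mouseca.pem" 2>/dev/null
    openssl x509 -in "$WORK/mouseca.pem" -outform der -out "$WORK/mouseca.cer"
    openssl x509 -inform der -in "$WORK/mouseca.cer" -out "$WORK/roundtrip.pem"
    # Drop the BEGIN/END armour and decode: the result is byte-identical to the .cer file.
    sed '/^-----/d' "$WORK/roundtrip.pem" | openssl base64 -d > "$WORK/decoded.der"
    cmp -s "$WORK/mouseca.cer" "$WORK/decoded.der"
}

# Note in section 1: .crt may hold either encoding, so decide from the content, not the name.
crt_format() {
    if grep -q -- '-----BEGIN' "$1"; then echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = 30 ]; then echo der   # 0x30 = DER SEQUENCE
    else echo unknown; fi
}

# Section 2: build a .p12 identity, then split it into the server.crt / server.key pair Apache
# expects. -nodes writes the key unencrypted, so run this on the machine where the key will live.
split_identity() {
    openssl pkcs12 -export -in "$WORK/mouseca.pem" -inkey "$WORK/mouseca.key" \
        -out "$WORK/deep thought.p12" -passout "pass:$P12PASS"
    openssl pkcs12 -in "$WORK/deep thought.p12" -nokeys -passin "pass:$P12PASS" \
        -out "$WORK/server.crt"
    openssl pkcs12 -in "$WORK/deep thought.p12" -nocerts -nodes -passin "pass:$P12PASS" \
        -out "$WORK/server.key"
    chmod 600 "$WORK/server.key"   # the certificate is public, the private key is not
    # Sections 3 and 4: the extracted pair belongs together only if the public keys match.
    [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

convert_formats
split_identity
openssl x509 -noout -subject -in "$WORK/server.crt"   # inspect the result, as in section 3
echo "converted files are in $WORK"
```

The extracted server.crt and server.key still carry the "Bag Attributes" lines that openssl pkcs12 prints before the PEM block; openssl and Apache skip that text, so they can be used as-is.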


5. Terminology

X.509 certificate: a specific type of digital certificate (often simply called a certificate). It is the only type of certificate relevant to TLS.


Reference documents: Creating Certificates for TLS Testing

Self-signed certificate and self-built certificate

