Notes on the files involved in HTTPS

Source: Internet
Author: User
Tags: begin rsa private key, dname, openssl, x509, pkcs12

Keystore

The file in which the public key is stored. The party that owns this certificate uses it to prove its own identity; for example, the server proves to the client that the server holds what is bound to this file. When the client sends a request to the server, the server generates from this file (the exact process is unclear to me and may be described incorrectly) the proof that it sends to the client, and the client verifies it.

keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore C:\tomcat.keystore -dname "CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn" -storepass password -keypass password

CER

A file exported from the keystore (or from other certificates) that contains only the certificate and the public key. This type of file is generally imported on the side that performs the verification, so that it can match the certificate presented by the other party. For example, under Windows a CER file can be imported into the browser by double-clicking it; the browser then uses this file to verify the certificate sent by the server.

keytool -export -alias tomcat -keystore c:\tomcat.keystore -file c:\tomcat.cer -storepass password

CRT

Similar to CER. The difference (according to Baidu) is that CRT files may be in binary or text format, and are mostly text, whereas CER is generally binary. This file can also be imported by double-clicking it under Windows.


Truststore

It is derived from a CER file (or another file with the same function) by running a command. Its function should be similar to that of the CER file: CER and the like are mostly used by IE and other browsers, while the truststore is mostly used by the side that has to perform the verification in code, such as the HTTPS function of HttpClient. Note that the command below uses -keystore to name the truststore it generates.

keytool -import -file ../server/server.cer -keystore client.truststore -alias server

P12

Similar in function to the keystore. It is generally needed for HTTPS mutual authentication: the client verifies the server, which uses a keystore, and the server verifies the client, which uses a p12. Under Windows the p12 can be imported directly by double-clicking it, whereas the keystore cannot. (For two-way authentication with a Windows client, two files must be imported, the CER and the p12: the CER is used to verify the server, and the p12 is used to be verified by it.) In non-Windows environments it is also feasible for the client to use a keystore when the server verifies the client. The command below shows that, compared with the keystore generation command, only -storetype PKCS12 is added to generate the p12.

keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -validity 3650 -keystore c:\my.p12 -dname "CN=mykey, OU=cn, O=cn, L=cn, ST=cn, C=cn" -storepass password -keypass password

JKS

Java key store, generally used in Java environments. Its function is exactly the same as that of the keystore above; the two differ only in suffix and are in fact keystores in different formats. Sometimes you have to specify the keystore format when reading these files, giving JKS or PKCS12 so that the program uses the correct API to interpret them.

keytool -keystore tomcat.jks -keypass 222222 -storepass 222222 -alias tomcat -genkey -keyalg RSA -dname "CN=servername, OU=servers, O=abcom"

Others (copied from Baidu):

PKCS stands for Public-Key Cryptography Standards. It is a series of standards developed by RSA Laboratories together with other security system developers to promote the development of public key cryptography. PKCS has published 15 standards. Commonly used ones:
PKCS #7 Cryptographic Message Syntax Standard
PKCS #10 Certification Request Standard
PKCS #12 Personal Information Exchange Syntax Standard

X.509 is a common certificate format. All certificates comply with the ITU-T X.509 international standard for public key infrastructure (PKI).

PKCS #7 common suffixes: .p7b .p7c .spc
PKCS #12 common suffixes: .p12 .pfx
X.509 DER encoding (ASCII) suffixes: .der .cer .crt
X.509 PEM encoding (base64) suffixes: .pem .cer .crt
.cer/.crt is used to store certificates. It is in binary format and does not contain the private key.
The difference between .pem and .crt/.cer is that .pem is represented in ASCII.
.pfx/.p12 is used to store the personal certificate/private key. It usually has a password and is in binary form.
.p10 is a certificate request.
.p7r is the CA's reply to the certificate request and is used only for import.
.p7b shows the certificate chain as a tree. It also supports a single certificate, without the private key.
------
Xiaomei note:
DER and CER files are generally in binary format. They contain only the certificate and not the private key.
A CRT file may be in binary or text format; it is mostly text, and has the same function as DER/CER.
PEM files are generally in text format. Certificates, private keys, and
If a PEM file contains only the private key, it generally uses the .key extension and may be password protected.
PFX and P12 files are in binary format and contain both the private key and the certificate. They usually have a protecting password.
How can you tell whether a file is in text or binary format? Open it in Notepad. If it consists of ordinary digits and letters, such as
-----BEGIN CERTIFICATE-----
Miie9jcca96gawibagiqvxd9wgivhjm//a3vicdjanbgkqhkig9w0baqufadby
-----END CERTIFICATE-----
then it is text. The BEGIN CERTIFICATE row above indicates that this is a certificate.
If it reads -----BEGIN RSA PRIVATE KEY-----, it is a private key.
A private key in text format may also be password protected.
How does the text format become binary? From a program's perspective: remove the leading and trailing ----- rows, remove the carriage returns, and base64-decode the remaining rows to obtain the binary data.
In practice, however, you normally use the OpenSSL command line to do this.
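The text-to-binary step just described, as an added example that is not part of the original post: a small Python inspector that applies the Notepad test in code, strips the BEGIN/END rows and the line breaks, base64-decodes the body into DER, and also handles the header rows that a password-protected legacy key carries. The PEM blobs and the DER payload it works on are constructed here and are not real certificates.

```python
import base64
import re
from typing import Dict, Tuple

# Constructed sample payload: a tiny ASN.1 SEQUENCE { INTEGER 5, INTEGER 7 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\r\n"
              + "-----END CERTIFICATE-----\r\n").encode()
# Constructed sample in the legacy OpenSSL style for a password-protected key: header rows
# follow the BEGIN row and are separated from the base64 body by one blank row.
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                        + base64.b64encode(SAMPLE_DER).decode() + "\n"
                        + "-----END RSA PRIVATE KEY-----\n").encode()

BLOCK_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def detect_format(data: bytes) -> str:
    """The Notepad test in code: armoured text is 'pem'; binary opening with the SEQUENCE tag 0x30 is 'der'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def pem_to_der(data: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Remove the BEGIN/END rows, drop the line breaks, base64-decode the rest into DER."""
    m = BLOCK_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1).decode()
    rows = m.group(2).decode().splitlines()
    headers: Dict[str, str] = {}
    while rows and ":" in rows[0]:            # base64 never contains ':', so these rows are headers
        key, value = rows.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    der = base64.b64decode("".join(rows), validate=True)   # join() discards the CR/LF between rows
    if der[:1] != b"\x30":
        raise ValueError("decoded payload does not start with an ASN.1 SEQUENCE")
    return label, headers, der

def der_to_pem(label: str, der: bytes) -> str:
    """The reverse direction: base64-encode, wrap at 64 columns, add the BEGIN/END rows."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

A Proc-Type header of 4,ENCRYPTED in the returned headers is how the legacy format marks a password-protected key.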
-----
Use OpenSSL to create the RSA key for the CA certificate (in PEM format):
openssl genrsa -des3 -out ca.key 1024

Use OpenSSL to create the CA certificate (in PEM format, with a validity period of one year):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -config openssl.cnf
OpenSSL can also generate the CA certificate in DER format, but it is best to use IE to convert the PEM-format CA certificate into DER format.

x509 to pfx
openssl pkcs12 -export -in keys/client1.crt -inkey keys/client1.key -out keys/client1.pfx

Convert the PEM-format ca.key to the PVK format that Microsoft tools recognize
pvk -in ca.key -out ca.pvk -nocrypt -topvk
Conversion from PKCS #12 to PEM
Private key: openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem
Certificate: openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
Extract the private key file (.key) from a PFX file
openssl pkcs12 -in mycert.pfx -nocerts -nodes -out mycert.key
Convert PEM to SPC
openssl crl2pkcs7 -nocrl -certfile venus.pem -outform DER -out venus.spc
Use -outform and -inform to specify the DER or PEM format. For example:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Convert PEM to PKCS #12
openssl pkcs12 -export -in cert.pem -out cert.p12 -inkey key.pem

Let me try again:

For one party in HTTPS there are three elements in total: the public/private key pair, the certificate used to verify the other side's certificate, and the certificate that the other side verifies. These three can be combined into files in different ways depending on the scenario, but generally the public/private key pair plus the certificate that others verify are put in one file, and the certificate used to verify others is in another file; there is also a form in which all three elements are in a single file (such as a P12 file). But I have never seen a setup with three separate files.
