Those related to certificates (SSL,X.509,PEM,DER,CRT,CER,KEY,CSR,P12, etc.) [ZZ]

Source: Internet
Author: User
Tags: openssl rsa openssl x509 pkcs12 pfx file

Reprinted 2015-06-09 20:21:04
The concepts around certificates are genuinely confusing if you have never dealt with certificates or encryption before: a whole set of new terms appears that sounds like it belongs to some other field, not to the programming world we are familiar with. At least that is how I felt, and for a long time I did not understand them. The purpose of this article is to clarify these concepts, explain what each one means and how they relate, and show some basic operations.
SSL - Secure Sockets Layer. Strictly speaking it should now be called TLS, but out of habit most people still say SSL. HTTP is not encrypted by default, so its content can easily be eavesdropped on in transit; where security requirements are high, it must be encrypted. HTTPS is HTTP with encryption, and that encryption is based on SSL. It works at a lower layer than the application: whatever your server program did before encryption was added, it keeps doing afterwards, unchanged, so the encryption is transparent to both users and developers. See Wikipedia for more.
OpenSSL - Simply put, OpenSSL is an implementation of SSL; SSL itself is only a specification. In theory SSL is a secure specification that is hard to break with today's technology, but an implementation of it can have flaws, the famous example being Heartbleed. OpenSSL also ships a large set of powerful command-line tools, 90% of which we will probably never use.
Certificate standards
X.509 - This is a certificate standard: it defines exactly what a certificate should contain. For details see RFC 5280; X.509 is the certificate standard used by SSL.
Encoding format
The same certificate can be stored in different encodings; there are currently two.
PEM - Privacy Enhanced Mail. Opened in a text editor it starts with "-----BEGIN ...", ends with "-----END ...", and the content in between is Base64 encoded. To view the information in a PEM certificate: openssl x509 -in certificate.pem -text -noout. Apache and *nix servers tend to use this encoding.
DER - Distinguished Encoding Rules. Opened in an editor it is binary and unreadable. To view the information in a DER certificate: openssl x509 -in certificate.der -inform der -text -noout. Java and Windows servers tend to use this encoding.
Related file extensions
This is where it gets misleading. We now know the two encodings, PEM and DER, but the file extension is not necessarily "pem" or "der". Besides PEM and DER, the following extensions are common; beyond possibly differing in encoding, their contents also differ, although most of them can be converted between the two encodings.
CRT - CRT is presumably the first three letters of "certificate", and indeed it means certificate. It is common on *nix systems and may be PEM or DER encoded, though most are PEM. I believe you already know how to tell the two apart.
CER - also short for certificate. Common on Windows systems; again it may be PEM or DER encoded, though most are DER.
KEY - usually used to hold a public key or a private key; it is not a certificate. Again the encoding may be PEM or DER. To view a key: openssl rsa -in mykey.key -text -noout. If it is in DER format, the same idea applies: openssl rsa -in mykey.key -text -noout -inform der
CSR - Certificate Signing Request. This is not a certificate but a request to obtain a signed certificate from an authoritative certification authority (CA). Its core is a public key (plus, of course, some other information). When the request is generated, a private key is generated along with it, and that private key must be kept safe by its owner. Anyone who has built an iOS app will recognise this from applying for a developer certificate from Apple. To view a CSR: openssl req -noout -text -in my.csr (for DER format add -inform der; this is not repeated below).
PFX/P12 - PFX is the predecessor of PKCS#12. On *nix servers the CRT and KEY are generally stored separately in different files, but Windows IIS keeps them together in one PFX file, so this file contains both the certificate and the private key. Isn't that insecure? No: a PFX usually has an "extraction password", and you must supply it to read the contents. PFX uses DER encoding. How do you convert a PFX to PEM? openssl pkcs12 -in for-iis.pfx -out for-iis.pem -nodes. You will be prompted for the extraction password, and for-iis.pem is then readable text. The command to generate a PFX looks like this: openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile CACert.crt, where CACert.crt is the root certificate of the CA (authoritative certification authority), included via the -certfile parameter. So a PFX is really a certificate keystore.
JKS - Java Key Storage. This is a Java-specific format and has nothing to do with OpenSSL. With the Java tool called keytool you can convert a PFX to a JKS; keytool can of course also generate a JKS directly, but that is not covered here.
Conversion of certificate encoding
PEM to DER: openssl x509 -in cert.crt -outform der -out cert.der
DER to PEM: openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
(Hint: converting a key file is similar, but replace x509 with rsa; to convert a CSR, replace x509 with req ...)
Get a certificate
Request a certificate from an authoritative certification authority
Generate a CSR with this command: openssl req -newkey rsa:2048 -new -nodes -keyout my.key -out my.csr. Send the CSR to the authoritative certification authority, which signs it, and you are done. Keep the CSR: when the certificate issued by the CA expires you can use the same CSR to request a new one, and the key stays unchanged.
Or generate a self-signed certificate: openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem. While generating the certificate you will be asked to fill in a number of fields; the only one that really matters is the Common Name, usually your server's domain name, such as "", or your server's IP address; the rest can be left blank. Do not use self-signed certificates in production, because browsers will not recognise them, unless you are building an enterprise application and can force users' browsers to accept your self-signed certificate. Getting a certificate from an authority usually costs money, but now it can be free, with only a simple domain verification. If you are interested, look up "WoSign digital certificate".
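The following script, added here as an example and not part of the original post, runs the commands from the encoding-conversion, PFX and certificate-generation sections end to end and adds the checks a practitioner would want: that the PEM and DER copies are the same certificate, that the key extracted from the PFX really belongs to the certificate, and that the CSR's own signature verifies. It assumes the openssl CLI is installed; the Common Name example.test and the password changeit are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the openssl CLI;
# example.test and the password "changeit" are constructed demo values.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
PASS='changeit'   # constructed PKCS#12 "extraction password"

# Self-signed certificate plus a fresh RSA key. -subj answers the interactive
# prompts; as the article says, only the Common Name matters.
make_selfsigned() {
  openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
    -keyout key.pem -out cert.pem -subj "/CN=example.test" >/dev/null 2>&1
}

# PEM -> DER -> PEM round trip. Succeeds only if both encodings describe the
# same certificate, compared by SHA-256 fingerprint (encoding-independent).
roundtrip_ok() {
  openssl x509 -in cert.pem -outform der -out cert.der
  openssl x509 -in cert.der -inform der -outform pem -out cert2.pem
  fp_a=$(openssl x509 -in cert.pem -noout -fingerprint -sha256)
  fp_b=$(openssl x509 -in cert2.pem -noout -fingerprint -sha256)
  [ "$fp_a" = "$fp_b" ]
}

# Bundle certificate and key into a PFX, then extract them again with -nodes.
# Succeeds only if the extracted key belongs to the certificate (same modulus).
pfx_roundtrip_ok() {
  openssl pkcs12 -export -out for-iis.pfx -inkey key.pem -in cert.pem \
    -passout "pass:$PASS"
  openssl pkcs12 -in for-iis.pfx -out for-iis.pem -nodes -passin "pass:$PASS"
  key_mod=$(openssl rsa -in for-iis.pem -noout -modulus)
  cert_mod=$(openssl x509 -in for-iis.pem -noout -modulus)
  [ "$key_mod" = "$cert_mod" ]
}

# A CSR made from the existing key, as you would send to a CA. -verify checks
# the CSR's self-signature, which proves the requester holds the private key.
csr_ok() {
  openssl req -new -key key.pem -out my.csr -subj "/CN=example.test"
  openssl req -in my.csr -noout -verify >/dev/null 2>&1
}

make_selfsigned
roundtrip_ok && echo "PEM/DER round trip: same certificate"
pfx_roundtrip_ok && echo "PFX round trip: key matches certificate"
csr_ok && echo "CSR signature verifies"
```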
