{"id":1299,"date":"2011-11-11T15:39:16","date_gmt":"2011-11-11T15:39:16","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1299"},"modified":"2014-03-06T17:08:59","modified_gmt":"2014-03-06T17:08:59","slug":"ssl-certificates-and-encoding","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1299","title":{"rendered":"SSL Certificates and Encoding"},"content":{"rendered":"<p>At its core an X.509 certificate is a digital document that has been encoded and\/or digitally signed according to RFC 5280.<\/p>\n<p>In fact, the term <em>X.509 certificate<\/em> usually refers to the IETF\u2019s PKIX Certificate and <a title=\"Certificate revocation list\" href=\"http:\/\/en.wikipedia.org\/wiki\/Certificate_revocation_list\" target=\"_blank\">CRL<\/a> Profile of the X.509 v3 certificate standard, as specified in <a href=\"http:\/\/tools.ietf.org\/html\/rfc5280\">RFC 5280<\/a>, commonly referred to as PKIX for <em>Public Key Infrastructure (X.509)<\/em>.\u00a0 <em>(See <a href=\"http:\/\/darenmatthews.com\/blog\/?p=1998\">this post<\/a> for an explanation of the SSL\/TLS Handshake and Record Protocols)<\/em>.<!--more--><\/p>\n<h2>X.509 File Extensions<\/h2>\n<p>The first thing we have to understand is what each type of file extension is.\u00a0\u00a0 There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable.\u00a0 While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly.\u00a0 Correctly labeled certificates will be much easier to manipulate.<\/p>\n<h3>Encodings (also used as extensions)<\/h3>\n<p>To understand how to convert one certificate from one format to another it\u2019s useful to understand how to identify the formats:<\/p>\n<ul>\n<li><strong>Privacy Enhanced Mail (PEM)<\/strong> \u2013 This is one of the most common formats you will see; it\u2019s easily identifiable because it always starts and ends 
with \u201cPEM Armor\u201d: a header and a footer that declare what is in between them. For example:<\/li>\n<\/ul>\n<pre>-----BEGIN CERTIFICATE-----\r\n-----END CERTIFICATE-----\r\nOr\r\n-----BEGIN PRIVATE KEY-----\r\n-----END PRIVATE KEY-----\r\nOr\r\n-----BEGIN PKCS7-----\r\n-----END PKCS7-----<\/pre>\n<ul>\n<li><strong>PKCS #7 (P7B)<\/strong> \u2013 This format lets you represent a set of certificates; for example, a certificate chain might be encoded as a P7B.<\/li>\n<li><strong>PKCS #12\/PFX\/P12<\/strong> \u2013 This format lets you put a private key and a certificate into a single file.<\/li>\n<li><strong>Base64<\/strong> \u2013 In the PEM format you will see a sequence of ASCII characters; this is Base64 encoded binary data.<\/li>\n<li><strong>Distinguished Encoding Rules (DER)<\/strong> \u2013 This is a binary format commonly used to represent certificate related data.<\/li>\n<\/ul>\n<ul>\n<li><span style=\"color: #993300;\">.DER<\/span> = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.\u00a0\u00a0 Proper English usage would be \u201cI have a DER encoded certificate\u201d not \u201cI have a DER certificate\u201d.<\/li>\n<li><span style=\"color: #993300;\">.PEM<\/span> = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a \u201c-----BEGIN \u2026\u201d line.<\/li>\n<\/ul>\n<h3>Common Extensions<\/h3>\n<ul>\n<li><span style=\"color: #993300;\">.CRT<\/span> = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. 
The CER and CRT extensions are nearly synonymous.\u00a0 CRT is most common on *nix systems.<\/li>\n<li><span style=\"color: #993300;\">.CER<\/span> = alternate form of .crt (Microsoft convention). Windows tools can convert .crt to .cer (either DER encoded .cer or Base64 [PEM] encoded .cer).\u00a0 The <strong>.cer<\/strong> file extension is also recognized by IE as a command to run a MS CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and\/or viewing certificate contents.<\/li>\n<li><span style=\"color: #993300;\">.KEY<\/span> = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.<\/li>\n<\/ul>\n<p>The only time CRT and CER can safely be interchanged is when the encoding type is identical.\u00a0 (i.e. PEM encoded CRT = PEM encoded CER)<\/p>\n<h2>Common OpenSSL Certificate Manipulations<\/h2>\n<p>There are four basic types of certificate manipulation: View, Transform, Combination, and Extraction.<\/p>\n<h3>View<\/h3>\n<p>Even though PEM encoded certificates are ASCII they are not human readable.\u00a0 Here are some commands that will let you output the contents of a certificate in human readable form:<\/p>\n<h4>View PEM encoded certificate<\/h4>\n<p>Use the command that matches the extension of your certificate, replacing cert.xxx with the name of your certificate:<\/p>\n<pre>openssl x509 -in cert.pem -text -noout\r\nopenssl x509 -in cert.cer -text -noout\r\nopenssl x509 -in cert.crt -text -noout<\/pre>\n<p>If you get the following error it means that you are trying to view a DER encoded certificate and need to use the command in the \u201cView DER encoded certificate\u201d section below:<\/p>\n<pre>unable to load certificate\r\n12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE<\/pre>\n<h4>View DER encoded 
Certificate<\/h4>\n<pre>openssl x509 -in certificate.der -inform der -text -noout<\/pre>\n<p>If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the \u201cView PEM encoded certificate\u201d section above:<\/p>\n<pre>unable to load certificate\r\n13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:\r\n13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509<\/pre>\n<h3>Transform<\/h3>\n<p>Transforms take a certificate from one encoding to another (e.g. PEM to DER conversion).<\/p>\n<h4>PEM to DER<\/h4>\n<pre>openssl x509 -in cert.crt -outform der -out cert.der<\/pre>\n<h4>DER to PEM<\/h4>\n<pre>openssl x509 -in cert.der -inform der -outform pem -out cert.pem<\/pre>\n<h4>PKCS#12\u00a0(.pfx .p12)\u00a0containing a private key and certificates to PEM<\/h4>\n<pre>openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes<\/pre>\n<p>(You can add <code>-nocerts<\/code> to only output the private key, or add <code>-nokeys<\/code> to only output the certificates. Note that <code>-nodes<\/code> writes the private key to the output file unencrypted.)<\/p>\n<h4>PEM certificate file and a private key to PKCS#12 (.pfx .p12)<\/h4>\n<pre>openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt<\/pre>\n<h3>Combination<\/h3>\n<p>In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file.\u00a0 One common example would be to combine both the private key and the public key into the same file.<\/p>\n<p>The easiest way to combine certs, keys and chains is to convert each to PEM encoding and then simply copy the contents of each file into a new file.\u00a0\u00a0 This is suitable for combining files for use in applications like Apache.<\/p>\n<h3>Extraction<\/h3>\n<p>Some certs will come in a combined form, where one file can contain any of: Certificate, Private Key, Public Key, Signed Certificate, 
Certificate Authority (CA), and\/or Authority Chain.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At its core an X.509 certificate is a digital document that has been encoded and\/or digitally signed according to RFC 5280. In fact, the term X.509 certificate usually refers to the IETF\u2019s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[56],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1299"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1299"}],"version-history":[{"count":11,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1299\/revisions"}],"predecessor-version":[{"id":2019,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1299\/revisions\/2019"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1299"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}