How to Validate, Determine and Convert Certificates? (Linux)
This article has not been completed yet. However, it may already contain helpful information, and it has therefore been published at this stage.
PEM
PEM ("Privacy Enhanced Mail") is the common format for X.509 certificates, CSRs ("Certificate Signing Request"), and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). A single PEM file could contain an end-entity certificate, a private key, or multiple certificates forming a complete chain of trust.
PEM Filename Extensions
PEM files are usually seen with the extensions .crt, .pem, .cer, and .key (for private keys).
# You can read the contents of a PEM certificate (<file>.cer) using the
# 'openssl' command on Linux or Windows as follows:
openssl x509 -in <file>.cer -text
DER
DER ("Distinguished Encoding Rules") is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain-text markers such as -----BEGIN CERTIFICATE-----. DER files are most commonly seen in Java contexts.
DER Filename Extensions
DER-encoded files are usually found with the extensions .der and .cer.
# You can't read the contents of a DER certificate (<file>.der) in the
# way described for the PEM certificate. You will get an error if you do so:
openssl x509 -in <file>.der -text
# You have to use the following 'openssl' command (-inform der selects the
# binary input encoding, -noout suppresses re-printing the certificate body):
openssl x509 -inform der -in <file>.der -text -noout
# Note: the .cer extension is used for both encodings. If the PEM command
# fails with "unable to load certificate", retry with -inform der.
P7B
PKCS#7 (also known as P7B) is a container format for digital certificates that is mostly found in Windows and Java server contexts, and usually has the extension .p7b. PKCS#7 files are not used to store private keys. In the example below, you can see that the P7B file contains 3 certificates (in this case a complete chain: the server, intermediate and root certificates).
# You can read the contents of a P7B file (<file>.p7b) using the
# 'openssl' command on Linux or Windows as follows:
openssl pkcs7 -print_certs -in <file>.p7b
PFX
PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually has the filename extension .p12 or .pfx.
# You can read the contents of a PFX File (<file>.pfx) using the
# 'openssl' command on Linux or Windows as follows:
openssl pkcs12 -info -in <file>.pfx
Certificate conversion
# Conversion of PKCS#12 (.pfx, .p12; typically used on Microsoft Windows) files
# with private key and certificate to PEM (typically used on Linux). Note that
# -nodes writes the private key unencrypted into the output file, so that file
# must be protected like the key itself:
openssl pkcs12 -nodes -in <file>.pfx -out <file>.crt
# PKCS#12 key extraction (private key only, no certificates):
openssl pkcs12 -in <file>.pfx -out <file>.key -nodes -nocerts
# Conversion of PEM to PKCS#12:
openssl pkcs12 -export -in <file>.crt -inkey <file>.key -out <file>.pfx
# Conversion of PKCS#7 format (.p7b, .p7c) to PEM:
openssl pkcs7 -print_certs -in <file>.p7b -out <file>.cer
# Conversion of PEM format to PKCS#7:
openssl crl2pkcs7 -nocrl -certfile <file>.crt -out <file>.p7b
# Conversion of DER (.crt, .cer or .der) to PEM:
openssl x509 -inform der -in <file>.der -out <file>.pem
# Conversion of PEM to DER format:
openssl x509 -outform der -in <file>.pem -out <file>.cer
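Added example, not part of the original article: a small Python script, using only the standard library, that decides which of the containers described above (PEM, DER X.509, PKCS#7, PKCS#12) a file uses by looking at its bytes, suggests the matching openssl command, and carries out the PEM/DER certificate conversion without openssl (the same re-encoding that `openssl x509 -inform der` / `-outform der` performs). The sample blobs at the end are constructed ASN.1 skeletons with the correct outer structure of an X.509 v3 certificate, a PKCS#7 SignedData and a PKCS#12 PFX; they are not real signed certificates. All function and constant names are my own.

```python
"""Sniff certificate container formats and convert PEM <-> DER (stdlib only).
Added example for this article; the samples at the bottom are constructed."""
import base64
import re
import sys
import textwrap

# DER-encoded OID values (contents octets only) that identify the containers.
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1 (data)
OID_PKCS7_SIGNED = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of data")
    return tag, pos, pos + length


def classify_der(der):
    """Return 'x509', 'pkcs7', 'pkcs12' or 'unknown' from the outer ASN.1 structure."""
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):  # every container is one outer SEQUENCE
            return "unknown"
        t1, s1, e1 = read_tlv(der, start)   # first element inside it
        # PKCS#7 ContentInfo: SEQUENCE { OID contentType, [0] content }
        if t1 == 0x06 and der[s1:e1] == OID_PKCS7_SIGNED:
            return "pkcs7"
        # PKCS#12 PFX: SEQUENCE { INTEGER version = 3, ContentInfo authSafe, ... }
        if t1 == 0x02 and der[s1:e1] == b"\x03":
            t2, s2, _ = read_tlv(der, e1)
            t3, s3, e3 = read_tlv(der, s2)
            if t2 == 0x30 and t3 == 0x06 and der[s3:e3] in (OID_PKCS7_DATA, OID_PKCS7_SIGNED):
                return "pkcs12"
        # X.509 v3 Certificate: SEQUENCE { TBSCertificate SEQUENCE { [0] EXPLICIT version ... } ... }
        # (v1 certificates carry no version tag and are reported 'unknown' by this check)
        if t1 == 0x30:
            t2, _, _ = read_tlv(der, s1)
            if t2 == 0xA0:
                return "x509"
    except ValueError:
        pass
    return "unknown"


def inspect(data):
    """Describe a file's bytes: container, the items in it, and the openssl command to read it."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if b"-----BEGIN " in data:
        labels = [label.decode() for label, _ in PEM_BLOCK.findall(data)]
        if "PKCS7" in labels:
            cmd = "openssl pkcs7 -print_certs -in FILE"
        elif "CERTIFICATE" in labels:
            cmd = "openssl x509 -in FILE -text -noout"
        else:
            cmd = "openssl pkey -in FILE -text -noout"
        return {"container": "pem", "items": labels, "openssl": cmd}
    kind = classify_der(data)
    cmd = {"x509": "openssl x509 -inform der -in FILE -text -noout",
           "pkcs7": "openssl pkcs7 -inform der -print_certs -in FILE",
           "pkcs12": "openssl pkcs12 -info -in FILE"}.get(kind, "unknown format")
    return {"container": "der", "items": [kind], "openssl": cmd}


def pem_to_der(pem, label="CERTIFICATE"):
    """Like 'openssl x509 -outform der': first PEM block with the given label -> DER bytes."""
    if isinstance(pem, str):
        pem = pem.encode("ascii")
    for found, body in PEM_BLOCK.findall(pem):
        if found.decode() == label:
            return base64.b64decode(b"".join(body.split()))  # drop line breaks first
    raise ValueError(f"no {label} block in PEM input")


def der_to_pem(der, label="CERTIFICATE"):
    """Like 'openssl x509 -inform der': DER bytes -> PEM text with 64-column Base64 lines."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed skeletons (NOT real certificates): just enough structure for the sniffer.
SAMPLE_X509 = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                            + tlv(0x04, b"\x00" * 200)) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_P7B = tlv(0x30, tlv(0x06, OID_PKCS7_SIGNED) + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x01"))))
SAMPLE_PFX = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, tlv(0x06, OID_PKCS7_DATA) + tlv(0xA0, b"")))
SAMPLE_PEM = der_to_pem(SAMPLE_X509) * 2 + der_to_pem(b"\x30\x00", "PRIVATE KEY")

if __name__ == "__main__":
    # Usage: python3 sniff.py FILE   (with no argument, the constructed samples are shown)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect(fh.read()))
    else:
        for name, blob in [("pem", SAMPLE_PEM), ("x509", SAMPLE_X509),
                           ("p7b", SAMPLE_P7B), ("pfx", SAMPLE_PFX)]:
            print(name, inspect(blob))
```

The classification deliberately checks only the outer ASN.1 shell, so it is a quick way to pick the right openssl command (or to spot a mislabelled .cer) rather than a validator; whether a certificate is well-formed and its chain verifies is still openssl's job.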