# SSL Certificate

## What is an SSL Certificate?
An SSL Certificate is essentially an X.509 certificate. X.509 is a standard that defines the structure of the certificate. It defines the data fields that should be included in the SSL certificate. X.509 uses a formal language called Abstract Syntax Notation One (ASN.1) to express the certificate’s data structure.
There are different formats of X.509 certificates such as PEM, DER, PKCS#7 and PKCS#12. PEM and PKCS#7 formats use Base64 ASCII encoding while DER and PKCS#12 use binary encoding. The certificate files have different extensions based on the format and encoding they use.
The X.509 Certificate’s encoding formats and file extensions
![](https://taogenjia.com/img/ssl-certificate/ssl-certificate-format.png)
## Web Servers and SSL certificate formats

- Tomcat: Keystore (.jks) with PKCS#7 (.p7b) Format
- Apache: PEM (.crt + .key)
- Nginx: PEM (.pem + .key)
- IIS: PKCS#12 (.pfx)
- JKS: Java Keystore (.jks)
## Generate a Self-Signed Certificate

### OpenSSL

```shell
# interactive: OpenSSL prompts for a key pass phrase and then for the subject fields
# (commands assembled from the req options listed below; key.pem / cert.pem are placeholder names)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -sha256
# Enter PEM pass phrase:

# non-interactive and 10 years expiration
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -sha256 -nodes \
  -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
```
`openssl req`: PKCS#10 X.509 Certificate Signing Request (CSR) Management.

#### Required options

- `-x509`: Output a x509 structure instead of a cert request (Required by some CA's)
- `-newkey val`: Specify as type:bits (key algorithm and key size). For example, `-newkey rsa:4096`
- `-keyout outfile`: File to send the key to (private key)
- `-out outfile`: Output file (certificate)
- `-days +int`: Number of days cert is valid for
- `-*`: Any supported digest. For example, `-sha256`

#### Optional options

- `-nodes`: Don't encrypt the output key.
- `-subj val`: Set or modify request subject (non-interactive). For example, `-subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"`
## Extract Public Key From SSL Certificate

### OpenSSL

```shell
openssl x509 -pubkey -in cert.pem -noout -out public_key.pem
```

`openssl x509`: X.509 Certificate Data Management.

#### Options

- `-pubkey`: Output the public key
- `-in infile`: Input file - default stdin
- `-out outfile`: Output file - default stdout
- `-noout`: No output, just status. (Don't append certificate to output public key file.)
## Verify public key and private key

Creating a signed digest of a file:

```shell
openssl dgst -sha512 -sign private_key.pem -out digest.sha512 file.txt
```

Verify a signed digest (prints `Verified OK` when the signature matches the file and the public key, `Verification Failure` otherwise):

```shell
openssl dgst -sha512 -verify public_key.pem -signature digest.sha512 file.txt
```
## Convert SSL certificate formats

### OpenSSL

#### OpenSSL Convert PEM

Convert PEM (.pem) to DER (.der):

```shell
openssl x509 -outform der -in certificate.pem -out certificate.der
```

Convert PEM (.cer) to PKCS#7 (.p7b):

```shell
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
```

Convert PEM (.crt) to PKCS#12 (.pfx):

```shell
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
```

#### OpenSSL Convert DER

Convert DER (.cer) to PEM (.pem):

```shell
openssl x509 -inform der -in certificate.cer -out certificate.pem
```

#### OpenSSL Convert P7B

Convert PKCS#7 (.p7b) to PEM (.cer):

```shell
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
```

Convert PKCS#7 (.p7b) to PKCS#12 (.pfx). A PKCS#7 bundle holds certificates only, so first extract them to PEM, then package them together with the matching private key (the second command is the same `openssl pkcs12 -export` step as above):

```shell
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.cer -certfile CACert.cer
```

#### OpenSSL Convert PFX

Convert PKCS#12 (.pfx) to PEM (.cer). Note that `-nodes` writes the private key unencrypted into the output file, so protect that file accordingly:

```shell
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
```
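The PEM/DER distinction from the introduction (Base64 text versus binary, with file extensions such as .cer that do not reliably say which one a file holds) and the PEM/DER conversions in this section, as an added Python example that is not code from the original page: it classifies certificate bytes by content, rejects truncated or padded DER by checking that the outer SEQUENCE length covers the whole buffer, and converts in both directions using only the standard library. The sample inputs are hand-built ASN.1 SEQUENCEs rather than real certificates, and the function names are this example's own.

```python
"""Detect PEM vs DER by content and convert between them (standard library only).

Added example; not code from the original page. The sample inputs are
hand-built ASN.1 SEQUENCEs, not real certificates: a real X.509 certificate
in DER is also a single outer SEQUENCE (tag 0x30), so the same checks apply.
"""
import base64
import re
import ssl

# One PEM block: "-----BEGIN X-----", Base64 body, "-----END X-----" (same label)
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value with the minimal (definite) length form."""
    n = len(content)
    if n < 0x80:                       # short form: a single length byte
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content   # long form: 0x8N + N bytes


def der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, bytes consumed)."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' based on the bytes, not the file extension.

    DER is accepted only if the outer SEQUENCE length covers exactly the rest of
    the buffer, which rejects truncated files and trailing garbage.
    """
    if PEM_BLOCK.search(data):
        return "PEM"
    if len(data) >= 2 and data[0] == 0x30:
        try:
            length, consumed = der_length(data, 1)
        except ValueError:
            return "unknown"
        if 1 + consumed + length == len(data):
            return "DER"
    return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and Base64-decode the body (what -inform pem does)."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)


def der_to_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Wrap DER bytes as PEM: Base64 in 64-column lines between BEGIN/END markers."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b"\n".join(lines), label)


def to_der(data: bytes) -> bytes:
    """Accept either encoding and return DER, validating the decoded PEM body too."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        der = pem_to_der(data)
        if detect_format(der) != "DER":
            raise ValueError("PEM body is not a well-formed DER SEQUENCE")
        return der
    raise ValueError("input is neither PEM nor DER")


def stdlib_cross_check(der: bytes) -> bool:
    """The ssl module ships the same PEM<->DER helpers; confirm they agree with ours."""
    pem = ssl.DER_cert_to_PEM_cert(der)           # str with CERTIFICATE markers
    return ssl.PEM_cert_to_DER_cert(pem) == der and pem_to_der(pem.encode()) == der


# Constructed samples (not certificates): one short-form and one long-form length
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x05") + der_tlv(0x0C, b"example"))
SAMPLE_DER_LONG = der_tlv(0x30, der_tlv(0x04, bytes(200)))   # 206 bytes, 0x81 0xcb length

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem), detect_format(SAMPLE_DER[:-1]))
    print(to_der(pem) == SAMPLE_DER, stdlib_cross_check(SAMPLE_DER_LONG))
```

Run `to_der()` on a file before handing it to anything that expects binary input: a .cer file can hold either encoding, which is why the check reads the bytes rather than the name. For a real certificate the equivalent sanity check on the command line is `openssl x509 -inform der -in file -noout -text`, which fails on a PEM file.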
## Java Keystore

`keytool -genkeypair`: to generate a key pair and a self-signed certificate in a keystore file.

```shell
# Without -keystore the default keystore (~/.keystore) is used; keytool prompts
# for the keystore password and then for the subject fields, starting with:
#   What is your first and last name?
keytool -genkeypair -keysize 1024 -alias herong_key
```

`-keysize 1024` is the value from the referenced tutorial; 1024-bit RSA keys are no longer considered adequate, so use at least 2048 bits for any key you intend to deploy.
### Import

- `-importcert` / `-import`: installing the self-signed certificate on the client (into the client's truststore)
- `-importcert -trustcacerts`: importing a CA-signed certificate; `-trustcacerts` lets keytool complete the chain of trust using the certificates in the `cacerts` truststore
### Export

`-exportcert` / `-export`: to export the certificate in DER format.

```shell
# output file name is a placeholder; the default keystore is used without -keystore
keytool -exportcert -alias herong_key -keypass keypass -file herong.der
```

`-exportcert -rfc`: to export the certificate in PEM format.

```shell
keytool -exportcert -alias herong_key -keypass keypass -rfc -file herong.pem
```
### Copy

Move SSL Certificate to another JKS Keystore. `-importkeystore` with `-srcalias` copies the whole entry, private key included, so the destination file needs the same protection as the source; note that passwords passed on the command line are visible in the process list and shell history:

```
"C:\Program Files\Java\jre7\bin\keytool.exe" -importkeystore -srckeystore "D:\source-keystore.jks" -destkeystore "D:\destination-keystore.jks" -srcstorepass password -deststorepass password -srcalias "www.mysecuresite.com"
```
## References

OpenSSL

- SSL Certificate
- Conversion

Java Keystore

- The keytool Command
- Creating, Exporting, and Importing SSL Certificates
- “keytool” Exporting Certificates in DER and PEM

Nginx

Tomcat