I have the same key saved in two jks and cer file. Am I right that for this two key files serial number and certuficate value will be the same but SHA-1 will differ?
The SHA-1 of the file may be different, but the SHA-1 thumbprint of the certificate itself should be the same.
Related
I want to be able to send certificates in my API requests.
Please see - Add certificate on request with RestSharp
As shown in that post. I need to convert .crt and .key to .pfx , however my current certificates are .pem, so I thought I will need to convert them into .crt and .key first and then use the openssl comand used in that post to convert them into .pfx and then carry on with the rest of the solution.
My certificates are -
CRT file -
C:\Users\JohnSmith\Downloads\certsh\client-crt.pem
Key file -
C:\Users\JohnSmith\Downloads\certsh\client-key.pem
I was able to convert the Key file to a .key , but when trying to convert the CRT file I am getting this error.
unable to load certificate 13668:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: TRUSTED CERTIFICATE error in x509
I am using this command to try and convert the .pem to .crt
x509 -outform der -in client-csr.pem -out client.crt
The extension .pem indicates that the format of the file is PEM (Privacy-Enhanced Mail) (RFC 7468). The content of the file may be a certificate, a private key, a public key, or something else. If you open a PEM file with a text editor, your will see -----BEGIN ?????----- at the top.
The extension .crt implies that the content of the file is a certificate. However, the extension does not tell anything about the file format. The format may be PEM, DER (Distinguished Encoding Rules) (X.690), or something else. If the file contains -----BEGIN CERTIFICATE-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.
The extension .key implies that the content of the file is a private key. However, the extension does not tell anything about the file format. The format may be PEM, DER, or something else. If the file contains -----BEGIN PRIVATE KEY-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.
The string csr, which is a part of the file name client-csr.pem, implies that the content of the file is CSR (Certificate Signing Request). Note that CSR is NOT a certificate. It seems you are trying to convert the file format of client-csr.pem from PEM to DER, but the CSR will never become a certificate by converting the file format. What you should give to the openssl command is not client-csr.pem but client-crt.pem, I think.
Understanding relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468) will improve the quality of your questions and help you avoid wasting time. I hope that diagrams below excerpted from "Illustrated X.509 Certificate" can help you.
I bought a certificate from a CA and I don't know much about certificates. I need a PEM format certificate to use in dovecot. It could be a fool question as I don't know much about certificates. I got three files from the CA : .ca-bundle .crt .p7b I need both public and private keys
You can use this tool or the OpenSSL commands available in the same page to convert the certificate into PEM.
I'm honestly quite surprised about the files you received. Generally, the CAs already sends you the PEM encoded certificates.
The .ca-bundle and .crt are likely to be the intermediate chain and the server certificate. The .p7b is in general a bundle of both intermediate and server into a single file, if that's the case you can ignore it and use the bundle and crt files.
As for the key, you should have it as the key is used to sign the CSR you provided the CA.
You may also want to check your CA documentation to better understand the content of each these files.
Is it possible to install SSL certificate in Centos (6.5) and apache with just a .pem file? I have been told by the client that they do not have a .crt file or a .key file. It is a wildcard certificate that I need to install in one of the subdomain.
Extensions do not matter.
Usually .crt is used for a certificate in PEM format and .key for the matching key. Both are base64 encoded data with a PEM header like "---- BEGIN CERTIFICATE ---" or "----- BEGIN RSA PRIVATE KEY -----".
But you can put both certificate and key together in a single PEM file and use this inside the certificate and key parameters. But, of course, you have to make sure that your *.pem files really contains both certificate and key.
What is a .dat certificate? Is there any difference between a JKS certificate and a .dat certificate? How can I use the .dat certificate to trust the server side? Is it the same to other certificates?
.dat is just a file extension that tells you nothing useful about the format of the file itself.
There are two types of certificate files in common use: PEM and DER. PEM encodes its data in the form of Base-64 encoded text wrapped in human-readable headers. DER encodes its data in raw binary form. Both formats are capable of encoding the same types of data, but while PEM files can store multiple objects (certificate and key, for instance, or an entire certificate trust chain), DER files are limited to one object per file. Additionally, some applications are designed specifically for one or the other.
Open up your file in a text editor. Is it vaguely human-readable? Then it's a PEM file. Is it garbage? Then it's probably DER.
JKS per se isn't a certificate format; it's a storage format for certificates and keys. One .jks file can potentially store many certificates and keys. Java will expect that you import your certificate into a keystore first; then you can load it into a TrustStore or KeyStore depending on what you need.
Bit of a silly question, but:
What kind of file(s) do you get when you buy an SSL certificate from a trusted CA?
Is there a .pfx file?
I'm working on a small tool to manage SSL certificates, but I'm not sure exactly what kind of certificates I'll be dealing with besides the self-signed ones that I create myself.
Thanks!
.pfx file extension is one. The below text from IBM has some indepth information.
Certificate file types
Certificates and keys are stored in several types of files.
Files that store certificates and keys can have the following formats:
.pem
A privacy-enhanced mail file, which has a file extension of .pem, begins and ends with the following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.
.arm
A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.der
A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.pfx (PKCS12)
A PKCS12 file, which has an extension of .pfx, contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate machine. For example, you can create and install a certificate and private key using key management utility, export the certificate and key to a PKCS12 file, then import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file on another machine using the OpenSSL CertTool utility.
The text above is a verbatim copy from IBM Eclipse Help.