According to the answer to this Server Fault question, almost all certificate file formats can contain a private key alongside the public key, so how can I identify whether a certificate file contains a private key?
This is important because I do not want to unknowingly send the private key to a remote client.
Following the structure of the link:
.csr: Only public keys, in PEM or DER format
.pem: keys and/or certificates. Look for -----BEGIN PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----
.key: keys in PEM format
.pkcs12 .pfx .p12: keys and/or certificates. List keys with openssl pkcs12 -info -nocerts -in keystore.p12
.jks: keys and/or certificates. Java-specific format.
.der: PEM content without base64 encoding. Look for KEY in openssl x509 -inform DER -in cert.der
.cert .cer .crt: keys and/or certificates. Content can be PEM or DER
.p7b: Only certificates
.crl: No keys
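The check the list above describes (PEM labels for text files, the outer ASN.1 shape for DER files) as an added example; this is not code from the question or from OpenSSL. It classifies a file's raw bytes as "private-key", "no-private-key" or "unknown", so a bundle.pem that carries a key is caught before it is sent anywhere; all sample inputs are constructed, not real keys or certificates.

```python
import re

# A PEM file is one or more "-----BEGIN label-----" blocks; the label says what is inside.
PEM_BLOCK = re.compile(rb"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, off):
    """Read one DER tag/length header at off; return (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def classify_der(buf):
    """Guess from the shape of the outer SEQUENCE whether a DER blob is private key material."""
    try:
        tag, off, end = _tlv(buf, 0)
        if tag != 0x30:
            return "unknown"
        tags = []
        while off < end and len(tags) < 3:    # tags of the first three children
            t, _, off = _tlv(buf, off)
            tags.append(t)
    except IndexError:
        return "unknown"                      # truncated, or not DER at all
    if tags[:1] == [0x30]:
        return "no-private-key"   # Certificate, CSR and CRL all start with a nested SEQUENCE (tbs...)
    if tags[:2] == [0x02, 0x02]:
        return "private-key"      # PKCS#1 RSAPrivateKey: version INTEGER, modulus INTEGER, ...
    if tags[:3] == [0x02, 0x30, 0x04]:
        return "private-key"      # PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING
    return "unknown"              # e.g. PKCS#12: list its keys with openssl pkcs12 -info -nocerts

def inspect_blob(data):
    """Return (verdict, details) for the raw bytes of a .pem/.crt/.cer/.der/.key file."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _body in blocks]
        has_key = any("PRIVATE KEY" in lbl for lbl in labels)   # also ENCRYPTED/RSA/EC PRIVATE KEY
        return ("private-key" if has_key else "no-private-key", labels)
    if data[:1] == b"\x30":
        return (classify_der(data), ["DER"])
    return ("unknown", [])

# Constructed samples (not real keys): a key+cert bundle and hand-built DER skeletons.
SAMPLE_BUNDLE = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
                 b"-----BEGIN CERTIFICATE-----\nMIIFSDCCBDCg\n-----END CERTIFICATE-----\n")
def _der(tag, content):                    # short-form encoder, enough for the tiny samples
    return bytes([tag, len(content)]) + content
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
SAMPLE_RSA_DER = _der(0x30, _der(2, b"\x00") + _der(2, b"\x05") + _der(2, b"\x03"))
SAMPLE_PKCS8_DER = _der(0x30, _der(2, b"\x00") + _der(0x30, _der(6, RSA_OID) + _der(5, b"")) + _der(4, b"\x00"))
SAMPLE_CERT_DER = _der(0x30, _der(0x30, b"") + _der(0x30, b"") + _der(3, b"\x00"))
```

An "unknown" verdict (a PKCS#12 container, or a format this heuristic does not recognise) is a reason to inspect the file with the openssl commands listed above, not a reason to assume it is safe to send.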
Is it possible to recover a certificate thumbprint (sha1 fingerprint) only from the private key, such that it matches the original certificate thumbprint?
I cannot find any information about how thumbprints are generated.
Private key material:
I have a .PFX file with a single certificate and its private key. From the .PFX I export only the private key:
openssl rsa -inform p12 -in cert.pfx -outform der -out cert.key.der
It is not possible to get a certificate fingerprint from the private key only. The private key matches only the public key in the certificate. There can actually be multiple certificates using the same public and private key, all having different certificate fingerprints. This is not uncommon - certificate renewals often use the same key pair as the previous (expired) certificate.
What would be possible is to get the public key fingerprint, but not the certificate fingerprint.
I have converted a CER/DER certificate with something like this:
openssl x509 -inform der -in hostname.cer -out hostname.pem
The resulting PEM file contains just:
-----BEGIN CERTIFICATE-----
... contents here..
-----END CERTIFICATE-----
But it does not contain the key part, is that normal? So I cannot use it in PHP/SOAPClient because it won't connect to the host.
On the other hand, I have successfully converted PFX/P12 format to PEM and the resulting file contains both certificate and key. But in the above case of the DER format certificate it doesn't.
What I used to convert the PFX to PEM was:
openssl pkcs12 -in ALEXANDRU_CATALIN.pfx -clcerts -nokeys -out ALEXANDRU_CATALIN_mycert.pem
openssl pkcs12 -in ALEXANDRU_CATALIN.pfx -nocerts -nodes -out ALEXANDRU_CATALIN_mykey.pem
And then join the contents of both files into one called bundle.pem. This worked; I ended up with a file with both certificate and key and it connects via SOAP to the API, but as I say the DER to PEM conversion doesn't give me a certificate that will work.
Any ideas on this? Am I missing something? Is the DER format not containing the key? Do I need something else?
A DER certificate file won't contain the private key. So there's no private key to convert. Only a PFX or a "multi-PEM" can contain both a certificate and a private key.
By default the public key is not converted.
BUT you can export it by adding the argument -pubkey
openssl x509 -inform der -in hostname.cer -out hostname.pem -pubkey
will give you a PEM file like the following:
-----BEGIN PUBLIC KEY-----
{...}
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
{...}
-----END CERTIFICATE-----
Reference: X509 documentation
I'm having .crt and .pem file with
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
and I want RSA key from this file.
Does anyone have any idea how we can do that?
I have used the below commands one by one:
openssl rsa -in XXX.crt -out input1.der -outform DER
openssl rsa -in input1.der -inform DER -out key.pem -outform PEM
But it gives an error:
unable to load Private Key 140331982231200:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY
PRIVATE KEY
I have also used different commands, but they give the above error.
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
This is a certificate in PEM format, which is a wrapper over a public key. A certificate is supposed to be public and can be distributed, but a private key (as the name suggests) is supposed to be kept secret. So a certificate can never contain a private key.
You mentioned you have a .pem file too. What is its content? Does it start with -----BEGIN RSA PRIVATE KEY-----? If yes, it would be your private key.
The command you are trying:
openssl rsa
It expects a private key as input, but you are supplying it a certificate. Hence the error.
You can't get a private key from a certificate, because the private key isn't in the certificate, and you can't get it from a PEM file unless the PEM file contains it, which ain't necessarily so.
I have two files. One is 5474dd9b93888948.crt and another is gd_bundle-g2-g1.crt.
I have to convert these two files into a 'PEM encoded X.509 certificate' and an 'Unencrypted PEM encoded RSA private key'.
Can anyone tell me the openssl commands for it?
File names like foo.crt do not say anything about the file format used. Look at the files' content. If it looks binary they are probably DER encoded and you have to specify the -inform der option with the openssl tools (e.g. openssl x509 -inform der -in file.crt to convert the certificate to PEM, same for the rsa command). If they contain text starting with something like -----BEGIN CERTIFICATE----- they are already PEM encoded.
I have a JKS keystore in client application and I have been given one PEM file containing both private key and certificate to use for SOAP signature. PEM file looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
First question: how do I correctly import this PEM into the JKS?
Second question: given that the private key isn't password protected, is it possible to add a password to it before importing it into the JKS keystore?
Thanks!
If you prefer a GUI solution I would take Portecle. This simple key store management tool allows you to create a JKS and then import the cert and private key.
I am not sure if you can import the cert and key from the same combined PEM file as you have it, but maybe the "Import Key pair" command of Portecle works with such a file.
If not you can simply split the PEM file directly after the -----END RSA PRIVATE KEY----- line into two PEM files and import them separately.
After importing, when you save the JKS Portecle will ask you for a password.