I have the following files:
filename.key (RSA PRIVATE KEY)
filename.pem (CERTIFICATE REQUEST)
certificate.cer (CERTIFICATE)
CertificateChain.p7b
I have received these files from the CA including the certificate chain.
I need to generate 'keystore.p12' to configure SSL for spring boot application with the following information.
server:
port: 443
ssl:
key-store: keystore.p12
key-store-password: <your-password>
keyStoreType: PKCS12
keyAlias: <my alias>
Can anyone please help me to generate the 'keystore.p12'?
File extensions do not actually control the format or contents a file, although usually they should provide at least partial description. Similarly basenames (before the extension) should describe what is in the file, but do not always do so correctly. What matters is what is in the files.
.key is usually used for a lone privatekey, but look at it to make sure, and also to determine what format it is in because there are many. You should never get your privatekey from a CA; it should be generated locally, usually on the machine where it will be used and at least by the 'owner' or admin of that machine. There might be a sort-of exception if you are talking about a CA internal to a company, organization, agency, or office -- in that case the person running the CA may be the same person who is responsible for security on all the machines -- or vice versa, depending on your perspective -- and it may make sense for them to generate both the key and the cert.
.pem is used for lots of things in PEM format, and what the contents of that file is (or are) matters more than the fact of it being PEM. Look at the first line -----BEGIN (somewords)----- and see what the word(s) is(are). That should be followed either immediately or after a few header lines by data in base64 (a solid block of letters, digits, and the special characters + / =), then a matching -----END (somewords)----- line. If the END line is followed by a another similar block, or several, look at all of them.
.cer is commonly used for certificates in either 'DER' (binary) or 'PEM' (as above) format. .p7b is similarly used for 'dummy' PKCS7 messages containing certificates -- especially certificates used in a chain -- in either DER or PEM. More significantly, p7b is sometimes used for the whole chain including the end-entity (server) cert, and sometimes the rest of the chain excluding the EE cert, and it matters which. If you have OpenSSL -- or can get it (e.g. by installing a package, or for Windows I recommend the installer from http://www.slproweb.com/products/Win32OpenSSL.html ) or can move your data to a machine that has it -- then do:
# if the p7b file is in PEM format (you can see ----BEGIN PKCS7----- line)
openssl pkcs7 -in file.p7b -print_certs
# if the p7b file is in DER format (looks like garbage in a text editor or display)
openssl pkcs7 -in file.p7b -inform der -print_certs
# for now look only at the subject= and issuer= lines to see
# for each cert in the file who it is for, and if/how they chain
Then:
if the .key file is a privatekey in one of the PEM formats supported by OpenSSL you can use that; else if .key is a privatekey in some other format, or .pem is or includes a privatekey in some format, you'll need to convert and/or extract it: tell us more about what those files look like.
if the .p7b file is in PEM or DER format, put its expanded output (from above) in a file. If this includes the EE cert skip the next step.
if the .p7b file does not include the EE cert, but the .cer file is that cert, if in PEM format just append it to the file containing the .p7b output; if in DER format convert it with openssl x509 -in file.cer -inform der and append that.
if you now have the privatekey in one of the PEM formats supported by OpenSSL, and the cert chain including the EE cert in PEM format, do
openssl pkcs12 -export -in chain.pem -inkey key.pem -out newfile.p12 [-name x]
# the -name option provides the 'alias' used by Java
# if not specified it defaults to the numeral 1 (one)
I got an email containing a cert, it looked something like:
-----BEGIN CERTIFICATE-----
MIIHE...
-----END CERTIFICATE-----
I copy/pasted that into notepad and saved it as a .cer file.
What I need now is a .pfx file using this cert. From what I gather I need to first convert my .cer to a .pem.
I tried converting my .cer to a .pem but that only gave error:
OpenSSL> x509 -inform der -in
C:\Users\xxx\Desktop\cert.cer -out certificate.pem
unable to load certificate 7320:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1315:
7320:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
asn1 error:.\crypto\asn1\tasn_dec.c:379:Type=X509
I read some answers that also say just changing .cer to .pem is enough, but for me that does not seem to work at all.
Your certificate is already in PEM format. Just rename it from certificate.cer to certificate.pem
I have converted a CER/DER certificate with something like this:
openssl x509 -inform der -in hostname.cer -out hostname.pem
The resulting PEM file contains just:
-----BEGIN CERTIFICATE-----
... contents here..
-----END CERTIFICATE-----
But it does not contain the key part, is that normal? So I cannot use it in PHP/SOAPClient because it won't connect to the host.
On the other hand, I have successfuly converted PFX/P12 format to PEM and the resulting file contains both certificate and key. But in the above case of the DER format certificate it doesn't.
What I used to convert the PFX to PEM was:
openssl pkcs12 -in ALEXANDRU_CATALIN.pfx -clcerts -nokeys -out ALEXANDRU_CATALIN_mycert.pem
openssl pkcs12 -in ALEXANDRU_CATALIN.pfx -nocerts -nodes -out ALEXANDRU_CATALIN_mykey.pem
And then join contents of both files into one called bundle.pem. This worked, I ended with a file with bot certificate and key and it connects vía SOAP to the API but as I say the DER to PEM doesn't give me a certificate that will work.
Any ideas on this? Am I missing something? Is the DER format not containing the key? Do I need something else?
A DER certificate file won't contain the private key. So there's no private key to convert. Only a PFX or a "multi-PEM" can contain both a certificate and a private key.
By default the public key is not converted.
BUT you can export it by adding argument -pubkey
openssl x509 -inform der -in hostname.cer -out hostname.pem -pubkey
will give you a PEM file as following :
-----BEGIN PUBLIC KEY-----
{...}
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
{...}
-----END CERTIFICATE-----
Reference: X509 documentation
According to the answer to this server-fault question almost all certificate file formats can contain private key alongside public key, as such how can I identify whether a certificate contains private key?
This is important because I do not want to unknowingly send the private key to the remote client.
Following the structure of the link:
.csr. Only public keys in pem or der format
.pem. keys and/or certificates. Look for -----BEGIN PRIVATE KEY---- or -----BEGIN RSA PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----
.key keys in pem format
.pkcs12 .pfx .p12 keys and/or certificates. List keys with openssl pkcs12 -info -nocerts -in keystore.p12
.jks keys and/or certificates. Java specific format.
.der pem content without base64 encoding. Look for KEY in openssl x509 -inform DER -in cert.der
.cert .cer .crt keys and/or certificates. Content can be pem or der
.p7b. Only certificates
.crl. No keys
I need to setup an Apache 2 server with SSL.
I have my *.key file, but all the documentation I've found online, *.crt files are specified, and my CA only provided me with a *.cer file.
Are *.cer files the same as *.crt? If not, how can I convert CER to CRT format?
File extensions for cryptographic certificates aren't really as standardized as you'd expect. Windows by default treats double-clicking a .crt file as a request to import the certificate into the Windows Root Certificate store, but treats a .cer file as a request just to view the certificate. So, they're different in the sense that Windows has some inherent different meaning for what happens when you double click each type of file.
But the way that Windows handles them when you double-click them is about the only difference between the two. Both extensions just represent that it contains a public certificate. You can rename a certificate file to use one extension in place of the other in any system or configuration file that I've seen. And on non-Windows platforms (and even on Windows), people aren't particularly careful about which extension they use, and treat them both interchangeably, as there's no difference between them as long as the contents of the file are correct.
Making things more confusing is that there are two standard ways of storing certificate data in a file: One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----". These encode the same data but in different ways. Most systems accept both formats, but, if you need to, you can convert one to the other via openssl or other tools. The encoding within a certificate file is really independent of which extension somebody gave the file.
Basically there are two CER certificate encoding types, DER and Base64. When type DER returns an error loading certificate (asn1 encoding routines), try the PEM and it shall work.
openssl x509 -inform DER -in certificate.cer -out certificate.crt
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
According to documentation mod_ssl:
SSLCertificateFile:
Name: SSLCertificateFile
Description: Server PEM-encoded X.509 certificate file
Certificate file should be PEM-encoded X.509 Certificate file:
openssl x509 -inform DER -in certificate.cer -out certificate.pem
CER is an X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.
It is not the same encoding.
I use command:
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
But CER is an X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.
Because of that, you maybe should use:
openssl x509 -inform DER -in certificate.cer -out certificate.crt
And then to import your certificate:
Copy your CA to dir:
/usr/local/share/ca-certificates/
Use command:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store:
sudo update-ca-certificates
I assume that you have a .cer file containing PKCS#7-encoded certificate data and you want to convert it to PEM-encoded certificate data (typically a .crt or .pem file). For instance, a .cer file containing PKCS#7-encoded data looks like this:
-----BEGIN PKCS7-----
MIIW4gYJKoZIhvcNAQcCoIIW0zCCFs8CAQExADALBgkqhkiG9w0BBwGggha1MIIH
...
POI9n9cd2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G
+bKhADEA
-----END PKCS7-----
PEM certificate data looks like this:
-----BEGIN CERTIFICATE-----
MIIHNjCCBh6gAwIBAgIQAlBxtqKazsxUSR9QdWWxaDANBgkqhkiG9w0BAQUFADBm
...
nv72c/OV4nlyrvBLPoaS5JFUJvFUG8RfAEY=
-----END CERTIFICATE-----
There is an OpenSSL command that will convert .cer files (with PKCS#7 data) to the PEM data you may be expecting to encounter (the BEGIN CERTIFICATE block in the example above). You can coerce PKCS#7 data into PEM format by this command on a file we'll call certfile.cer:
openssl pkcs7 -text -in certfile.cer -print_certs -outform PEM -out certfile.pem
Note that a .cer or .pem file might contain one or more certificates (possibly the entire certificate chain).
The answer to the question how to convert a .cer file into a .crt file (they are encoded differently!) is:
openssl pkcs7 -print_certs -in certificate.cer -out certificate.crt
If your cer file has binary format you must convert it by
openssl x509 -inform DER -in YOUR_CERTIFICATE.cer -out YOUR_CERTIFICATE.crt
The .cer and .crt file should be interchangable as far as importing them into a keystore.
Take a look at the contents of the .cer file. Erase anything before the -----BEGIN CERTIFICATE----- line and after the -----END CERTIFICATE----- line. You'll be left with the BEGIN/END lines with a bunch of Base64-encoded stuff between them.
-----BEGIN CERTIFICATE-----
MIIDQTCCAqqgAwIBAgIJALQea21f1bVjMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
...
pfDACIDHTrwCk5OefMwArfEkSBo/
-----END CERTIFICATE-----
Then just import it into your keyfile using keytool.
keytool -import -alias myalias -keystore my.keystore -trustcacerts -file mycert.cer
Here is one case that worked for me if we need to convert .cer to .crt, though both of them are contextually same
Generate crt file:
openssl pkcs12 -in identity.p12 -nokeys -out mycertificate.crt
Generate key file:
openssl pkcs12 -in identity.p12 -out mycertificate.key -nodes -nocerts
where we should have a valid private key (identity.p12) PKCS 12 format, this one i generated from keystore (.jks file) provided by CA (Certification Authority) who created my certificate.
Just do
openssl x509 -req -days 365 -in server.cer -signkey server.key -out server.crt