I have 4ec7049585ebc7.crt and gd_bundle.crt files. I want to convert it into pem format. I need two files one certificate and key in pem format. what is the openssl command for it.?
Check out Paul Heinlein's OpenSSL Command-Line HOWTO. Its got lots of recipes.
Do you know what format the files are currently in? They are probably already in PEM format. If not, you can simply try -inform ASN1, -inform PEM, etc until you find something that does not error.
More than likely, you are going to have to breakout gd_bundle.crt with a script because its going to be full of PEM encoded certificates concatenated together.
Related
I want to be able to send certificates in my API requests.
Please see - Add certificate on request with RestSharp
As shown in that post. I need to convert .crt and .key to .pfx , however my current certificates are .pem, so I thought I will need to convert them into .crt and .key first and then use the openssl comand used in that post to convert them into .pfx and then carry on with the rest of the solution.
My certificates are -
CRT file -
C:\Users\JohnSmith\Downloads\certsh\client-crt.pem
Key file -
C:\Users\JohnSmith\Downloads\certsh\client-key.pem
I was able to convert the Key file to a .key , but when trying to convert the CRT file I am getting this error.
unable to load certificate 13668:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: TRUSTED CERTIFICATE error in x509
I am using this command to try and convert the .pem to .crt
x509 -outform der -in client-csr.pem -out client.crt
The extension .pem indicates that the format of the file is PEM (Privacy-Enhanced Mail) (RFC 7468). The content of the file may be a certificate, a private key, a public key, or something else. If you open a PEM file with a text editor, your will see -----BEGIN ?????----- at the top.
The extension .crt implies that the content of the file is a certificate. However, the extension does not tell anything about the file format. The format may be PEM, DER (Distinguished Encoding Rules) (X.690), or something else. If the file contains -----BEGIN CERTIFICATE-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.
The extension .key implies that the content of the file is a private key. However, the extension does not tell anything about the file format. The format may be PEM, DER, or something else. If the file contains -----BEGIN PRIVATE KEY-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.
The string csr, which is a part of the file name client-csr.pem, implies that the content of the file is CSR (Certificate Signing Request). Note that CSR is NOT a certificate. It seems you are trying to convert the file format of client-csr.pem from PEM to DER, but the CSR will never become a certificate by converting the file format. What you should give to the openssl command is not client-csr.pem but client-crt.pem, I think.
Understanding relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468) will improve the quality of your questions and help you avoid wasting time. I hope that diagrams below excerpted from "Illustrated X.509 Certificate" can help you.
I have the following files:
filename.key (RSA PRIVATE KEY)
filename.pem (CERTIFICATE REQUEST)
certificate.cer (CERTIFICATE)
CertificateChain.p7b
I have received these files from the CA including the certificate chain.
I need to generate 'keystore.p12' to configure SSL for spring boot application with the following information.
server:
port: 443
ssl:
key-store: keystore.p12
key-store-password: <your-password>
keyStoreType: PKCS12
keyAlias: <my alias>
Can anyone please help me to generate the 'keystore.p12'?
File extensions do not actually control the format or contents a file, although usually they should provide at least partial description. Similarly basenames (before the extension) should describe what is in the file, but do not always do so correctly. What matters is what is in the files.
.key is usually used for a lone privatekey, but look at it to make sure, and also to determine what format it is in because there are many. You should never get your privatekey from a CA; it should be generated locally, usually on the machine where it will be used and at least by the 'owner' or admin of that machine. There might be a sort-of exception if you are talking about a CA internal to a company, organization, agency, or office -- in that case the person running the CA may be the same person who is responsible for security on all the machines -- or vice versa, depending on your perspective -- and it may make sense for them to generate both the key and the cert.
.pem is used for lots of things in PEM format, and what the contents of that file is (or are) matters more than the fact of it being PEM. Look at the first line -----BEGIN (somewords)----- and see what the word(s) is(are). That should be followed either immediately or after a few header lines by data in base64 (a solid block of letters, digits, and the special characters + / =), then a matching -----END (somewords)----- line. If the END line is followed by a another similar block, or several, look at all of them.
.cer is commonly used for certificates in either 'DER' (binary) or 'PEM' (as above) format. .p7b is similarly used for 'dummy' PKCS7 messages containing certificates -- especially certificates used in a chain -- in either DER or PEM. More significantly, p7b is sometimes used for the whole chain including the end-entity (server) cert, and sometimes the rest of the chain excluding the EE cert, and it matters which. If you have OpenSSL -- or can get it (e.g. by installing a package, or for Windows I recommend the installer from http://www.slproweb.com/products/Win32OpenSSL.html ) or can move your data to a machine that has it -- then do:
# if the p7b file is in PEM format (you can see ----BEGIN PKCS7----- line)
openssl pkcs7 -in file.p7b -print_certs
# if the p7b file is in DER format (looks like garbage in a text editor or display)
openssl pkcs7 -in file.p7b -inform der -print_certs
# for now look only at the subject= and issuer= lines to see
# for each cert in the file who it is for, and if/how they chain
Then:
if the .key file is a privatekey in one of the PEM formats supported by OpenSSL you can use that; else if .key is a privatekey in some other format, or .pem is or includes a privatekey in some format, you'll need to convert and/or extract it: tell us more about what those files look like.
if the .p7b file is in PEM or DER format, put its expanded output (from above) in a file. If this includes the EE cert skip the next step.
if the .p7b file does not include the EE cert, but the .cer file is that cert, if in PEM format just append it to the file containing the .p7b output; if in DER format convert it with openssl x509 -in file.cer -inform der and append that.
if you now have the privatekey in one of the PEM formats supported by OpenSSL, and the cert chain including the EE cert in PEM format, do
openssl pkcs12 -export -in chain.pem -inkey key.pem -out newfile.p12 [-name x]
# the -name option provides the 'alias' used by Java
# if not specified it defaults to the numeral 1 (one)
This question already has answers here:
How to get .pem file from .key and .crt files?
(12 answers)
Closed 4 years ago.
I downloaded the files from a ssl purchase and got from it the following files:
ServerCertificate.cer
CACertificate-ROOT-2.cer
CACertificate-INTERMEDIATE-1.cer
PKCS7.p7b
A client requires 2 crt.pem files. One of which needs to come from the ServerCertificate.cer and another from a so called PFC file that should of been provided. Which is aparently a combination of the certificate and the key.
I have tried using:
openssl x509 -inform der -in certificate.cer -out certificate.pem to convert the first file however I get a "Unable to load certificate" error.
What am I doing wrong?
PS Please dont link me to https://www.sslshopper.com/ssl-converter.html, as this isn't working either.
If by PFC you actually mean PFX, then you can convert p7b to pfx (PKCS#7 to PKCS#12) using openssl.
ServerCertificate.cer is most likely PEM. Follow Steffen's comment:
Extensions do not matter. It is likely that your *.cer files are already in PEM format and you just have to rename these if you want a file name of *.pem but not convert. Look at the contents with some editor: if it is binary it is likely DER encoded, if it starts with something like -----BEGIN CERTIFICATE----- it is PEM encoded.
If it is not PEM, then it is binary and openssl can convert it to PEM.
Normally you need two files: the private key (ServerCertificate.key) and the certificate (ServerCertificate.cer). Sometime you also need the root and intermediate certificates depending on who issued your certificate (you don't say).
None of the file that you listed is the private key. This was created as the first step to create the CSR (certificate signing request) that you sent to the ssl vendor. PFX has the option to include the private key in its file format.
If you created the CSR on Windows (IIS) then you don't send anything to the customer, you complete the CSR on the computer that created the CSR. Then you can export the certificate package.
I am config the ssl using Mechanize, according the document I need to set the
agent.cert = 'example.cer'
agent.key='example.cer'
but how can I get these two file? I also find that ssl file has a lot of types, such as .cer .pem .crt .key, what is the relationship between them?
Let's start from PEM files, which are your digital certificates written in form encoded in only basic ASCII characters, they can be easily copy&pasted, e-mailed, printed. More about them:
Working with PEM files
How to get an OpenSSL .pem file from .key and .crt files?
The file with .crt extension is PEM or DER, which is just binary encoded certificate. This extension is recognized by Windows, while PEM or DER aren't.
The file with .key extension is just your private key. It's stored in separate file. Format not standardized.
You will find more information about all these formats in the answer on serverfault: What is a PEM file and how does it differ from other OpenSSL generated key file formats?
Hi I am a little new to all this openSSL and PEM stuf, so I thought I would ask you people here. I have a certificate in text(X509) format like this for example
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"
Validity:
Not Before: Fri Dec 18 00:00:00 2009
Not After : Sun Dec 18 23:59:59 2011
Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ
ia,C=US"
............................................
............................................
How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.
Regards
Hari
If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).
You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of openssl x509 -text or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.
Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.
On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.
In the general case, I'd say doing this successfully is unlikely.
EDIT: Considering what you said, you seem to be using LibNSS's certutil:
Try:
certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM
I am not sure what you are presenting in your post.
This seems the visualization of an existing certificate.
Are you viewing it via windows? I.e. opening a .der or .cer file?
If this is the case if you go in the details tab, press copy to file and save it as pem.
If you need to save it that format that is.