Bit of a silly question, but:
What kind of file(s) do you get when you buy an SSL certificate from a trusted CA?
Is there a .pfx file?
I'm working on a small tool to manage SSL certificates, but I'm not sure exactly what kind of certificates I'll be dealing with besides the self-signed ones that I create myself.
Thanks!
The .pfx file extension is one. The text below, from IBM, has some in-depth information.
Certificate file types
Certificates and keys are stored in several types of files.
Files that store certificates and keys can have the following formats:
.pem
A privacy-enhanced mail file, which has a file extension of .pem, begins and ends with the following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.
.arm
A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.der
A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.pfx (PKCS12)
A PKCS12 file, which has an extension of .pfx, contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate machine. For example, you can create and install a certificate and private key using key management utility, export the certificate and key to a PKCS12 file, then import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file on another machine using the OpenSSL CertTool utility.
The text above is a verbatim copy from IBM Eclipse Help.
I have all the required files to import into my Apache Tomcat, that is:
the Certificate Request file (CSR file)
the RSA PRIVATE KEY file
the certificates (root, intermediates and Entity/Domain) that were sent to me by the Certificate Authority.
Now I need to import them into my Apache Tomcat server.
My question is, given that I haven't created any keystore on my server (the CSR and private key were sent to me; I didn't create them with e.g. keytool), what should be the next steps? Do I have to create a new keystore through the keytool -genkey command (which alias)?
And if so, which of the files above should I import? As far as I can see the keytool command doesn't support importing an existing CSR.
The extension .crt is often but not always used for certificates in PEM format. First, set aside the CSR; you won't use it. Look at the contents of the privatekey file and each certificate file; do they each have (usually begin with) a line in the format -----BEGIN {one or more words}----- then several lines of base64 and then a similar END line? If so those are PEM files and the content you need is one privatekey and several certs, exactly as you listed. See also (cross) https://crypto.stackexchange.com/questions/43697/what-is-the-difference-between-pem-csr-key-and-crt and https://security.stackexchange.com/questions/183072/pem-cer-crt-p12-what-is-it-all-about .
As noted in the Q Piotr linked, modern Tomcat (8.5 and up) can directly use PEM files for privatekey and cert(s). Older Tomcats with the 'native' SSL option (aka APR, Apache Portable Runtime, which wraps OpenSSL) also do this.
To use PEM data in older Tomcat using Java SSL (JSSE), or other Java applications, see
Convert a CERT/PEM certificate to a PFX certificate
Importing the private-key/public-certificate pair in the Java KeyStore
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
Converting pem with multiple certificates to java keystore
Converting PEM Certificate for use in JAVA Spring Framework
Converting PEM to PKCS12 and import to Java Keystore
Note PFX is the same thing as PKCS12, and while in olden days it was often necessary to convert to PKCS12 using openssl pkcs12 -export and then to JKS using keytool -importkeystore, Java versions since 2017 should accept PKCS12 as a keystore and in fact j9 up make it the default for newly created keystores.
I need to create a PEM file of a SSL (CA) certificate. Chrome does provide an option to view the certificate and export it as a Base64 encoded X.509 (.CER) file. In addition, the file extension can be changed to .PEM. Does the certificate only contain public information and can it safely be shared with other people (let's say colleagues)?
E.g. Stackoverflow contains a Root CA certificate. If I create the PEM file and share it with somebody, does it even matter or is there any security risk?
Background info: I need to export the SSL certificate (as .PEM) from an API endpoint in order to add it as trusted CA certificate in Postman.
Could someone explain, how are all certificates built?
There are many files that are generated while getting a certificate (.csr .key .cert .pem).
What does each file contain?
From what I already got, the .key file is a file with the private key.
From that .key a .csr is generated, which can be sent to the CA.
However webhosting providers each ask for different set of files (or name it randomly?). How to distinguish which file is which?
For example .pem and .cert files each start with -----BEGIN CERTIFICATE-----, which is confusing (at least for me).
Any kind soul would care to explain how it all works?
PEM is an encoding that is also used as extension. All files that start with -----BEGIN CERTIFICATE----- are PEM encoded. Even the .key. That said, a .pem file could be a key, a certificate, a chain certificate, etc. You should name it well to know what it is.
All .crt and .cert extensions mean the file is a certificate. The Certificate Authority chooses which extension they will send the file with.
The .csr is also PEM encoded, but it is a Certificate Signing Request. It is created when you generate your .key file. With it you can ask a CA to issue a certificate for you.
---Edit---
Based on your comment, you have received three files from letsencrypt: cert.pem, chain.pem and fullchain.pem. You also might have a privkey.pem.
To configure your certificate you can use just the privkey.pem and fullchain.pem, which is just a concatenation of cert.pem and fullchain.pem. You need to set up those files in your web server; each web server is different, so look for their specific instructions.
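As an added example that is not part of this answer or any other on the page, here is a small POSIX shell script that does by hand what the answers above recommend: read each file's BEGIN line to tell a certificate from a private key or CSR, recognise a binary DER file by its first byte (every DER certificate, key or CSR starts with an ASN.1 SEQUENCE tag, 0x30), and assemble a full chain file from a leaf certificate followed by its chain while refusing to include anything that is not a certificate. The PEM bodies are constructed dummies (base64 of a five-byte DER SEQUENCE), not real keys or certificates, and the file names cert.pem, chain.pem, privkey.key and request.csr are assumed.

```shell
#!/bin/sh
# Added example (not from the original answers): classify certificate-related
# files by their PEM labels or DER first byte, and build a fullchain file.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data: base64 of DER bytes 30 03 02 01 01, i.e. a
# SEQUENCE containing INTEGER 1. Not a real key or certificate.
DUMMY_B64="MAMCAQE="
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$DUMMY_B64" > "$WORK/cert.pem"
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$DUMMY_B64" > "$WORK/chain.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n' "$DUMMY_B64" > "$WORK/privkey.key"
printf -- '-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n' "$DUMMY_B64" > "$WORK/request.csr"
printf '\060\003\002\001\001' > "$WORK/cert.der"   # the same DER, unarmoured

# Print the PEM labels in a file, one per line (CERTIFICATE, RSA PRIVATE KEY,
# CERTIFICATE REQUEST, ...). Prints nothing for a file with no PEM blocks.
pem_labels() {
    grep -ao '^-----BEGIN [A-Z0-9 ]*-----' "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# Classify a file: "pem:<labels>" when it holds PEM blocks, "der" when its
# first byte is 0x30 (ASN.1 SEQUENCE), otherwise "unknown".
classify() {
    labels=$(pem_labels "$1" | sort -u | tr '\n' ',' | sed 's/,$//')
    if [ -n "$labels" ]; then
        echo "pem:$labels"
    elif [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo "der"
    else
        echo "unknown"
    fi
}

# Number of PEM blocks in a file (one BEGIN line each).
pem_block_count() {
    grep -ac '^-----BEGIN ' "$1" || true
}

# Concatenate certificate files in the given order (leaf first, then the
# chain) into one file. Every input must consist only of CERTIFICATE blocks,
# so a private key or CSR can never end up in the chain file by accident.
build_fullchain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        total=$(( $(pem_labels "$f" | wc -l) ))
        certs=$(( $(pem_labels "$f" | grep -c '^CERTIFICATE$' || true) ))
        if [ "$total" -eq 0 ] || [ "$certs" -ne "$total" ]; then
            echo "refusing $f: it is not made only of CERTIFICATE blocks" >&2
            rm -f "$out"
            return 1
        fi
        cat "$f" >> "$out"
    done
}

# Demonstration on the constructed files.
for f in cert.pem chain.pem privkey.key request.csr cert.der; do
    printf '%-12s %s\n' "$f" "$(classify "$WORK/$f")"
done
build_fullchain "$WORK/fullchain.pem" "$WORK/cert.pem" "$WORK/chain.pem"
echo "fullchain.pem blocks: $(pem_block_count "$WORK/fullchain.pem")"
```

Run it as `sh classify.sh`; the classification prints one line per file, and fullchain.pem ends up with two blocks. Note that the label only tells you what the block claims to be: a block labelled PRIVATE KEY is the one you must keep out of anything you share or upload, whether the file is called .pem, .key or .crt.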
I bought a certificate from a CA and I don't know much about certificates. I need a PEM format certificate to use in dovecot. It could be a foolish question as I don't know much about certificates. I got three files from the CA: .ca-bundle, .crt, .p7b. I need both public and private keys.
You can use this tool or the OpenSSL commands available in the same page to convert the certificate into PEM.
I'm honestly quite surprised about the files you received. Generally, the CAs already send you the PEM encoded certificates.
The .ca-bundle and .crt are likely to be the intermediate chain and the server certificate. The .p7b is in general a bundle of both intermediate and server into a single file; if that's the case you can ignore it and use the bundle and crt files.
As for the key, you should have it as the key is used to sign the CSR you provided the CA.
You may also want to check your CA documentation to better understand the content of each of these files.
While I know nothing about SSL or installing SSL Certificates, I'm sure one of the many results Google will give me for CentOS, SSL certs and Apache would help.
However, the certificate files which have been provided for this project are a .pfx file, a .cer (the certificate) file and a .txt (apparently a certificate request) file, none of which are mentioned in the articles I'm finding; they all talk of .crt and .key files.
Is there a particular way I should be converting these files, presumably via openssl, into something I can use in Apache?
.pfx files tend to be PKCS#12 files (which will contain the private key, the certificate and possibly the issuer certificate chain). They're sometimes called .p12. OpenSSL can extract the private key and certificate from PKCS#12 files (via its openssl pkcs12 command); you should be able to find documentation to do this, via Google or other questions on SO.
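An added example, not from this answer or from the Tomcat answer above that mentions openssl pkcs12 -export: a POSIX shell script that exercises the conversions discussed on this page with OpenSSL (PEM to DER and back, PEM key plus certificate into a .pfx, and the key and certificate back out of the .pfx) and then proves that every step preserved the same certificate by comparing SHA-256 fingerprints and checking that the extracted key matches the certificate's public key. It generates its own throwaway self-signed key and certificate in a temporary directory, so no real CA files are needed; the subject example.test and the password changeit are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers): round-trip a key and
# certificate through PEM, DER and PKCS#12 with OpenSSL and verify the result.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:changeit   # throwaway password for the demo .pfx (placeholder)

# Generate a self-signed key and certificate in PEM, standing in for the
# privatekey + certificate a CA would return. Placeholder subject.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# PEM <-> DER: DER is the same X.509 structure without the base64 armour,
# and holds exactly one certificate.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# PEM key + certificate -> PKCS#12 (.pfx/.p12), the one format that carries
# the private key together with the certificate(s), hence the password.
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "$PASS"
}

# PKCS#12 -> PEM: certificates only into $2, the unencrypted key into $3.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -out "$2"
    openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes -out "$3"
}

# SHA-256 fingerprint of a PEM certificate (hex with colons).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# A private key belongs to a certificate iff both carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Run every conversion and check that nothing was lost on the way.
run_roundtrip() {
    make_self_signed
    pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
    der_to_pem "$WORK/cert.der" "$WORK/cert_from_der.pem"
    pem_to_pfx "$WORK/key.pem" "$WORK/cert.pem" "$WORK/bundle.pfx"
    pfx_to_pem "$WORK/bundle.pfx" "$WORK/cert_from_pfx.pem" "$WORK/key_from_pfx.pem"
    fp0=$(fingerprint "$WORK/cert.pem")
    [ "$fp0" = "$(fingerprint "$WORK/cert_from_der.pem")" ] || return 1
    [ "$fp0" = "$(fingerprint "$WORK/cert_from_pfx.pem")" ] || return 1
    key_matches_cert "$WORK/key_from_pfx.pem" "$WORK/cert.pem" || return 1
    echo "round-trip OK, certificate fingerprint $fp0"
}

run_roundtrip
```

The .pfx produced here is exactly what the keytool -importkeystore step in the Tomcat answer consumes, and the fingerprint comparison is the check worth keeping around: after any conversion, compare the fingerprint of the output with the one the CA or your browser shows, so a mix-up between files (or an expired certificate bundled by mistake) is caught before it reaches the server.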