Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Certificate Formats - X.509, DER and PEM


(Continued from previous part...)

DER (Distinguished Encoding Rules) Encoding

DER (Distinguished Encoding Rules) is another popular encoding used to store X.509 certificate files. Here is how wikipedia.com describes DER:

DER or Distinguished Encoding Rules is a method for encoding a data object, such as an X.509 certificate, to be digitally signed or to have its signature verified.

The Distinguished Encoding Rules of ASN.1 is an International Standard drawn from the constraints placed on BER encodings by X.509. DER encodings are valid BER encodings. DER is the same thing as BER with all but one sender's options removed. For example, in BER a boolean value of true can be encoded in 255 ways, while in DER there is only one way to encode a boolean value of true.

The full specification of DER is in RFC 1421.

X.509 certificate files encoded in DER are binary files, which cannot be viewed with text editors.

DER encoded certificate files are supported by almost all applications. "OpenSSL" and "keytool" support DER encoded certificate files with no problem. See other sections below for test notes.

"keytool" Exporting Certificates in DER and PEM

My first test was about "keytool" exporting certificates in DER and PEM encodings. This was done as:

  • Using "keytool -genkeypair" to generate a key pair and a self-signed certificate in a keystore file.
  • Using "keytool -exportcert" to export the certificate in DER encoding.
  • Using "keytool -exportcert -rfc" to export the certificate in PEM encoding.

The test session was recorded below:

>keytool -genkeypair -keysize 1024 -alias herong_key 
-keypass keypass -keystore herong.jks -storepass jkspass

What is your first and last name?
  [Unknown]:  Herong Yang
What is the name of your organizational unit?
  [Unknown]:  Herong Unit
What is the name of your organization?
  [Unknown]:  Herong Company
What is the name of your City or Locality?
  [Unknown]:  Herong City
What is the name of your State or Province?
  [Unknown]:  Herong State
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=Herong Yang, OU=Herong Unit, O=Herong Company, L=Herong City,
ST=Herong State, C=CA correct?
  [no]:  yes

>keytool -exportcert -alias herong_key -keypass keypass 
-keystore herong.jks -storepass jkspass -file keytool_crt.der

Certificate stored in file <keytool_crt.der>

>keytool -exportcert -alias herong_key -keypass keypass 
-keystore herong.jks -storepass jkspass -rfc -file keytool_crt.pem

Certificate stored in file <keytool_crt.pem>

Note that the "keytool -exportcert" command applies DER encoding by default. The "-rfc" option changes it to PEM (RFC 1421) encoding.

Now I have one certificate generated by "keytool" and stored in two files with different encodings: keytool_crt.der and keytool_crt.pem. How can I verify that they really use the correct encoding schemes? I used "OpenSSL" to try to view them, as described in the next section.

"OpenSSL" Verifying "keytool" Certificates

One way to verify whether "keytool" exported my certificate using DER and PEM encoding correctly is to use "OpenSSL" to view the encoded certificate files. To do this, I used the "openssl x509" command to view keytool_crt.der and keytool_crt.pem:

>openssl x509 -in keytool_crt.pem -inform pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1185636568 (0x46ab60d8)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, ...
        ...

>openssl x509 -in keytool_crt.der -inform der -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1185636568 (0x46ab60d8)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, ...
        O=Herong Company, OU=Heron
        ...

What I learned so far:

  • "keytool" can generate self-signed X.509 version 3 certificates.
  • "keytool" can export certificates with DER and PEM encodings.
  • "OpenSSL" can read certificates generated by "keytool" in both DER and PEM encodings.
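As an added example that is not part of the original notes, the script below does the same verification without OpenSSL: it tells DER from PEM by inspecting the first bytes, converts between the two encodings, confirms that a .der and .pem pair carry byte-identical certificate data, and reads the version and serial number (the two values shown in the openssl output) directly from the DER structure. The sample certificate bytes are constructed and cover only the first few fields of a certificate, not a real one; the function names are my own.

```python
import base64
import textwrap

# Constructed sample (not a real certificate): the first fields of an X.509
# Certificate in DER, SEQUENCE { SEQUENCE { [0] { INTEGER 2 } INTEGER serial } },
# using the serial number shown in the openssl output above.
SAMPLE_DER = bytes.fromhex("300d300ba003020102020446ab60d8")

def detect_encoding(data: bytes) -> str:
    """A DER certificate starts with the SEQUENCE tag 0x30; PEM is text with a BEGIN line."""
    if data.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"

def der_to_pem(der: bytes) -> str:
    """PEM is the DER bytes, Base64-encoded in 64-column lines, between BEGIN/END markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the markers and Base64-decode; the result must be the original DER bytes."""
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def same_certificate(der: bytes, pem: str) -> bool:
    """A .der and .pem export hold one certificate only if the decoded DER bytes match exactly."""
    return pem_to_der(pem) == der

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos], handling long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def version_and_serial(der: bytes):
    """Walk Certificate -> tbsCertificate -> [0] version (DEFAULT v1, so DER omits it) -> serialNumber."""
    _, cert, _ = read_tlv(der, 0)               # outer SEQUENCE (Certificate)
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    version = 0
    if tag == 0xA0:                             # explicit [0] present: INTEGER 0/1/2
        version = int.from_bytes(read_tlv(val, 0)[1], "big")
        _, val, pos = read_tlv(tbs, pos)        # next field is serialNumber
    return version + 1, int.from_bytes(val, "big", signed=True)
```

On the files from the session above, `same_certificate(open("keytool_crt.der", "rb").read(), open("keytool_crt.pem").read())` should return True, and `version_and_serial` should give (3, 1185636568), matching the openssl output.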

(Continued on next part...)


Dr. Herong Yang, updated in 2007