Certificate Formats - X.509, DER and PEM
"OpenSSL" Generating Certificates in DER and PEM
After testing how "keytool" can be used to export certificates in DER and PEM encodings,
I decided to try "OpenSSL" to see whether it can generate certificates in the same encodings.
What I did was to:
- Run "openssl genrsa" to generate an RSA key pair.
- Run "openssl req -new -x509" to generate a self-signed certificate and store it in PEM encoding.
- Run "openssl x509" to convert the certificate from PEM encoding to DER encoding.
The test session was recorded below:
>openssl genrsa -out herong.key -des 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........................++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for herong.key: keypass
Verifying - Enter pass phrase for herong.key: keypass
>openssl req -new -x509 -key herong.key -out openssl_crt.pem
-outform pem -config openssl.cnf
Enter pass phrase for herong.key: keypass
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:
>openssl x509 -in openssl_crt.pem -inform pem
-out openssl_crt.der -outform der
Now I have one certificate generated by "OpenSSL" and stored in two files with different encodings: openssl_crt.der and openssl_crt.pem.
How can I verify that they really use the correct encoding schemas?
I used "keytool" to view and import them, as described in the next sections.
"keytool" Viewing "OpenSSL" Certificates
One way to verify the certificate generated by "OpenSSL" and stored in PEM and DER encodings
is to view it with the "keytool -printcert" command:
>keytool -printcert -file openssl_crt.pem
Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Serial number: 0
Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...
Certificate fingerprints:
MD5: BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC
SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...
Signature algorithm name: MD5withRSA
Version: 3
Extensions:
...
>keytool -printcert -file openssl_crt.der
Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Serial number: 0
Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...
Certificate fingerprints:
MD5: BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC
SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...
Signature algorithm name: MD5withRSA
Version: 3
Extensions:
...
What I learned so far:
- "OpenSSL" can generate self-signed X.509 version 3 certificates.
- "OpenSSL" can write certificates with DER and PEM encodings.
- "keytool" can read certificates generated by "OpenSSL" in both DER and PEM encodings.
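To check the two files against each other without "keytool", here is an added Python example (not from the original page): it converts between the two encodings, decodes the outer DER tag and length to confirm the file holds one complete SEQUENCE, and prints the MD5 and SHA1 fingerprints the way "keytool -printcert" does. The certificate bytes are a constructed DER stub standing in for openssl_crt.der, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample, NOT a real certificate: a well-formed outer DER SEQUENCE
# (tag 0x30, length 5) standing in for the bytes of openssl_crt.der.
SAMPLE_DER = b"\x30\x05\x02\x01\x00\x05\x00"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_to_pem(der: bytes) -> str:
    """PEM = base64 of the DER bytes, 64 chars per line, between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Reverse of der_to_pem; rejects a non-CERTIFICATE block or corrupt base64."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_outer_length(data: bytes) -> int:
    """Decode the outermost tag/length and return the total encoded size.
    An X.509 Certificate is a SEQUENCE, so the first byte must be 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length")  # 0x80 (indefinite) is BER, not DER
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def colon_hex(digest: bytes) -> str:
    """Format a digest the way keytool prints fingerprints (BF:B8:3A:...)."""
    return ":".join(f"{b:02X}" for b in digest)

def check_same_certificate(pem: str, der: bytes) -> dict:
    """'same' is True when both files carry one complete DER object; fingerprints
    are hashes of the DER bytes, which is why keytool shows identical values."""
    complete = der_outer_length(der) == len(der)
    return {
        "same": pem_to_der(pem) == der and complete,
        "MD5": colon_hex(hashlib.md5(der).digest()),
        "SHA1": colon_hex(hashlib.sha1(der).digest()),
    }
```

Run it against real files by reading openssl_crt.pem as text and openssl_crt.der as bytes; the fingerprints must match what "keytool -printcert" shows for both files.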
"keytool" Importing "OpenSSL" Certificates
I also tried to import the certificate generated by "OpenSSL" into a "keytool" keystore file.
The "keytool -importcert" command had no trouble reading the certificate in both PEM and DER encodings.
My command session is recorded here:
>keytool -importcert -file openssl_crt.pem
-keystore herong.jks -storepass jkspass
-alias openssl_crt_pem -keypass keypass
Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Serial number: 0
Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...
Certificate fingerprints:
MD5: BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC
SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...
Signature algorithm name: MD5withRSA
Version: 3
Extensions:
...
Trust this certificate? [no]: yes
Certificate was added to keystore
>keytool -importcert -file openssl_crt.der
-keystore herong.jks -storepass jkspass
-alias openssl_crt_der -keypass keypass
Certificate already exists in keystore under alias <openssl_crt_pem>
Do you still want to add it? [no]: yes
Certificate was added to keystore
>keytool -list -keystore herong.jks -storepass jkspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
openssl_crt_der, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:...
openssl_crt_pem, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:...
herong_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 5B:44:F1:D7:3D:9F:9E:15:5B:D1:25:...
Wonderful! There was no trouble at all for "keytool" to import my
self-signed certificate generated by "OpenSSL" into the keystore file.
Conclusion
- X.509 defines a digital certificate standard.
- PEM (Privacy Enhanced Mail) is a certificate encoding schema.
- DER (Distinguished Encoding Rules) is another certificate encoding schema.
- "keytool" supports both PEM and DER certificate encodings.
- "OpenSSL" supports both PEM and DER certificate encodings.