Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

This site Web Google

Certificate Formats - X.509, DER and PEM

Part:   1  2  3 

(Continued from previous part...)

"OpenSSL" Generating Certificates in DER and PEM

After tested how "keytool" can be used to export certificates in DER and PEM encodings, I decided to try with "OpenSSL" to see if it can generate certificates in the same encodings or not. What I did was to:

  • Run "openssl genrsa" to generate a RSA key pair.
  • Run "openssl req -new -x509" to generate a self-signed certificate and stored it in PEM encoding.
  • Run "openssl x509" to convert the certificate from PEM encoding to DER encoding.

The test session was recorded below: 

>openssl genrsa -out herong.key -des 1024

Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........................++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for herong.key: keypass
Verifying - Enter pass phrase for herong.key: keypass

>openssl req -new -x509 -key herong.key -out openssl_crt.pem
-outform pem -config openssl.cnf

Enter pass phrase for herong.key: keypass
You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished 
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:

>openssl x509 -in openssl_crt.pem -inform pem 
-out openssl_crt.der -outform der

Now I got one certificate generated by "OpenSSL" and stored in two encoding files: openssl_crt.der and openssl_crt.pem. How can I verify that they are really using the correct encoding schemas? I used "keytool" to try to import them as described in the next section.

"keytool" Viewing "OpenSSL" Certificates

One way to verify the certificate generated by "OpenSSL" and stored in PEM and DER encodings is to view it with the "keytool -printcert" command: 

>keytool -printcert -file openssl_crt.pem

Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Serial number: 0
Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...
Certificate fingerprints:
         MD5:  BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC
         SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...
         Signature algorithm name: MD5withRSA
         Version: 3

Extensions:
...

>keytool -printcert -file openssl_crt.der

Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Serial number: 0
Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...
Certificate fingerprints:
         MD5:  BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC
         SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...
         Signature algorithm name: MD5withRSA
         Version: 3

Extensions:
...

What I learned so far:

  • "OpenSSL" can generate self-signed X5.09 version 3 certificates.
  • "OpenSSL" can write certificates with DER and PEM encodings.
  • "keytool" can read certificates generated by "OpenSSL" in both DER and PEM encodings.

"keytool" Importing "OpenSSL" Certificates

I also tried to import the certificate generated by "OpenSSL" into "keytoo" keystore files. The "keytool -importcert" command had no trouble reading the certificate in both PEM and DER encodings. My command session is recorded here: 

>keytool -importcert -file openssl_crt.pem
-keystore herong.jks -storepass jkspass 
-alias openssl_crt_pem -keypass keypass

Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, ...
Serial number: 0
Valid from: Sun Apr 1 13:02:22 EDT 2007 until: ...
Certificate fingerprints:
         MD5:  BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:FA:FE:51:A6:EC
         SHA1: F7:C7:2A:57:73:5E:CE:E5:73:09:13:35:FB:91:CF:27:...
         Signature algorithm name: MD5withRSA
         Version: 3

Extensions:
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

>keytool -importcert -file openssl_crt.der
-keystore herong.jks -storepass jkspass 
-alias openssl_crt_der -keypass keypass

Certificate already exists in keystore under alias <openssl_crt_pem>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

>keytool -list -keystore herong.jks -store
pass jkspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

openssl_crt_der, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:...
openssl_crt_pem, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): BF:B8:3A:19:E5:05:CE:CA:8C:F7:05:...
herong_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 5B:44:F1:D7:3D:9F:9E:15:5B:D1:25:...

Wonderful! There was no trouble at for "keytool" to import my self-signed certificate generated by "OpenSSL" into the keystore file.

Conclusion

  • X.509 defines a digital certificate standard.
  • PEM (Privacy Enhanced Mail) is a certificate encoding schema.
  • DER (Distinguished Encoding Rules) is another certificate encoding schema.
  • "keytool" supports both PEM and DER certificate encodings.
  • "OpenSSL" supports both PEM and DER certificate encodings.

Part:   1  2  3 

Dr. Herong Yang, updated in 2007
Cryptography Tutorials - Herong's Tutorial Notes - Certificate Formats - X.509, DER and PEM