PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
https://www.herongyang.com/PKI-Certificate
Copyright © 2024-2026 Herong Yang. All rights reserved.
This tutorial book is a collection of notes and sample code written by the author while he was learning PKI certificate-related technologies. Topics include PKI architecture and CAs (Certificate Authorities); PKI certificate types and DER/PEM file formats; certificate tools: OpenSSL and 'keytool'; certificate stores, PKCS7 and PKCS12 file formats; and the Linux Trust Store. Updated in 2026 (Version v1.13) with minor changes.
Table of Contents
Introduction of PKI (Public Key Infrastructure)
What Is PKI (Public Key Infrastructure)
Usage Examples of Public Key Infrastructure
Most Popular Certificate Authorities
Introduction of PKI Certificate
Usage Types of PKI Certificates
Certificate Data Fields and X.509 Standard
Intermediate CA Certificate Example
End Entity Certificate Example
What Is ASN.1 (Abstract Syntax Notation One)
What Is BER (Basic Encoding Rules)
ASN.1 Type Modifier - Type Tagging
What Is DER (Distinguished Encoding Rules)
PKI Certificate Structure in ASN.1 Notations
PKI Certificate in Base64 Format
PKI Certificate in OpenSSL PEM Format
PKI Certificate File Viewer and Decoder
PKI Certificate File ASN.1 Parser
Certificate Wrapped in PKCS7 Formats
Certificate Wrapped in PKCS12 Formats
Certificate File Format Summary
OpenSSL - Cryptography Toolkit
"openssl genpkey" - Generate Private Key
"openssl genpkey -algorithm RSA" - RSA Private Key
"openssl genpkey -algorithm EC" - EC Private Key
"openssl req" - CSR (Certificate Signing Request)
"openssl req -new" - Generate CSR from Key
"openssl req -newkey ..." - Generate Key and CSR
"openssl req -x509" - Generate Self-Signed Certificate
"openssl x509" - X.509 Certificate Command
"openssl x509 -CA ..." - CA Signing Certificate
"openssl ca" - CA (Certificate Authority) Tool
Java "keytool" Commands and KeyStore Files
"keytool" - Key and Certificate Management Tool
"keytool -genkeypair" - Generate Key with Self-Signed Certificate
"keytool -export/import" - Export and Import Certificates
"keytool -keyclone" - Clone Self-Signed Certificate with New Identity
"keytool -certreq" - Generate CSR (Certificate Signing Request)
"keytool -gencert" - Sign CSR with CA certificate
"keytool -gencert -ext" - Sign CSR with X.509 Extensions
Export Key Pair using "keytool -importkeystore"
What Is Windows Certificate Store
What Is PEM Certificate Bundle
What Is PKCS12 Certificate Bundle
PKCS12 Certificate Bundle File
"openssl pkcs12 -export" - Certificate and Key Bundle
"openssl pkcs12 -export" - Certificate Chain and Key Bundle
"openssl pkcs12 -export" - 3-Level Certificate Chain and Key Bundle
"openssl pkcs12 -export" - Limitations and Errors
"keytool -genkeypair" - Certificate and Key Bundle
"keytool -importcert" - Certificate-Only Bundle
"keytool -storetype pkcs12" - Limitations and Errors
ASN.1 Data Structure of PKCS12 File
"openssl crl2pkcs7 -nocrl" - PKCS7 Certificate File
"openssl crl2pkcs7 -nocrl" - PKCS7 Certificate Chain
ASN.1 Data Structure of PKCS7 File
Linux Trust Store for CA Certificates
Directory and Files of Linux Trust Store
"trust" Command to Manage Linux Trust Store
"trust list" - Search Certificates in Linux Trust Store
"trust extract" - Extract Certificates from Linux Trust Store
"trust dump" - Dump Information from Linux Trust Store
"trust anchor" - Add and Remove Certificates.
ca-certificates - Linux CA Certificate Package
What Is ca-certificates Package
What Is ca-certificates-java Package
What Is ca-certificates-mono Package
"update-ca-certificates" to Add CA Certificate
"update-ca-certificates" to Disable CA Certificate
"update-ca-certificates" vs "trust" on Debian/Ubuntu Computers
update-ca-trust Command on Red Hat Computers
What Is update-ca-trust Command
/etc/pki/ Directory and Symbolic Links
"update-ca-trust" to Add CA Certificate
"update-ca-trust" to Remove CA Certificate
"update-ca-trust" to Distrust CA Certificate
"update-ca-trust" vs "trust" on Red Hat Computers