PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
PKI Certificate in OpenSSL PEM Format
This section describes the PEM (Privacy Enhanced Mail) file format to store PKI certificates.
In order to improve security management, the OpenSSL toolkit introduces a variant of the PEM format with extra trust attributes, called "Trusted Uses" and "Rejected Uses", for controlling how the certificate may be used.
You can use the "openssl x509 -addtrust ... -addreject ..." command to manage those trust attributes with 4 possible values: clientAuth, serverAuth, emailProtection, and anyExtendedKeyUsage.
The following example adds a trusted usage and a rejected usage, using the same certificate as the previous tutorial.
herong$ openssl x509 -addtrust serverAuth -addreject clientAuth \
  -in ISRG-Root-X2.pem -out ISRG-Root-X2-trust.pem

herong$ ls -l
-rw-r--r--  1 herong  staff  842 May 11 09:17 ISRG-Root-X2-trust.pem
-rw-r--r--  1 herong  staff  789 May 11 09:03 ISRG-Root-X2.pem
To differentiate it from the standard PEM format, OpenSSL uses new BEGIN/END encapsulation boundaries, as shown below:

herong$ cat ISRG-Root-X2-trust.pem
-----BEGIN TRUSTED CERTIFICATE-----
MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
/q4AaOeMSQ+2b1tbFfLnMBgwCgYIKwYBBQUHAwGgCgYIKwYBBQUHAwI=
-----END TRUSTED CERTIFICATE-----
If you want to remove those trust attributes, you can use the "openssl x509 -clrtrust -clrreject" command.

herong$ openssl x509 -clrtrust -clrreject \
  -in ISRG-Root-X2-trust.pem -out ISRG-Root-X2-trust-clr.pem
Note that if you convert an OpenSSL PEM certificate with trust attributes to DER format, those trust attributes will not be converted; the DER output holds only the certificate itself.

herong$ openssl x509 -in ISRG-Root-X2-trust.pem \
  -outform DER -out ISRG-Root-X2-trust.der

herong$ openssl x509 -in ISRG-Root-X2.pem \
  -outform DER -out ISRG-Root-X2.der

herong$ ls -l *.der
-rw-r--r--  1 herong  staff  543 May 11 09:32 ISRG-Root-X2-trust.der
-rw-r--r--  1 herong  staff  543 May 11 09:33 ISRG-Root-X2.der
Of course, the OpenSSL PEM certificate format can also be used to store multiple certificates in a single file. Each certificate in the file is enclosed by its own pair of BEGIN TRUSTED CERTIFICATE and END TRUSTED CERTIFICATE delimiter lines.
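As an added example (my own code, not part of Herong's tutorial or of OpenSSL), here is a small Python parser that shows what the TRUSTED CERTIFICATE format actually contains: the ordinary certificate DER, followed inside the same base64 body by OpenSSL's trust block (X509_CERT_AUX) listing the trusted and rejected usage OIDs. The trust bytes are what the tail of the listing above decodes to; the certificate itself is replaced by a constructed placeholder SEQUENCE, and the parser handles the long-form DER lengths of a real certificate as well.

```python
import base64

# The 26 bytes that "-addtrust serverAuth -addreject clientAuth" appended after the
# certificate: the tail of the listing's base64 body ("MBgw...AwI=") decodes to this.
TRUST_AUX_DER = base64.b64decode("MBgwCgYIKwYBBQUHAwGgCgYIKwYBBQUHAwI=")
# Constructed stand-in for the 543-byte certificate DER (any DER SEQUENCE will do).
FAKE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 }
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n"
              + base64.b64encode(FAKE_CERT_DER + TRUST_AUX_DER).decode()
              + "\n-----END TRUSTED CERTIFICATE-----\n")
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.4": "emailProtection", "2.5.29.37.0": "anyExtendedKeyUsage"}

def read_tlv(buf, pos):  # -> (tag, content, end) of the DER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf): raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # OBJECT IDENTIFIER content octets -> dotted notation
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def oid_list(content):  # decode a SEQUENCE OF OID, naming the usages OpenSSL knows
    oids, pos = [], 0
    while pos < len(content):
        tag, raw, pos = read_tlv(content, pos)
        if tag != 0x06: raise ValueError("expected OBJECT IDENTIFIER in trust list")
        oids.append(EKU_NAMES.get(decode_oid(raw), decode_oid(raw)))
    return oids

def parse_trusted_pem(pem):  # -> (cert_der, trusted_uses, rejected_uses)
    _, sep, rest = pem.partition("-----BEGIN TRUSTED CERTIFICATE-----")
    if not sep: raise ValueError("no TRUSTED CERTIFICATE block found")
    body = rest.partition("-----END TRUSTED CERTIFICATE-----")[0]
    der = base64.b64decode("".join(body.split()))
    _, _, cert_end = read_tlv(der, 0)        # the certificate is the first SEQUENCE
    aux = read_tlv(der, cert_end)[1] if cert_end < len(der) else b""  # X509_CERT_AUX
    trusted, rejected, pos = [], [], 0
    while pos < len(aux):
        tag, content, pos = read_tlv(aux, pos)
        if tag == 0x30:                      # trust: SEQUENCE OF OID
            trusted = oid_list(content)
        elif tag == 0xA0:                    # reject: [0] IMPLICIT SEQUENCE OF OID
            rejected = oid_list(content)     # alias, keyid, other entries are skipped
    return der[:cert_end], trusted, rejected
```

Because the trust block sits after the certificate's own outer SEQUENCE rather than inside it, a DER export of the certificate cannot carry it, which is why both .der files above have the same size.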