Shulou(Shulou.com)06/01 Report--

All kinds of certificates are stored in different contents (such as whether they contain public / private keys, encrypted storage / single certificate or multiple certificates, etc.), adopt different codes (DER/BASE64), and have different standards (such as PEM/PKCS), so although the X.509 standard provides for certificate content specifications, certificate files are still varied.

In practical applications, certificate format conversion is often required. For example, certificates in PEM format are required when configuring certificate servers in Linux scenarios such as VMware Operation Manager and Identity Manager, but many people only have certificates in CER format. Fortunately, openssl has good support for these different standards and can be used to convert certificates of different formats. This article will take the SSL format conversion in Identity Manager scene as an example to demonstrate.

Certificate export

In this environment, CA certification authorities within the enterprise will issue certificates for them, so the certificate format obtained is Cer or pfx format that is easy for Windows to recognize. First, we export the certificate.

The private key is required for the Identity Manager of this environment, so choose to export the private key

Note: generally speaking, certificates in pem format need to be exported and identified.

When the export private key is checked, only pfx can be selected as the file format

Set password

Select the export path

Export complete

At the same time, we also need to export the certificate of the enterprise's root certificate authority for export.

The root certificate chooses not to export the private key. Note: exporting a certificate from a root certification authority is a very dangerous thing

We choose "base64 Encoding" for certificate format.

Export complete

Now that we have a server certificate and a corresponding root certificate authority certificate, we can convert the certificate format through openssl.

Certificate format conversion

Before installing openssl, install Microsoft Visual C++ 2008 Redistributable Package (x86) on your system. To download the software package, (download address:

Https://www.microsoft.com/en-us/download/confirmation.aspx?id=29)

Download the Shining Light Productions installer for OpenSSL x86 at Shining Light Productions. This is the software developed by OpenSSL Project. Click install when the download is complete, and by default it will be installed in the root directory of disk C.

Enter the bin directory of the installation directory through cmd

First convert pfx format to pem format

And use the following command to convert the certificate exported above to pem format (without private key)

Openssl pkcs12-in c:\ idm.pfx-clcerts-nokeys-out c:\ idm.pem

(the above command is to convert the idm.pfx certificate in pkcs12 format to pem format through openssl, where-nokeys specifies that if you do not need to export the private key, the command needs to specify the specific certificate location according to your own situation)

Then the private key is also converted to pem format by command, and the password is required during the conversion output.

Openssl pkcs12-in c:\ idm.pfx-nocerts-out c:\ idm.key.pem

(- nocerts only converts the private key to control that the certificate is not converted)

Finally, the private key in pem format is converted to rsa by command.

Open the C disk to see that it has generated a certificate in pem format and a private key in pem format

Finally, convert the root certificate to pem format

That is, the process of converting from CER format to PEM is as follows

Openssl.exe x509-in c:\ rootca.cer-out c:\ rootca.pem

Of course, in addition to pfx and the conversion from Cer to pem, openssl also supports many other formats. The basic references are as follows:

PEM--DER/CER (conversion of BASE64--DER coding)

Openssl x509-outform der-in certificate.pem-out certificate.der

EM--P7B (PEM--PKCS#7)

Openssl crl2pkcs7-nocrl-certfile certificate.cer-out certificate.p7b-certfile CACert.cer

PEM--PFX (PEM--PKCS#12)

Openssl pkcs12-export-out certificate.pfx-inkey privateKey.key-in certificate.crt-certfile CACert.crt

PEM--p12 (PEM--PKCS#12)

Openssl pkcs12-export-out Cert.p12-in Cert.pem-inkey key.pem

CER/DER--PEM (coded DER--BASE64)

Openssl x509-inform der-in certificate.cer-out certificate.pem

P7B--PEM (PKCS#7--PEM)

Openssl pkcs7-print_certs-in certificate.p7b-out certificate.cer

P7B--PFX (PKCS#7--PKCS#12)

Openssl pkcs7-print_certs-in certificate.p7b-out certificate.cer

Openssl pkcs12-export-in certificate.cer-inkey privateKey.key-out certificate.pfx-certfile CACert.cer

PFX/p12--PEM (PKCS#12--PEM)

Openssl pkcs12-in certificate.pfx-out certificate.cer

If you do not need to encrypt the private key in pem, you can add the option-nodes;. If you do not need to export the private key, you can add the option-nokeys.

PEM BASE64--X.509 text format

Openssl x509-in Key.pem-text-out Cert.pem

Extract private key (.key) from PFX file

Openssl pkcs12-in mycert.pfx-nocerts-nodes-out mycert.key

PEM--SPC

Openssl crl2pkcs7-nocrl-certfile venus.pem-outform DER-out venus.spc

PEM--PVK (supported by openssl 1.x)

Openssl rsa-in mycert.pem-outform PVK-pvk-strong-out mypvk.pvk

PEM--PVK (for versions prior to openssl 1.x, you can download the PVK converter with the following command)

Pvk-in ca.key-out ca.pvk-nocrypt-topvk

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.