jks is a keystore format (certificate plus private key) supported by Java's keytool.
pfx is a private key format supported by Microsoft.
cer holds only the public part of the certificate.
If you want to keep a private backup of the certificate, remember to back it up in jks or pfx format; otherwise it cannot be restored.
To put it simply, cer is the address of your mailbox: you can give this address to many people and let them send letters to it.
pfx or jks is the key to your mailbox: anyone who has it can pretend to be you and read the letters, and if you lose it you cannot open the mailbox.
=====================
=====================
https://blog.csdn.net/problem2050/article/details/50528704
Extracting the public key and private key from a PFX file
Method 1:
Start from the original PFX certificate and dump everything it contains into one PEM file:
openssl pkcs12 -in myssl.pfx -nodes -out server.pem
Extract the private key:
openssl rsa -in server.pem -out server.key
Extract the public key (the certificate):
openssl x509 -in server.pem -out server.crt
Method 2:
Extract the key material from the pfx and convert it to key format (pfx files use the PKCS#12 format).
(1) Extract the key pair
openssl pkcs12 -in 1.pfx -nocerts -nodes -out 1.key
// If the pfx certificate is password-protected you will be prompted for the password. If the cer certificate is not installed, the password cannot be verified.
(2) Extract the private key from the key pair
openssl rsa -in 1.key -out 1_pri.key
(3) Extract the public key from the key pair
openssl rsa -in 1.key -pubout -out 1_pub.key
(4) Because the consuming RSA code expects the private key in PKCS#8 format, the extracted private key needs one more conversion:
openssl pkcs8 -topk8 -inform PEM -in 1_pri.key -outform PEM -nocrypt
Copy the key printed in the terminal window and save it as 1_pri_pkcs8.key.
(5) You now have the key pair 1_pri_pkcs8.key and 1_pub.key.
openssl pkcs8 is the private key conversion tool for the PKCS#8 format. It handles private keys in PKCS#8 format: both the unencrypted PrivateKeyInfo form and the EncryptedPrivateKeyInfo form, with the various PKCS#5 (v1.5 and v2.0) and PKCS#12 password-based encryption algorithms.
Usage:
openssl pkcs8 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename]
[-passout arg] [-topk8] [-noiter] [-nocrypt] [-nooct] [-embed] [-nsdb] [-v2 alg] [-v1 alg] [-engine id]
Option description:
-inform PEM|DER: input file format, DER or PEM. DER is the binary ASN.1 DER encoding; PEM, the usual choice, is the base64 encoding of that DER.
-outform DER|PEM: output file format, DER or PEM.
-in filename: input key file, standard input by default. If the key is encrypted you will be prompted for its passphrase.
-passin arg: source of the input file password.
-out filename: output file, standard output by default. If any encryption option is set you will be prompted for a passphrase. The output file name must not be the same as the input file name.
-passout arg: source of the output file password.
-topk8: normally a PKCS#8 private key is expected on input and a traditional-format private key is written out. With this option the direction is reversed: a traditional-format private key is read in and a PKCS#8 file is written out.
-noiter: use an iteration count of 1 when creating the PKCS#8 container.
-nocrypt: PKCS#8 keys generated or read are normally PKCS#8 EncryptedPrivateKeyInfo structures protected with a suitable password-based encryption algorithm. With this option an unencrypted PrivateKeyInfo structure is expected or produced instead. The option does not encrypt the private key at all and should only be used when absolutely necessary; certain software, such as some Java code-signing tools, uses unencrypted private key files.
-nooct: generates RSA private keys in a broken format that some software uses. The private key should be wrapped in an OCTET STRING, but some software simply includes the key structure itself without the surrounding OCTET STRING.
-embed: generates DSA private keys in a broken format in which the DSA parameters are embedded inside the private key structure. In this form the OCTET STRING contains an ASN.1 SEQUENCE of two structures: a SEQUENCE holding the parameters and an ASN.1 INTEGER holding the private key value.
-nsdb: generates DSA private keys in a broken format that is compatible with the Netscape private key database.
-v2 alg: use PKCS#5 v2.0 and specify the encryption algorithm. Normally PKCS#8 private keys are encrypted with pbeWithMD5AndDES-CBC; this uses 56-bit DES, but it was the strongest algorithm supported in PKCS#5 v1.5. With -v2 the PKCS#5 v2.0 algorithms are used, with alg either des3 (168-bit) or rc2 (128-bit); des3 is recommended.
-v1 alg: use a PKCS#5 v1.5 or PKCS#12 algorithm, specified by alg. The usable algorithms are listed below.
-engine id: specifies the hardware engine to use.
NOTES:
The encrypted form of a PEM-encoded PKCS#8 file uses the following header and footer:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
The unencrypted form uses:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Private keys encrypted with the PKCS#5 v2.0 algorithms and high iteration counts are more secure than those encrypted with the traditional SSLeay-compatible formats, so if the additional security matters the keys should be converted.
The default encryption is only 56-bit DES because that is what most PKCS#8 implementations support.
Some software uses the PKCS#12 password-based encryption algorithms with PKCS#8 private keys: these are handled automatically on input, but there is no option to produce them.
It is possible to write an encrypted private key in PKCS#8 format as DER, because the encryption details are contained at the ASN.1 level, whereas the traditional format carries them at the PEM level.
PKCS#5 v1.5 and PKCS#12 algorithms:
Various algorithms can be used with the -v1 option, including PKCS#5 v1.5 and PKCS#12 algorithms. They are described below:
PBE-MD2-DES, PBE-MD5-DES: these algorithms were included in the original PKCS#5 v1.5 specification. They only offer 56 bits of protection, since both use DES.
PBE-SHA1-RC2-64, PBE-MD2-RC2-64, PBE-MD5-RC2-64, PBE-SHA1-DES: these are not mentioned in the original PKCS#5 v1.5 but use the same key derivation algorithm and are supported by some software. They are mentioned in PKCS#5 v2.0. They use either 64-bit RC2 or 56-bit DES.
PBE-SHA1-RC4-128, PBE-SHA1-RC4-40, PBE-SHA1-3DES, PBE-SHA1-2DES, PBE-SHA1-RC2-128, PBE-SHA1-RC2-40: these are the PKCS#12 password-based encryption algorithms; they allow strong encryption such as triple DES or 128-bit RC2 to be used.
Examples:
Convert a traditional-format private key to PKCS#8 using the PKCS#5 v2.0 3DES algorithm:
openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
Convert a private key to PKCS#8 using the PKCS#5 v1.5 compatible DES algorithm:
openssl pkcs8 -in ocspserverkey.pem -topk8 -out ocspkcs8key.pem
Convert a private key to PKCS#8 using the PKCS#12 compatible 3DES algorithm:
openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
Read a DER-encoded unencrypted PKCS#8 private key:
openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
Convert a PKCS#8 private key to a traditional-format private key:
openssl pkcs8 -in pk8.pem -out key.pem
Convert a private key to PKCS#8 stored in plaintext (unencrypted):
openssl pkcs8 -in ocspserverkey.pem -topk8 -nocrypt -out ocspkcs8key.pem
Standards:
Test vectors from this PKCS#5 v2.0 implementation were published using triple DES, DES and RC2 with high iteration counts, and several people confirmed that they could decrypt the resulting private keys.
The format of DSA private keys in PKCS#8 is not well documented: it is hidden away in section 11.9 of PKCS#11 v2.01. OpenSSL's default DSA PKCS#8 private key format complies with that standard.
Bugs:
There should be an option that prints out the encryption algorithm in use and other details such as the iteration count.
PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private key format; for compatibility several of the commands currently use the old format.
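The following shell script, added here and not part of the original post or of the OpenSSL documentation, exercises the two PEM forms described in the NOTES above: it writes one key as unencrypted PKCS#8 and as PKCS#5 v2.0 encrypted PKCS#8 (AES-256-CBC with a raised iteration count instead of the 56-bit DES default), checks the headers, rejects a wrong passphrase and confirms the public key survived. It assumes OpenSSL 1.1.0 or newer on PATH; the passphrase "changeit" and the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): PKCS#8 round trip with
# openssl pkcs8.  Assumes OpenSSL 1.1.0+; "changeit" is a demo passphrase.

pkcs8_roundtrip() {
    work=$(mktemp -d) || return 1
    pass="changeit"                      # constructed demo passphrase
    rc=1
    # 1. A 2048-bit RSA key.  genrsa writes PKCS#1 on 1.1.x and PKCS#8 on
    #    3.x, so take a format-neutral copy of the public key via "pkey".
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null &&
    openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.orig" &&
    # 2. Unencrypted PKCS#8 (-nocrypt): header must read BEGIN PRIVATE KEY.
    openssl pkcs8 -topk8 -nocrypt -in "$work/key.pem" -out "$work/plain.p8" &&
    grep -q -- '-----BEGIN PRIVATE KEY-----' "$work/plain.p8" &&
    # 3. Encrypted PKCS#8 with PKCS#5 v2.0, AES-256-CBC and 100000 PBKDF2
    #    iterations: header must read BEGIN ENCRYPTED PRIVATE KEY.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 100000 -in "$work/key.pem" \
        -passout "pass:$pass" -out "$work/enc.p8" &&
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$work/enc.p8" &&
    # 4. A wrong passphrase must be rejected ...
    ! openssl pkey -in "$work/enc.p8" -passin pass:wrong -pubout \
        -out "$work/pub.bad" 2>/dev/null &&
    # 5. ... and the right one must yield the original public key again.
    openssl pkey -in "$work/enc.p8" -passin "pass:$pass" -pubout \
        -out "$work/pub.enc" &&
    cmp -s "$work/pub.orig" "$work/pub.enc" &&
    rc=0
    rm -rf "$work"
    return $rc
}

pkcs8_roundtrip && echo "PKCS#8 round trip OK"
```

On OpenSSL 1.1.0 and later, openssl pkcs8 without -topk8 writes unencrypted PKCS#8 by default; add -traditional to get the old RSA PRIVATE KEY form that the man-page example above expects.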
=====================
=====================
Creating a pfx certificate file with openssl
https://blog.csdn.net/lixiaowei16/article/details/72639817
1. Generate the key
Enter genrsa -out openssl.key 1024 (the commands below are typed at the openssl prompt; from a normal shell prefix each one with openssl)
to generate the openssl.key file.
openssl.key is the name of the key and 1024 is the key length in bits.
2. Generate the cer certificate
Then enter req -new -x509 -key openssl.key -out openssl.cer -days 3650 -subj /CN=***.website
openssl.key is the key generated in the previous step, openssl.cer is the name of the certificate to generate, 3650 is the number of days until the certificate expires, and the CN value ***.website is your host name or IP address (it must be correct here; otherwise browsers will warn that the site is risky when you visit it later).
This produces the certificate file openssl.cer.
3. Generate the required PFX private key file
Enter pkcs12 -export -out openssl.pfx -inkey openssl.key -in openssl.cer
It will prompt you for a password, which is needed whenever the private key is used (don't forget it).
This produces the private key file openssl.pfx.
4. Generate a crt certificate
If the phone requires a crt certificate, generate one as well:
Enter req -new -x509 -key openssl.key -out openssl.crt -days 3650
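As an added example (not from either linked post), this shell script runs the create-PFX steps above and then the PFX extraction from the first half of the page, ending by checking that the extracted key and certificate share one public key. It assumes OpenSSL 1.1.0 or newer on PATH; the CN example.test, the passphrase "changeit" and the file names are constructed, and the key is 2048 bits rather than the 1024 used above because 1024-bit RSA is no longer considered secure.

```shell
#!/bin/sh
# Added example (not from the original posts): build a PFX, then split it
# back into key and certificate and prove they belong together.
# Assumes OpenSSL 1.1.0+; CN, passphrase and file names are constructed.

pfx_roundtrip() {
    work=$(mktemp -d) || return 1
    pass="changeit"                      # constructed export passphrase
    rc=1
    # 1. Key and self-signed certificate (steps 1 and 2 above, 2048-bit key).
    openssl genrsa -out "$work/openssl.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$work/openssl.key" -out "$work/openssl.cer" \
        -days 3650 -subj /CN=example.test &&
    # 2. Bundle key + certificate into a PFX (step 3), password given
    #    non-interactively instead of at the prompt.
    openssl pkcs12 -export -out "$work/openssl.pfx" -inkey "$work/openssl.key" \
        -in "$work/openssl.cer" -passout "pass:$pass" &&
    # 3. The PFX holds the private key, so a wrong passphrase must fail ...
    ! openssl pkcs12 -in "$work/openssl.pfx" -passin pass:wrong -nokeys \
        -out "$work/none.pem" 2>/dev/null &&
    # 4. ... while the right one splits it into its parts ("method 2"
    #    above, but key and certificate each to their own file).
    openssl pkcs12 -in "$work/openssl.pfx" -passin "pass:$pass" -nocerts \
        -nodes -out "$work/extracted.key" &&
    openssl pkcs12 -in "$work/openssl.pfx" -passin "pass:$pass" -clcerts \
        -nokeys -out "$work/extracted.crt" &&
    # 5. Key and certificate match when they expose the same public key.
    openssl pkey -in "$work/extracted.key" -pubout -out "$work/pub.key" &&
    openssl x509 -in "$work/extracted.crt" -pubkey -noout > "$work/pub.crt" &&
    cmp -s "$work/pub.key" "$work/pub.crt" &&
    rc=0
    rm -rf "$work"
    return $rc
}

pfx_roundtrip && echo "PFX round trip OK"
```

A PFX exported by OpenSSL 3 is protected with AES-256-CBC and PBKDF2 by default; older PFX files that used RC2-40 or 3DES may need the -legacy option to be opened with OpenSSL 3.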