Concepts and primary understanding of digital certificates

Well-organized articles http://www.cnblogs.com/littlehann/p/3738141.htmlConversion

of different certificate formatshttp://blog.csdn.net/adeyi/article/details/8299473Common
digital certificate formatshttp: //laokaddk.blog.51cto.com/368606/430242/The


main file types and protocols of certificates are: PEM, DER, PFX, JKS, KDB, CER, KEY, CSR, CRT, CRL, OCSP, SCEP, etc.

PEM - Openssl uses the PEM (Privacy Enhanced Mail) format to store various information, which is the default information storage method used by openssl. The PEM file in Openssl generally contains the following information:

Content type: Indicates what information content is stored in this file. Its format is "——-BEGIN XXXX ——", which corresponds to the ending "——END XXXX——".
Header information: Indicates that if the data is stored after being processed, the most used encryption information in openssl, such as encryption algorithm and initialization vector iv.
Body: Data encoded in BASE64. Can include all private keys (RSA and DSA), public keys (RSA and DSA), and (x509) certificates. It stores DER formatted data encoded in Base64, surrounded by ascii headers, so it is suitable for text mode transfer between systems.
Certificates stored in PEM format:
—–BEGIN CERTIFICATE––
MIICJjCCAdCgAwIBAgIBITANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCVVMx
.........
1p8h5vkHVbMu1frD1UgGnPlOO / K7Ig / KrsU =
--END CERTIFICATE--
using the private key stored in PEM format:
--BEGIN the RSA key - Your PRIVATE MIICJjCCAdCgAwIBAgIBITANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCVVMx
.........
1p8h5vkHVbMu1frD1UgGnPlOO
/ K7Ig / KrsU =
--END the RSA key - Your PRIVATE
Certificate request files stored in PEM format:
—–BEGIN CERTIFICATE REQUEST—–
MIICJjCCAdCgAwIBAgIBITANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCVVMx
 …
1p8h5vkHVbMu1frD1UgGnPlOO/K7Ig/KrsU=
—–END CERTIFICATE REQUEST—–

DER – Distinguishing encoding rules (DER DER) Certificate. It is the default format for most browsers and is stored in ASN1 DER format. It is headerless - PEM is DER surrounded by text headers.
PFX or P12 – Public Key Cryptography Standard #12 (PKCS#12) can contain all private keys, public keys and certificates. It is stored in a binary format, also known as a PFX file. Usually, the "KEY file + CRT file" format used by Apache/OpenSSL can be merged and converted into a standard PFX file. You can import the PFX file format into Microsoft IIS 5/6, Microsoft ISA, Microsoft Exchange Server and other software. When converting, you need to enter the encryption password of the PFX file.
JKS - Usually, the "KEY file + CRT file" format used by Apache/OpenSSL can be converted into a standard Java Key Store (JKS) file. The JKS file format is widely used in JAVA-based WEB servers, application servers, and middleware. .You can import JKS files into TOMCAT, WEBLOGIC and other software.
KDB - usually can convert the "KEY file + CRT file" format used by Apache/OpenSSL to standard IBM KDB file. The KDB file format is widely used in IBM's WEB server, application server, middleware. You can import the KDB file into IBM HTTP Server, IBM Websphere and other software.
CSR - Certificate Signing Request. Before generating an X509 digital certificate, the user generally submits a certificate application file , and then the CA will issue the certificate. The general process is as follows (the format standard of X509 certificate application is pkcs#10 and rfc2314):

the user generates his own public and private key pair;
constructs his own certificate application file, which conforms to the PKCS#10 standard. It includes user information, public key and some optional attribute information, and signs the content with its own private key; the
user submits the certificate application file to the CA;
The CA verifies the signature, extracts the user information, adds other information (such as the issuer and other information), and issues a digital certificate with the CA's private key;
Note: a digital certificate (such as x. The information carrier for public key binding. A valid digital certificate must not only conform to the X509 format specification, but also must have the signature of the CA. Users not only have their own digital certificate, but also must have the corresponding private key. The main contents of X509v3 digital certificate are: certificate version, certificate serial number, signature algorithm, issuer information, valid time, holder information, public key information, issuer ID, holder ID and extension items.
OCSP - Online Certificate Status Protocol (OCSP, Online Certificate Status Protocol, rfc2560) is used to indicate certificate status in real time. The OCSP client determines the status of a certificate by querying the OCSP service, and can provide the user with the validity information of one or more digital certificates. It establishes a real-time response mechanism, allowing the user to confirm the validity of each certificate in real time. , to solve the security problems caused by CRL. . OCSP can be implemented through the HTTP protocol. rfc2560 defines the message format for OCSP clients and servers.
CER - generally refers to certificates using the DER format.
CRT - Certificate file. Can be in PEM format.
KEY - generally refers to the private key file in PEM format.
CRL - Certificate Revocation List (Certification Revocation List) is a signed data structure that contains a list of revoked certificates. CRL is a form of publication of certificate revocation status. CRL is like a blacklist of credit cards, which is used to announce that certain digital certificates are no longer valid. CRL is an offline certificate status information. It is updated on a certain cycle. CRLs can be divided into full CRLs and incremental CRLs. The complete CRL contains all the revoked certificate information, and the incremental CRL is a series of CRLs to indicate the revoked certificate information. The CRL issued each time is an incremental extension to the previously issued CRL. The basic CRL information includes: the serial number of the revoked certificate, the revocation time, the reason for revocation, the signer, and the CRL signature. CRL-based authentication is a looser form of certificate authentication. A CRL can prove that a certificate revoked in a CRL is invalid. However, it cannot give the status of certificates that are not in the CRL. If strict certification is implemented, it needs to be certified online, that is, OCSP certification. Generally a set of electronic documents signed by CA, including the unique identification (certificate serial number) of the revoked certificate, CRL is used to list expired or revoked digital certificates. It is updated every so often, so the checklist must be downloaded regularly to get the latest information.
SCEP - Simple Certificate Enrollment Protocol. The file-based certificate enrollment method requires copying and pasting text files from your local computer to the Certificate Authority, and from the Certificate Authority to your local computer. SCEP can handle this process automatically but CRLs still need to be manually copied and pasted between the local computer and the CA publishing center.
PKCS7 - Encrypted Message Syntax (pkcs7), a format standard for storing various messages. These messages include: data, signed data, digital envelope, signed digital envelope, digest data and encrypted data.
PKCS12 – pkcs12 (Personal Digital Certificate Standard) is used to store user certificates, crls, user private keys and certificate chains. The private key in pkcs12 is encrypted and stored.