Those certificate-related things (SSL, X.509, PEM, DER, CRT, CER, KEY, CSR, P12, etc.)

Before I had any contact with certificates and encryption, all these certificate-related concepts felt really tricky: suddenly there was a pile of new terms that looked like they came from some other field rather than the familiar world of programming. At least that is how it felt to me, and it took me a long time to get to know them. The purpose of this article is to sort these concepts out: to explain what they mean, how they relate to each other, and some basic operations on them.

SSL

SSL - Secure Sockets Layer. Strictly it should now be called "TLS", but out of habit most people still say "SSL". The HTTP protocol does not encrypt its content by default, so the content can be eavesdropped on while in transit; where higher security is required it must be encrypted, and HTTPS is the encrypted HTTP protocol. HTTPS is based on SSL, and the encryption happens at a relatively low layer: whatever your server program did before encryption, it keeps doing after encryption, nothing has to change, so the encryption is transparent to users and developers. More: [Wikipedia]

OpenSSL - Simply put, OpenSSL is an implementation of SSL. SSL itself is only a theory, a specification; the specification is secure and hard to break with the current state of the art, but a particular SSL implementation may have vulnerabilities, the famous one being "Heartbleed". OpenSSL also ships a large set of powerful tools, 90% of which we will never use.

Certificate standard

X.509 - This is a certificate standard; it mainly defines what a certificate should contain. For the details refer to RFC 5280. SSL uses this certificate standard.

Encoding format

The same X.509 certificate may be stored in different encodings; there are two encoding formats.

PEM - Privacy Enhanced Mail. Opened in an editor it is text, starting with "-----BEGIN ..." and ending with "-----END ...", and the content in between is Base64-encoded.
View the information in a PEM certificate: openssl x509 -in certificate.pem -text -noout
Apache and *NIX systems prefer this encoding.

DER - Distinguished Encoding Rules. Opened in an editor it is binary and unreadable.
View the information in a DER certificate: openssl x509 -in certificate.der -inform der -text -noout
Java and Windows servers tend to use this encoding.

The related file extensions

This is a rather confusing area. Although we now know that there are two encodings, PEM and DER, the file extension is not necessarily ".pem" or ".der"; besides those two, the following extensions are common. They may differ in encoding, and they also differ in content, but most of them can be converted between encodings.

CRT - CRT should be "certificate" shortened to three letters; in any case it means certificate. Common on *NIX systems; it may be PEM- or DER-encoded, most often PEM. I believe you already know how to tell the two apart.

CER - Still "certificate", still a certificate. Common on Windows systems; again it may be PEM- or DER-encoded, most often DER.

KEY - Usually used to store a public or private key. It is not an X.509 certificate. The encoding is the same story: probably PEM, possibly DER.
View a KEY file: openssl rsa -in mykey.key -text -noout
If it is DER, by the same logic: openssl rsa -in mykey.key -text -noout -inform der

CSR - Certificate Signing Request. This is not a certificate but the request you submit to a certificate authority to have a certificate issued. Its core content is a public key (plus some other information, of course). When you generate it in order to apply, a private key is generated at the same time, and that private key is yours to keep safe. Friends who have built iOS apps should know this from applying for an Apple Developer certificate.
View it: openssl req -noout -text -in my.csr (if it is DER, add -inform der as usual; I will not write it out here)

PFX / P12 - predecessor of PKCS#12. On *nix servers the CRT and KEY are generally stored separately in different files, but on Windows, IIS stores them together in one PFX file (so this file contains both the certificate and the private key). Isn't that insecure? Not really: a PFX usually has an "extraction password", and whenever you want to read something out of it you are asked for that password. PFX uses DER encoding. How to convert a PFX to PEM?
openssl pkcs12 -in for-iis.pfx -out for-iis.pem -nodes
You will be prompted for the extraction password, and for-iis.pem will then be readable text.
The command to generate a PFX looks like this: openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -out certificate.pfx -certfile CACert.crt

Here CACert.crt is the root certificate of the CA (certificate authority); whether to include it, via the -certfile parameter, is up to you. Seen this way, a PFX is really a certificate and key database.

JKS - Java Key Storage, a Java-specific format that has little to do with OpenSSL. It is managed with the Java tool called "keytool"; a PFX can be converted to JKS, and of course keytool can also generate a JKS directly, but that is out of scope here.

Certificate encoding conversion

PEM to DER: openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM: openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

(Tip: converting KEY files works the same way, just replace x509 with rsa; to convert a CSR, replace x509 with req ...)
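The post says the extension tells you nothing reliable about the encoding and leaves "how to distinguish" to the reader. The following shell script is an added example, not part of the original post: it identifies PEM versus DER from the file content, reads the PEM label to pick the openssl subcommand the post uses for each object (x509, req, rsa), and wraps the two conversion commands above. The "PRIVATE KEY" label and the `pkey` subcommand (PKCS#8 keys, which newer openssl writes by default) are an addition beyond what the post covers; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: tell PEM from DER by content
# rather than by extension, then convert with the matching openssl subcommand.
set -eu

# detect_encoding FILE  -> prints "pem", "der" or "unknown"
detect_encoding() {
    first_byte=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first_byte" = "30" ]; then
        # DER X.509 certificates, CSRs and RSA keys all begin with an
        # ASN.1 SEQUENCE tag (0x30). A heuristic, but good enough here.
        printf 'der\n'
    elif [ "$(head -c 10 "$1")" = "-----BEGIN" ]; then
        printf 'pem\n'
    else
        printf 'unknown\n'
    fi
}

# pem_label FILE -> label of the first PEM block, e.g. CERTIFICATE
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# openssl_subcommand LABEL -> the openssl subcommand that parses this object
openssl_subcommand() {
    case "$1" in
        CERTIFICATE)           printf 'x509\n' ;;
        "CERTIFICATE REQUEST") printf 'req\n' ;;
        "RSA PRIVATE KEY")     printf 'rsa\n' ;;
        "PRIVATE KEY")         printf 'pkey\n' ;;   # PKCS#8 key (assumed addition)
        *)                     return 1 ;;
    esac
}

# pem_to_der IN OUT : the subcommand is inferred from the PEM label
pem_to_der() {
    sub=$(openssl_subcommand "$(pem_label "$1")")
    openssl "$sub" -in "$1" -outform der -out "$2"
}

# der_to_pem IN OUT SUBCOMMAND : DER carries no label, so the caller says
# what the object is (x509, req, rsa or pkey)
der_to_pem() {
    openssl "$3" -in "$1" -inform der -outform pem -out "$2"
}
```

Usage: `detect_encoding some.cer` tells you which `-inform` you need before you run any of the view commands above; `pem_to_der cert.crt cert.der` and `der_to_pem cert.der cert.pem x509` are the two conversions from the post with the subcommand chosen for you.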

Obtaining a certificate

Request a certificate from a certificate authority

This command generates a CSR: openssl req -newkey rsa:2048 -new -nodes -keyout my.key -out my.csr
Submit the CSR to the certificate authority, the authority signs it, and you are done. Keep the CSR: when the certificate issued by the authority expires, you can use the same CSR to apply for a new certificate, and the key stays unchanged.

Or generate a self-signed certificate
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
While generating the certificate you will be asked to fill in a bunch of things; in fact the only one you really need is Common Name, which is usually your server's domain name, such as "yourcompany.com", or your server's IP address. The rest can be left blank.
Do not use a self-signed certificate in a production environment, otherwise browsers will not recognize it, unless it is an enterprise application where you can force users' browsers to accept your self-signed certificate. Getting a certificate from a certificate authority usually costs money, but there are now free ones that only require simple domain validation; if you are interested, look up "WoSign digital certificate".
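The two routes above, plus the PFX packing from the extensions section, as one non-interactive script. This is an added example, not code from the original post: the Common Name is passed with -subj instead of being typed at the prompt, "example.test" and the file names are placeholders, and the key-matches-certificate and trust checks are extra checks a practitioner would run before deploying, not steps the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: obtain a certificate the two
# ways the post describes (CSR for a CA, or self-signed), then check and
# package the result. Names and paths are placeholders for the demo.
set -eu

# make_csr DIR CN : private key + CSR to send to a CA (the first route)
make_csr() {
    openssl req -newkey rsa:2048 -new -nodes -subj "/CN=$2" \
        -keyout "$1/my.key" -out "$1/my.csr" 2>/dev/null
}

# make_selfsigned DIR CN DAYS : key + self-signed certificate (the second route)
make_selfsigned() {
    openssl req -newkey rsa:2048 -new -nodes -x509 -days "$3" -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# csr_subject FILE / cert_subject FILE : print the Subject line, so the
# Common Name can be checked before the CSR goes to the CA or the
# certificate is deployed
csr_subject()  { openssl req  -in "$1" -noout -subject; }
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# key_matches_cert KEY CERT : the post says the key stays the same across
# renewals; this confirms a certificate really belongs to a key by comparing
# the public keys (exit status 0 when they match)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# trusted_by CERT CAFILE : exit status 0 only if CERT chains to CAFILE.
# A self-signed certificate verifies only when it is itself the trust
# anchor, which is why browsers reject it unless you install it.
trusted_by() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# pack_pfx CERT KEY OUT PASSWORD : IIS-style bundle of certificate + private
# key protected by an extraction password (the post's "certificate and key
# database"); the same -export command as in the PFX section, non-interactive
pack_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# unpack_pfx PFX OUT PASSWORD : back to readable PEM (certificate + plain key)
unpack_pfx() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3"
}
```

A typical run is `make_selfsigned . example.test 3650`, then `cert_subject ./cert.pem` and `key_matches_cert ./key.pem ./cert.pem` before handing the pair to a server, and `pack_pfx ./cert.pem ./key.pem ./bundle.pfx 'extraction-password'` when IIS needs it. The unpacked PEM from `unpack_pfx` contains the private key in clear text, so treat it like the KEY file.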


Origin www.cnblogs.com/zy09/p/12343483.html