@leommoore
Created November 26, 2012 14:42
OpenSSL Basics

#OpenSSL Basics

##Certificate Types

  • CA Certificate Authority
  • CRL Certificate Revocation List
  • CSR Certificate Signing Request
  • DCA Delegate Certificate Authority
  • DER Data Encryption Standard
  • DES Data Encryption Standard
  • DH Diffie-Hellman
  • DSA Digital Signature Algorithm
  • DSS Digital Signature Standard
  • ICE Interworking Public Key Certification Infrastructure for Europe
  • IDEA International Data Encryption Algorithm
  • MD5 Message Digest #5
  • PEM Privacy Enhanced Mail
  • PGP Pretty Good Privacy
  • PKI Public-Key Infrastructure
  • PKIX Public-Key Infrastructure on X.509 basis
  • RSA Ron Rivest, Fiat Shamir, Leonard Adleman
  • SHA Secure Hash Algorithm
  • S/MIME Secure/Multipurpose Internet Mail Extensions
  • SSL Secure Socket Layer
  • X.509 ITU-T recommendations X.509 (the Directory - Authentication Framework)

#Certificate Types

  • .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.

  • .pem This is the public-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/servercerts. This is also the format used for Certificate Authority certificates (/etc/ssl/certs)

  • .key This is the private-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/private. The permissions on this directory and on the key files are very important, and some programs will refuse to load these certificates if they are set wrong.

  • .pkcs12 .pfx .p12 A passworded container format that contains both public and private certificate pairs. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

  • .der Fills the same function as a .pem file, but a different format. OpenSSL can convert these to .pem. I've only ever run into them in the wild with Novell's eDirectory certificate authority.

  • .cert .cer A .pem file with a different extension. This extension is recognized by Windows Explorer as a certificate, which .pem is not.

  • .crl A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

##How to convert a cert from DER format to PEM format and vice versa?

Resolution: To convert a binary format cert/key (DER) to a PEM format cert/key or vice versa, use the openssl command-line tool (www.openssl.org).

Here are the commands:

  1. To convert a cert from DER format to PEM format: `openssl x509 -in input.cer -inform DER -out output.cer -outform PEM`

  2. To convert a cert from PEM format to DER format: `openssl x509 -in input.cer -inform PEM -out output.cer -outform DER`

  3. To convert a private key from DER format to PEM format: `openssl rsa -in inkey.cer -inform DER -out outkey.cer -outform PEM`

  4. To convert a private key from PEM format to DER format: `openssl rsa -in inkey.cer -inform PEM -out outkey.cer -outform DER`
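
As an added illustration (not part of the original gist), this Python sketch shows what the conversions above do underneath: PEM is the base64 of the DER bytes, wrapped at 64 columns between BEGIN/END lines. It also sniffs which encoding a file uses, so the right `-inform` value can be chosen; the function names and the sample bytes are made up for this example.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_total_length(data: bytes):
    """Length of the outer ASN.1 SEQUENCE (header + content), or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short form: length fits one byte
        return 2 + first
    n = first & 0x7F                          # long form: next n bytes hold length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' (tells you which -inform to pass)."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if der_total_length(data) == len(data):   # framing must cover the whole file
        return "DER"
    return "unknown"

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64-encode DER, wrap at 64 columns, add BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")

def pem_to_der(pem: bytes):
    """Decode every block in a PEM file; a chain file holds several."""
    return [(m.group(1).decode("ascii"),
             base64.b64decode(b"".join(m.group(2).split()), validate=True))
            for m in PEM_BLOCK.finditer(pem)]

# Constructed sample: a well-framed ASN.1 SEQUENCE holding 256 filler bytes.
# It is NOT a real certificate; the armor logic does not look at the content.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem))
    print(pem.decode("ascii"))
    assert pem_to_der(pem) == [("CERTIFICATE", SAMPLE_DER)]
```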

#References

http://www.akadia.com/services/ssh_test_certificate.html
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/