Certificates and Encodings
Certificates can be encoded as:
- Binary files
- ASCII (base64)files
Common file extensions in use are:
- .DER
- .PEM (Privacy Enhanced Electron Mail)
- .CRT
- .CERT
Note:
There is no real correlation between the file extension and encoding. That means a .crt file can either be a .der encoded file or .pem encoded file.
How do I know if you have a .der or .pem encoded file?
At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.
In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).
X509 File Extensions
The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulate
Encodings (also used as extensions)
.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be I have a DER encoded certificate not I have a DER certificate.
.PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a —– BEGIN … line.
Common Extensions
.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
.CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
.KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
The only time CRT and CER can safely be interchanged is when the encoding type can be identical. (ie PEM encoded CRT = PEM encoded CER)
Common OpenSSL Certificate Manipulations
There are four basic types of certificate manipulations. View, Transform, Combination , and Extraction
View
Even though PEM encoded certificates are ASCII they are not human readable. Here are some commands that will let you output the contents of a certificate in human readable form;
View PEM encoded certificate
Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate below”
unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
View DER encoded Certificate
openssl x509 -in certificate.der -inform der -text -noout
If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
Transform
Transforms can take one type of encoded certificate to another. (ie. PEM To DER conversion)
PEM to DER
openssl x509 -in cert.crt -outform der -out cert.der
DER to PEM
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
Combination
In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example would be to combine both the private key and public key into the same certificate.
The easiest way to combine certs keys and chains is to convert each to a PEM encoded certificate then simple copy the contents of each file into a new file. This is suitable for combining files to use in applications lie Apache.
Extraction
Some certs will come in a combined form. Where one file can contain any one of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.
Root CA Bundle and Hashed Certificates
Certificates can be stored in their own file or together in a single file called a bundle.
How do I make my own bundle file from CRT files?
Answer: You may do this using you favorite text editor or by using the command line.
Example:
# Root CA Certificate - AddTrustExternalCARoot.crt
# Intermediate CA Certificate 1 - ComodoRSAAddTrustCA.crt OR ComodoECCAddTrustCA.crt
# Intermediate CA Certificate 2 - ComodoRSADomain/Organization/ExtendedvalidationSecureServerCA.crt OR ComodoRSAECCDomain/Organization/ExtendedvalidationSecureServerCA.crt
# Intermediate CA Certificate 3 - ComodoSHA256SecureServerCA.crt
# Your SSL Certificate - yourDomain.crt
Note: You will not need your SSL certificate for this exercise.
GUI Text Editor
1. Open All files in a text editor. (Remember, not your domain certificate.)
2. Create a new blank text file.
3. Copy contents of all files in reverse order and paste them into the new file.
Example: Intermediate 3, Intermediate 2, Intermediate 1, Root Certificate.
4. Save newly created file as 'yourDomain.ca-bundle'.
Command Line
Linux or UNIX-like Operating Systems:
cat ComodoRSAAddTrustCA.crt ComodoRSADomain/Organization/ExtendedvalidationSecureServerCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle
Or
cat ComodoSHA256SecureServerCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle
Windows or DOS:
copy ComodoRSAAddTrustCA.crt + ComodoRSADomain/Organization/ExtendedvalidationSecureServerCA.crt + AddTrustExternalCARoot.crt yourDomain.ca-bundle
Or
copy ComodoSHA256SecureServerCA.crt + AddTrustExternalCARoot.crt yourDomain.ca-bundle
Note: yourDomain.ca-bundle is only a place holder file name. You may call it anything you want.
Q&A
Q- What is a trusted store?
A- It is a list of CA certificates that you trust. All web browsers come with a list of trusted CAs.
Q- Can I add my own CA to my browser trusted store?
A- Yes on Windows if you right click on the certificate you should see an install option
Q- What is a self signed certificate?
A- A self signed certificate is a certificate signed by the same entity that the certificate verifies.
It is like you approving your own passport application. see wiki
Q What is a certificate fingerprint?
A- It is a hash of the actual certificate, and can be used to verify the certificate
without the need to have the CA certificate installed.
This is very useful in small devices that don’t have a lot of memory to store CA files.
It is also used when manually verifying a certificate.
Q- What happens if a server certificate gets stolen?
A- It can be revoked. There are a number of ways that a client(browser)
can check if a certificate is revoked see here
http://www.gtopia.org/blog/2010/02/der-vs-crt-vs-cer-vs-pem-certificates/
http://www.steves-internet-guide.com/ssl-certificates-explained/
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1145/1/how-do-i-make-my-own-bundle-file-from-crt-files
