PEM files can contain private keys (RSA and DSA), public keys (RSA and DSA) and (X509) certificates. It is the default format for OpenSSL. The data is stored as Base64-encoded DER, surrounded by ASCII headers, so it is suitable for text-mode transfers between systems.
DER files can contain private keys, public keys and certificates. The data is stored according to the ASN.1 DER encoding. It is headerless: PEM is DER wrapped in text headers. It is the default format for most browsers.
PKCS#12 files, also known as PFX files, can contain private keys, public keys and certificates. The data is stored in a binary format.
See here for more information on the format, and its support in OpenSSL.
Converting between certificate formats is usually very straightforward with the OpenSSL tools. Check the OpenSSL documentation for the specifics, but here is a whistle-stop guide.
openssl pkcs12 -export -in pem-certificate-and-key-file -out pkcs-12-certificate-and-key-file

openssl pkcs12 -export -in pem-certificate-file -inkey pem-key-file -out pkcs-12-certificate-and-key-file

openssl pkcs12 -export -in pem-certificate-file -nokeys -nodes -out pkcs-12-certificate-file

openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file

openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file

openssl dsa -inform PEM|DER -outform DER|PEM -in pem-file|der-file -out der-file|pem-file

openssl rsa -inform PEM|DER -outform DER|PEM -in pem-file|der-file -out der-file|pem-file
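The following script is an added example and is not part of the original guide. It exercises the conversions listed above on a throwaway self-signed certificate and key, round-tripping PEM to PKCS#12 and back, and PEM to DER and back, then checks that the certificate fingerprint and the key modulus are unchanged. It assumes an `openssl` binary on PATH; the file names and the `demo` passphrase are made up for the demonstration, and the `openssl x509 -inform/-outform` calls for the certificate are the certificate counterpart of the `openssl rsa` line above.

```shell
#!/bin/sh
# Added example (not from the original guide): round-trip a certificate and
# key through the PKCS#12 and DER conversions and confirm nothing was lost.
# Assumes a working `openssl` binary on PATH; file names and the passphrase
# are made up for the demonstration.
set -eu

# Create a throwaway self-signed RSA certificate and key in PEM form.
make_test_pair() {                       # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a file ($2 = PEM or DER).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# RSA modulus of the first private key in a file ($2 = PEM or DER).
key_modulus() {
    openssl rsa -in "$1" -inform "$2" -noout -modulus 2>/dev/null
}

# PEM cert + key -> PKCS#12 -> PEM again, plus DER round trips for the
# certificate and the key. Returns 0 only if every converted artefact still
# describes the same certificate and key as the originals.
roundtrip_check() {                      # $1 = work dir
    dir=$1
    make_test_pair "$dir"
    want_cert=$(cert_fingerprint "$dir/cert.pem" PEM)
    want_key=$(key_modulus "$dir/key.pem" PEM)

    # PEM certificate + separate PEM key -> PKCS#12. The passphrase is given
    # inline only so the script runs unattended; interactively openssl prompts.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/bundle.p12" -passout pass:demo
    # PKCS#12 -> PEM certificate + key (-nodes leaves the key unencrypted).
    openssl pkcs12 -in "$dir/bundle.p12" -out "$dir/from-p12.pem" \
        -nodes -passin pass:demo 2>/dev/null

    # PEM -> DER -> PEM for the key (openssl rsa) and the certificate (openssl x509).
    openssl rsa -in "$dir/key.pem" -inform PEM -outform DER -out "$dir/key.der" 2>/dev/null
    openssl rsa -in "$dir/key.der" -inform DER -outform PEM -out "$dir/key2.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -inform PEM -outform DER -out "$dir/cert.der"
    openssl x509 -in "$dir/cert.der" -inform DER -outform PEM -out "$dir/cert2.pem"

    # Every copy must still carry the original certificate and key.
    [ "$(cert_fingerprint "$dir/from-p12.pem" PEM)" = "$want_cert" ] || return 1
    [ "$(key_modulus "$dir/from-p12.pem" PEM)" = "$want_key" ] || return 1
    [ "$(cert_fingerprint "$dir/cert.der" DER)" = "$want_cert" ] || return 1
    [ "$(cert_fingerprint "$dir/cert2.pem" PEM)" = "$want_cert" ] || return 1
    [ "$(key_modulus "$dir/key.der" DER)" = "$want_key" ] || return 1
    [ "$(key_modulus "$dir/key2.pem" PEM)" = "$want_key" ] || return 1
}

# Usage: run the whole round trip in a temporary directory.
work=$(mktemp -d)
roundtrip_check "$work"
echo "round trip OK in $work"
```

The `-passout`/`-passin` options only replace the interactive prompt; drop them to be asked for the PKCS#12 passphrase as the plain commands above would, and note that `-nodes` on the import step writes the private key to disk unencrypted.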
In almost all cases, OpenSSL assumes that there is only one certificate in a given file. It will therefore generally use only the first certificate it finds and ignore all the others.
Normally you will have only one certificate in a file, so that is fine. However, you may occasionally come across files with several certificates in them. Unless you are going to use the file as a CA bundle (where you list all the CA certificates you trust in one single file), you will probably need to split it into one file per certificate.
First, you will want to check how many certificates a file holds. The simplest way to do that is with:
If you get a number greater than 1, the file holds multiple certificates. Your best bet is to split the file after each "--END ... CERTIFICATE--" line (there may or may not be anything in place of the "...").
One way to split the file is with this Perl program, which finds the block ends for you and prompts you for the file names to save each certificate into.
Note that the format of an X509 PEM certificate is:
This uses the s_client function of OpenSSL.
You will need to connect to an SSL service on a server that presents a certificate signed by the required CA.
This uses the s_client function of OpenSSL.
You will obviously need to connect to an SSL service on the server to get its certificate.
Note that the s_client function does not check the default OpenSSL CA certificate store, so you would see verification errors with the above. You can get around this by passing it the argument -CApath <ssl-base-dir>certs/ (see here for a guide to <ssl-base-dir>).
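The following script is an added example, not the guide's Perl program or any other code from the original page. It serves both the section on splitting multi-certificate files and the section on fetching certificates with s_client: a small awk filter counts the "-----BEGIN ... CERTIFICATE-----" blocks in a file and writes each one to its own numbered file, discarding the Bag Attributes and other text between blocks, and the same filter is then applied to the output of `openssl s_client -showcerts` to save the server certificate and the rest of the chain it sends. The sample bundle is constructed for the demonstration (its base64 bodies are not real certificates), the function names are the author's own, and only `fetch_server_chain` needs an `openssl` binary and a network connection.

```shell
#!/bin/sh
# Added example (not from the original guide): count and split the PEM
# certificate blocks in a file, and reuse the splitter to pull a server's
# certificate chain out of `openssl s_client -showcerts` output. The awk
# filter needs no openssl; only fetch_server_chain does. The sample bundle
# below is constructed and its base64 bodies are not real certificates.
set -eu

# Count the certificate blocks in a file. The "..." of the guide's
# "--END ... CERTIFICATE--" is covered by `.*`, so plain, TRUSTED and X509
# variants of the header are all counted.
count_pem_certs() {                       # $1 = file
    grep -c -- '^-----BEGIN .*CERTIFICATE-----$' "$1" || true
}

# Write each certificate block of $1 (a file, or - for stdin) into its own
# numbered file under $2, dropping any text between blocks (Bag Attributes,
# s_client chatter and so on). Prints the number of certificates written.
split_pem_certs() {                       # $1 = input, $2 = output dir
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN .*CERTIFICATE-----$/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /^-----END .*CERTIFICATE-----$/   { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Fetch the chain a server presents and split it: cert-01.pem is the server
# certificate and the highest-numbered file is the last certificate the
# server sent (often the CA). Add -CApath <ssl-base-dir>certs/ to the
# s_client call if you also want the chain verified against the CA store,
# as the guide notes; without it s_client still prints the certificates.
fetch_server_chain() {                    # $1 = host, $2 = port, $3 = output dir
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | split_pem_certs - "$3"
}

# Constructed sample: two blocks with the kind of text pkcs12 output puts
# around them. The bodies are placeholders, not parseable certificates.
write_sample_bundle() {                   # $1 = file to write
    cat >"$1" <<'EOF'
Bag Attributes
    localKeyID: 01
subject=/CN=first.example
-----BEGIN CERTIFICATE-----
MIIBfake1stCERTIFICATEbody/NOTREALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
some text between the blocks
-----BEGIN TRUSTED CERTIFICATE-----
MIIBfake2ndCERTIFICATEbody/NOTREALBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END TRUSTED CERTIFICATE-----
EOF
}

# Usage: build the sample, count it and split it into a temporary directory.
work=$(mktemp -d)
write_sample_bundle "$work/bundle.pem"
echo "certificates in bundle: $(count_pem_certs "$work/bundle.pem")"
echo "written: $(split_pem_certs "$work/bundle.pem" "$work/split")"
```

To save a live server's chain, call `fetch_server_chain www.example.test 443 /tmp/chain` (hostname made up here); the files it writes can then be inspected with `openssl x509 -in /tmp/chain/cert-01.pem -noout -text` or fed to the conversion commands earlier on this page.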
For those of you using KDE, Konqueror also gives you an easy way to get at server certificates. Go to "Settings->Configure Konqueror->Crypto", select the certificate, and then save it.
If you don't wish to run your own Certificate Authority, but do wish to have certificates, there are several options. You could, of course, go to a commercial CA and pay for email and server certificates as you need them.
Assuming you don't wish to pay for the certificates, you have two choices. Both are based on the Web Of Trust model: to be issued with certificates, you will have to get existing members of the web to certify your identity. Only once you are known to the web (by being notarised) will you get a certificate.
Choice number one for this is the Thawte Web Of Trust. Once in the web, you will be able to get a personal certificate suitable for use with email. The Thawte CA certificate is installed by default in most SSL and TLS enabled devices.
Choice number two is CA Cert. It is possible to get both personal certificates and server certificates, using similar notarisation methods to Thawte. Also, CA Cert is run by a not-for-profit group (Thawte is owned by Verisign), who are keen to help. The disadvantage is that their CA certificate is installed by default in a much smaller range of software. (Their certificate may be easily installed, as other parts of this guide show.)