PEM vs CERT vs CER

A .pem format certificate will most likely be ASCII-readable. It will have a line -----BEGIN CERTIFICATE-----, followed by base64-encoded data, followed by a line -----END CERTIFICATE-----. There may be other lines before or after.


Even though PEM encoded certificates are ASCII, they are not human readable. Here are some commands that will output the contents of a certificate in human readable form:

How to View PEM encoded certificate
----------------------------

Use the command that matches the extension of your certificate, replacing cert.xxx with the name of your certificate.

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the following error, it means that you are trying to view a DER encoded certificate and need to use the command in the "How to View DER encoded Certificate" section below.

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE


How to View DER encoded Certificate
----------------------------

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error, it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command from the "How to View PEM encoded certificate" section above.

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
---------------------------------------------------------------------------
How to use the openssl command to generate an OCSP request?
openssl can be used to send an OCSP request to a remote OCSP Responder server and test the response. (On Windows you can download the openssl binaries instead of doing a full installation.)

When chaining certificates, for example when creating a chain of Root and Intermediate certificates, export each certificate in Base 64 format and append them to one text file, naming it yourchain.crt. (The command below refers to it as yourchain.cer; openssl reads the file by its content, not its extension.)

C:\Users\user1\Downloads\openssl_dir\openssl-0.9.8h-1-bin\bin>openssl ocsp -issuer yourchain.cer -cert certificate.cer -text -url http://ocsp.managed.yourCAhere.com/OCSP/EMSSSPCAResponder > outputfile.txt

So there are 2 .cer files: one is your certificate, and yourchain.cer is your chained certificates. The URL is that of the CA hosting the OCSP Responder server. That server answers the request sent by your client query (the openssl command here); it is the Responder server that validates the OCSP request for the given certificate. Any errors, for example if the OCSP server is unreachable, are written to the command line output.
The outputfile.txt captures the response received from the remote responder server.
----------------------------------------------------------------------------
The chained certificate will look like the following when opened in a text editor. You can see there are two certificates here in Base 64 format.

-----BEGIN CERTIFICATE-----
fjdlkajfalkdsjfdkslajfdkasljflkadsj etc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
adsfjladsjfkladsjfkladsjfklasjfdaks etc
-----END CERTIFICATE-----
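As an added example (not part of the original post), here is a small Python script that makes the same decision openssl's -inform pem / -inform der switch makes, splits a chained .crt/.cer file like the one above into its individual certificates, and reports the two failure modes quoted above ("no start line" when a DER file is read as PEM, "wrong tag" when a PEM file is read as DER). The sample chain is constructed inline from two placeholder DER SEQUENCEs, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SEQUENCE_TAG = b"\x30"  # an X.509 certificate is a DER SEQUENCE, so a DER file starts with 0x30

def detect_format(data: bytes) -> str:
    """Pick between -inform pem and -inform der from the file content."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == SEQUENCE_TAG:
        return "DER"
    return "unknown"

def der_total_length(data: bytes) -> int:
    """Length of the outer SEQUENCE including tag and length bytes; raises on a wrong tag."""
    if len(data) < 2 or data[:1] != SEQUENCE_TAG:
        raise ValueError("wrong tag: expected SEQUENCE")  # the ASN1_CHECK_TLEN case above
    first = data[1]
    if first < 0x80:                   # short-form length
        return 2 + first
    n = first & 0x7F                   # long form: the next n bytes hold the length
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def pem_to_der(block: str) -> bytes:
    """Strip the BEGIN/END lines and base64-decode the body (what -inform pem does)."""
    m = PEM_BLOCK.search(block)
    if m is None:
        raise ValueError("no start line")  # the PEM_read_bio case above
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def load_certificates(data: bytes) -> list:
    """Accept a PEM chain file or a single DER certificate; return DER bytes per certificate."""
    fmt = detect_format(data)
    if fmt == "PEM":
        ders = [pem_to_der(m.group(0)) for m in PEM_BLOCK.finditer(data.decode())]
    elif fmt == "DER":
        ders = [data]
    else:
        raise ValueError("neither PEM nor DER")
    for d in ders:                     # reject truncated files or trailing junk
        if der_total_length(d) != len(d):
            raise ValueError("DER length does not match file length")
    return ders

# Constructed sample: two minimal DER SEQUENCEs (valid ASN.1 wrappers, not real
# certificates) joined as a PEM chain, like the two-certificate file shown above.
SAMPLE_CERTS = [b"\x30\x03\x02\x01\x05", b"\x30\x05\x04\x03abc"]
SAMPLE_CHAIN = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                       % base64.b64encode(d).decode() for d in SAMPLE_CERTS).encode()
```

Each DER blob returned by load_certificates is what `openssl x509 -inform der` would parse; a real chain yields one blob per certificate.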
----------------------------------------------------------------------------
Note the various formats of certificates that you may create, e.g. p7b, p12.
The p12 (or pfx) format contains the complete certificate along with the private key. With the openssl tool you can create both formats. However, if you are using the Windows MMC tool to create the certificate, note that you will need to use the same host/desktop where you originally created the CSR to create the certificate with the key, since the private key stays in that machine's key store.
Difference between p7b and p12 formats

