2011/09/16

Basic Key/Certificates Manipulation by OpenSSL

Getting Server's SSL/TLS Certificate Chain


openssl s_client -connect some_hostname:443 -showcerts
The X.509 certificates are printed as base64-encoded text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Save each certificate, together with those two lines, in a file with a .pem suffix.

We can then look at the certificate information:
openssl x509 -in cert.pem -inform PEM -noout -text
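
To save each certificate from the s_client output above into its own .pem file, the following added example (not part of the original post) splits the output on the BEGIN/END lines. The function names split_chain and sample_showcerts, the cert-N.pem file naming and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split "openssl s_client -showcerts" output into PEM files.

# split_chain OUTDIR
#   Reads s_client output on stdin and writes OUTDIR/cert-N.pem, one file per
#   certificate, in the order the server sent them (0 is listed first).
#   Prints the number of complete certificates written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        $0 == "-----BEGIN CERTIFICATE-----" { inside = 1; buf = "" }
        inside { buf = buf $0 "\n" }
        inside && $0 == "-----END CERTIFICATE-----" {
            file = sprintf("%s/cert-%d.pem", dir, n)
            printf "%s", buf > file               # headers are kept in the file
            close(file)
            n++; inside = 0
        }
        END { print n + 0 }                       # a block with no END line is dropped
    '
}

# Constructed sample shaped like s_client output. The bodies are placeholders,
# not real certificates, and the last block is deliberately cut off.
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = some_hostname
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q1VULU9GRg
EOF
}

demo_dir=$(mktemp -d)
count=$(sample_showcerts | split_chain "$demo_dir")
echo "wrote $count certificate file(s):"; ls "$demo_dir"
rm -rf "$demo_dir"
```

With a live server, pipe the s_client command into the function, for example: openssl s_client -connect some_hostname:443 -showcerts </dev/null | split_chain chain. Each chain/cert-N.pem can then be read with the x509 command shown above.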

    Conversion of Key and Certificate Formats

    Keys

    • PKCS#1 – PEM to DER
      openssl rsa -in key.pem -out key.der -inform pem -outform der

      The key format is shown by the header line of key.pem:
      • PKCS#1 - BEGIN RSA PRIVATE KEY, BEGIN RSA PUBLIC KEY
      • PKCS#8 - BEGIN PRIVATE KEY, BEGIN ENCRYPTED PRIVATE KEY

    Certificates

    • PEM to P12
      openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem
    • PEM to DER
      openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
