OpenSSL supports several certificate formats. Certificates are based on the DSA signature algorithm and the RSA algorithm for public-key cryptography according to PKCS algorithms.  The certificate format depends on the application, as there is no agreement on file format standards.

Private keys are usually available in the PEM and DER format. The related files have names of the following type:

*key-rsa.pem for pem files
*key-rsa.der for der files

For OpenSSL applications, the PEM format should suffice. For Java applications, the DER format might be more suitable for importing the private key and certificates.

For certificates, the available formats are PEM, DER and PKCS12 with file names of the following type:

*cert.pem for pem files
*cert.der for der files
*cert.p12 for pkcs12 files

In general, the PEM formats are mostly used in the Unix world, PCKS12 in the Microsoft world and DER in the Java world.

Certificate files are ASN.1-encoded objects that may be encrypted according to DES (Data Encryption Standard). The files can optionally be encrypted using a symmetric cipher algorithm, such as 3DES.

An unencrypted PEM file might look something like this:

    —–BEGIN CERTIFICATE—–
    MB4CGQDUoLoCULb9LsYm5+/WN992xxbiLQlEuIsCAQM=
    —–END CERTIFICATE—–

The string beginning with MB4C… is the Base64-encoded, ASN.1-encoded object.

An encrypted file would have headers describing the type of encryption used, and the initialization vector:

    —–BEGIN RSA PRIVATE KEY—–
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,C814158661DC1449
    AFAZFbnQNrGjZJ/ZemdVSoZa3HWujxZuvBHzHNoesxeyqqidFvnydA==
    —–END RSA PRIVATE KEY—–

The two headers Proc-Type and DEK-Info declare the type of encryption, and the string starting with AFAZ… is the Base64-encoded, encrypted, ASN.1-encoded object.

As web browsers make use of Java applications, they import/export certificates in pkcs12 file format, i.e. public and private keys are packed in one single file using the PKCS#12 algorithm. Other applications require the pem format with unpacked public and private keys, thus the user must remember the appropriate file format for each application and must perform format conversions as appropriate.

The following tables report a summary of formats used for INFN-Grid applications and two simple scripts with format conversion commands.

INFN-Grid Certificates Format Summary
Certificate Type     Certificate Format
CA Authority Certificate     DER
Personal Certificate from CA     PKCS12
Grid Access Certificate     PEM

=========================
CONVERT pkcs12 to pem
=========================
#!/bin/sh
echo “copy your cert to cert.p12 – then run this script”
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem

=========================
CONVERT pem to pkcs12
=========================
#!/bin/sh
echo “Verify that you are using the correct certificate pair (key/cert)”
openssl pkcs12 -export -out one.identity.neteller.com.p12 -inkey ./one.identity.neteller.com.key -in ./one.identity.neteller.com.cert

** NOTE: specify the -in and -inkey parameters as PEM format files…

If your running JRockit, you might also be interested in how to update Verisign CA root certificates.

This might be required if you start seeing errors such as this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Tweet This Post