This stuff is genuinely confusing: sometimes it is called pem, sometimes crt, sometimes cert, and so on. My conclusion: whatever file I stuff the crt / key / ca into, I call pem.
crt and cert are both abbreviations of certificate; I normally name that file server.crt,
while .cer, .pfx and .p7b are formats Windows can read, and .cer comes in two flavours, DER-encoded and Base64-encoded:
DER is a binary format (the content looks like garbage), Base64 is plain text (which is obviously the same thing as a crt),
and .pfx and .p7b are of course binary formats (the content looks like garbage).
.pem is also stored as plain text; it bundles the .crt and the .key together in one file.
Either way,
the SSL certificate (public key) starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----
the SSL private key starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
Conversion
crt to cer (DER-encoded binary) (on Windows you can also open the file > Details > Copy to File)
openssl x509 -in server.crt -out server.cer -outform DER
cer (DER-encoded binary) to crt
openssl x509 -in server.cer -out server2.crt -inform DER
Merge crt and key into pfx (PKCS#12, also called p12) (used by IIS) (a binary certificate containing both public and private key) (a ca can be included as well; that is the intermediate certificate)
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -certfile ca.crt -password pass:123456
Unpack the pfx (contains crt, key and ca); here I save it as pem (why? for the reason explained above)
openssl pkcs12 -in server.pfx -out server.pem -nodes -password pass:123456
Unpack the pfx (crt and ca only)
openssl pkcs12 -in server.pfx -nokeys -out server2.crt -nodes -password pass:123456
Unpack the pfx (key only)
openssl pkcs12 -in server.pfx -nocerts -out server2.key -nodes -password pass:123456
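As an added example (not part of the original post, and not using OpenSSL), here is the PEM/DER relationship and the "certs only" / "key only" split from the openssl pkcs12 commands above, done with the Python standard library only. The sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate, so the structure can be shown offline.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE holding INTEGER 5. Not a real
# certificate; it only stands in for the binary payload a .cer/.crt carries.
SAMPLE_DER = bytes.fromhex("3003020105")

# One PEM block: label in the BEGIN line must match the label in the END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """Tell a Base64 PEM file from a DER file the way openssl's -inform expects."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: every DER cert/key starts here
        return "DER"
    raise ValueError("neither PEM armour nor an ASN.1 SEQUENCE")


def der_to_pem(der: bytes, label: str) -> str:
    """Base64-encode DER bytes and wrap them in 64-column PEM armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(pem: str):
    """Split a PEM bundle (crt + key + ca in one file) into (label, DER) pairs."""
    # b64decode discards the line breaks inside the Base64 body.
    return [(m.group(1), base64.b64decode(m.group(2)))
            for m in PEM_RE.finditer(pem)]


def select_blocks(pem: str, want: str) -> str:
    """Emulate 'openssl pkcs12 -nokeys' (want='certs') or '-nocerts' (want='keys')."""
    keep = []
    for label, der in pem_blocks(pem):
        is_key = label.endswith("PRIVATE KEY")
        if (want == "keys") == is_key:
            keep.append(der_to_pem(der, label))
    return "".join(keep)
```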
crt to p7b
openssl crl2pkcs7 -nocrl -certfile server.crt -out server.p7b -certfile ca.crt
p7b to pem
openssl pkcs7 -print_certs -in server.p7b -out server2.pem
jks (the Java keystore) (pfx can also be used with Java)
First merge crt and key into pfx
Then convert the pfx to jks
keytool -importkeystore -srckeystore server.pfx -destkeystore server.jks -srcstoretype PKCS12 -deststoretype jks -srcstorepass 123456 -deststorepass 123456
jks to pfx
keytool -importkeystore -srckeystore server.jks -destkeystore server2.pfx -srcstoretype jks -deststoretype PKCS12 -srcstorepass 123456 -deststorepass 123456
Verification
https://www.thesslstore.com/ssltools/match-ssl-elements.php
Certificate Key Matcher
Match your CSR, SSL Certificate and Private Key Pairs
All three hashes should be identical
openssl pkey -in server.key -pubout -outform pem | sha256sum
openssl x509 -in server.crt -pubkey -noout -outform pem | sha256sum
openssl req -in server.csr -pubkey -noout -outform pem | sha256sum
Inspect a crt
openssl x509 -in server.crt -text -noout
Inspect a cer (DER-encoded binary)
openssl x509 -in server.cer -inform DER -text -noout
Inspect a key (private key)
openssl rsa -in server.key -text -noout
Verify a certificate
openssl verify server.crt
Show csr contents
openssl req -in server.csr -text -noout
Show csr contents and verify its signature
openssl req -in server.csr -text -verify -noout
Check the csr against the private key
openssl req -in server.csr -noout -verify -key server.key
Check the private key
openssl rsa -noout -text -check -in server.key
Check server.pfx
openssl pkcs12 -info -in server.pfx
Check server.jks
keytool -v -list -storetype jks -keystore server.jks -storepass 123456
SSL certificate formats explained: .P7B (PKCS#7) .PFX/.P12 (PKCS#12) .PEM, .DER, .CRT, .CER
Source: https://knowledge.digicert.com/generalinformation/INFO4448.html
PEM Format
It is the most common format used for certificates
Most servers (Ex: Apache) expect the certificates and private key to be in separate files
- Usually they are Base64 encoded ASCII files
- Extensions used for PEM certificates are .cer, .crt, .pem, .key files
- Apache and similar servers use PEM format certificates
DER Format
The DER format is the binary form of the certificate
All types of certificates & private keys can be encoded in DER format
DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements
DER formatted certificates most often use the '.cer' and '.der' extensions
DER is typically used in Java Platforms
P7B/PKCS#7 Format
The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c
A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key
The most common platforms that support P7B files are Microsoft Windows and Java Tomcat
PFX/P12/PKCS#12 Format
The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file
These files usually have extensions such as .pfx and .p12
They are typically used on Windows machines to import and export certificates and private keys