Certificates and Encodings
At its core an X.509 certificate is a digital document: an ASN.1 structure that binds a public key to a subject name and is digitally signed by an issuer, encoded and profiled according to RFC 5280.
In fact, the term "X.509 certificate" usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280 and commonly referred to as PKIX (Public Key Infrastructure using X.509).
X509 File Extensions
The first thing we have to understand is what each type of file extension means. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates are much easier to manipulate.
Encodings (also used as extensions)
- .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be "I have a DER encoded certificate", not "I have a DER certificate".
- .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data, prefixed with a "-----BEGIN ..." line and terminated by a matching "-----END ..." line. The Base64 body is simply the DER bytes, so PEM and DER carry exactly the same structure in two encodings.
Common Extensions
- .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
- .CER = Alternate form of .CRT (Microsoft convention). Microsoft tools can convert .crt to .cer (either a DER encoded .cer or a Base64/PEM encoded .cer). The .cer file extension is also registered on Windows so that opening such a file from IE invokes a CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialog for importing and/or viewing the certificate contents.
- .KEY = The KEY extension is used for keys, in practice almost always private keys (PKCS#8 "PRIVATE KEY", or the older PKCS#1 "RSA PRIVATE KEY" form), and occasionally for public keys. The keys may be encoded as binary DER or as ASCII PEM. Treat any .key file as sensitive until you have confirmed it holds only a public key.
The only time CRT and CER can safely be interchanged is when the encoding is identical (i.e. a PEM encoded CRT is the same file as a PEM encoded CER). Renaming the file never changes its encoding; only a conversion does.
Common OpenSSL Certificate Manipulations
There are four basic types of certificate manipulations: View, Transform, Combination, and Extraction.
View
Even though PEM encoded certificates are ASCII, they are not human readable: the text is just Base64 of the binary structure. Here are some commands that will let you output the contents of a certificate in human readable form:
View PEM encoded certificate
Use the command matching the extension of your certificate, replacing cert.xxx with the name of your certificate (the extension does not matter to OpenSSL; the encoding does):
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
If you get the following error it means that you are trying to view a DER encoded certificate and need to use the command in "View DER encoded certificate" below (the output shown is from OpenSSL 1.x; newer releases word the message differently but the "no start line" reason is the same):
unable to load certificate 12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
View DER encoded Certificate
openssl x509 -in certificate.der -inform der -text -noout
If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in "View PEM encoded certificate" above. The "wrong tag" is literal: the first byte of a PEM file is "-" (0x2d), not the ASN.1 SEQUENCE tag (0x30) that a DER certificate starts with.
unable to load certificate 13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
Transform
Transforms convert one encoding of a certificate to another (i.e. PEM to DER conversion). The certificate itself, including its signature, is unchanged; only the container differs.
PEM to DER
openssl x509 -in cert.crt -inform pem -outform der -out cert.der
DER to PEM
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
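The following is an added example, not code from the original article, showing what the encodings described above and the two View errors amount to in practice: a content-based detector that classifies a file as PEM or DER regardless of its extension, plus PEM-to-DER and DER-to-PEM conversion equivalent to the two openssl x509 transforms. It uses only the Python standard library. The SAMPLE_DER blob is a constructed ASN.1 SEQUENCE of two INTEGERs standing in for a real certificate (a real certificate is also an outer SEQUENCE, just much longer); the function names are this example's own.

```python
"""Detect certificate encoding by content, not extension, and convert PEM <-> DER.

Added example, not part of the original article. Standard library only.
SAMPLE_DER is a constructed stand-in for a DER certificate, not a real one.
"""
import base64
import re

# One PEM block: "-----BEGIN <LABEL>-----", Base64 body, "-----END <LABEL>-----".
# The backreference \1 makes sure BEGIN and END carry the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 } in DER.
# 0x30 is the SEQUENCE tag; 0x06 is the short-form length of the contents.
SAMPLE_DER = bytes.fromhex("3006020101020102")


def der_total_length(data: bytes):
    """Return the total size implied by the leading SEQUENCE tag/length, or None.

    DER lengths are short form (one octet < 0x80) or long form (0x80 | n,
    followed by n big-endian length octets). A PEM file fails here at once,
    because its first byte is '-' (0x2d), which is the 'wrong tag' OpenSSL reports.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_encoding(data: bytes) -> str:
    """Classify raw file contents as 'PEM', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    total = der_total_length(data)
    if total is not None and total == len(data):
        return "DER"
    return "unknown"


def pem_to_der(pem: bytes):
    """Unarmor the first PEM block; returns (label, der_bytes).

    Raises ValueError for input with no armor, the case behind OpenSSL's
    'no start line' error when DER is fed to a PEM reader.
    """
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM armor found (OpenSSL: 'no start line')")
    return m.group(1).decode(), base64.b64decode(m.group(2))


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Armor DER bytes as PEM: Base64 folded at 64 characters per line (RFC 7468)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n").encode()


def suggest_name(stem: str, data: bytes) -> str:
    """Name a file after its real encoding, e.g. 'server.pem' or 'server.der'."""
    enc = detect_encoding(data)
    return f"{stem}.{enc.lower()}" if enc != "unknown" else f"{stem}.unknown"


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode(), end="")
    print("sample DER  ->", detect_encoding(SAMPLE_DER), suggest_name("sample", SAMPLE_DER))
    print("sample PEM  ->", detect_encoding(pem), suggest_name("sample", pem))
    label, back = pem_to_der(pem)
    print("round trip  ->", label, back == SAMPLE_DER)
```

Run it on a real file by reading it in binary mode and passing the bytes to detect_encoding; a .crt or .cer whose detector result disagrees with its name is exactly the mislabeled file the article warns about, and suggest_name gives the label it should carry.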
Combination
In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example is to place the private key, the certificate (which already carries the public key) and the issuing chain into the same file.
The easiest way to combine certificates, keys and chains is to convert each to PEM and then simply copy the contents of each file into a new file, one after another. Order matters: the server certificate must come before the intermediates that signed it, and each block must end with a newline so that one "-----END" line does not run into the next "-----BEGIN" line. This is suitable for combining files to use in applications like Apache, nginx or HAProxy that read a chain (and, for some, the key) from one PEM file. Because such a file contains the private key, restrict its permissions to the service account and keep it out of any place the public certificate would be shared.
Extraction
Some certificates come in a combined form, where one file can contain any of: a certificate, a private key, a public key, a signed certificate, the Certificate Authority (CA) certificate, and/or the authority chain. Extraction is the reverse of combination: pull the block you need out into its own correctly labeled file. For a PEM bundle this is a matter of copying out the "-----BEGIN"/"-----END" block of the right type; for the binary PKCS#12 form (.pfx/.p12), openssl pkcs12 unpacks the contents into PEM first.
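As an added example for the Combination and Extraction sections above (not code from the original article), the following builds a combined PEM file the way the text describes and splits such a bundle back into its components by armor label, with a helper that strips private-key blocks before a bundle is handed to anyone who should only see the public parts. The PEM bodies are constructed placeholders (Base64 of short strings), not real keys or certificates; only the labels matter for the logic shown, and the function names are this example's own.

```python
"""Combine PEM parts into one bundle and extract parts from a bundle by label.

Added example, not part of the original article. Standard library only.
The sample blocks are constructed placeholders, not real key or certificate material.
"""
import base64
import re

# One armored block, including its trailing newline if present; \1 forces the
# END label to match the BEGIN label so blocks cannot swallow each other.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----\n?", re.DOTALL
)

# Any block with one of these labels is private-key material.
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY"}


def pem_block(label: str, payload: bytes) -> str:
    """Armor raw bytes as one PEM block (used here to construct sample input)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def combine(*parts: str) -> str:
    """Concatenate PEM files in the order given (key, leaf, intermediates).

    Every part must already be PEM; a DER part is rejected rather than silently
    producing a bundle that fails with 'no start line'. A missing final newline
    would glue an END line onto the next BEGIN line, so one is added if absent.
    """
    out = []
    for p in parts:
        if not BLOCK_RE.search(p):
            raise ValueError("part is not PEM armored; convert it to PEM first")
        out.append(p if p.endswith("\n") else p + "\n")
    return "".join(out)


def split(bundle: str) -> dict:
    """Group every armored block in a bundle by label, preserving file order."""
    groups: dict = {}
    for m in BLOCK_RE.finditer(bundle):
        groups.setdefault(m.group(1), []).append(m.group(0))
    return groups


def extract(bundle: str, label: str) -> str:
    """Return all blocks of one label as a standalone PEM file (e.g. the CA chain)."""
    return "".join(split(bundle).get(label, []))


def public_only(bundle: str) -> str:
    """Drop private-key blocks so the result is safe to give to another party."""
    return "".join(block
                   for label, blocks in split(bundle).items()
                   if label not in PRIVATE_LABELS
                   for block in blocks)


# Constructed sample bundle in the layout a web server expects: key, leaf, chain.
SAMPLE_KEY = pem_block("PRIVATE KEY", b"not a real key")
SAMPLE_LEAF = pem_block("CERTIFICATE", b"not a real server certificate")
SAMPLE_CHAIN = (pem_block("CERTIFICATE", b"not a real intermediate")
                + pem_block("CERTIFICATE", b"not a real root"))
SAMPLE_BUNDLE = combine(SAMPLE_KEY, SAMPLE_LEAF, SAMPLE_CHAIN)


if __name__ == "__main__":
    for label, blocks in split(SAMPLE_BUNDLE).items():
        print(f"{label}: {len(blocks)} block(s)")
    print("--- public parts only ---")
    print(public_only(SAMPLE_BUNDLE), end="")
```

extract(bundle, "CERTIFICATE") returns the leaf followed by the chain in bundle order, so the first block of that result is the server certificate and the rest is the chain; write each group to a file named for its label and encoding (server.pem, chain.pem, server.key) rather than reusing the bundle's name.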
Original - http://www.gtopia.org/blog/2010/02/der-vs-crt-vs-cer-vs-pem-certificates/