How do I convert a certificate's encoding format?

Original article link (what follows is the key part excerpted from it; it may be translated into Chinese later)
Instructions on how to convert digital certificates from one file format to another

Once we unravel everything it will feel a lot less overwhelming. So if you’re ready to learn how to convert a certificate to the correct format…

Let’s hash it out.

Why would I need to know how to convert a certificate to the correct format?

Before we talk about how to convert a certificate to the correct format, let’s start with what that even means. There are dozens of different server-types that are in regular use and unfortunately there is no uniform standard for file type. If this annoys you and you’re American, now you know how the rest of the world feels when it has to convert its metric units to US customary units because we thought it would be far more sporting not to count in units of ten.

At any rate, this diversity of server types has led to the use of multiple different file formats for digital certificates. Now, aren’t they all X.509 certificates? – you’re probably asking. Well, yes. And if you wanted us to, we could write an entire article on this topic that discusses Abstract Syntax Notation and byte arrays but I have a feeling that’s going to be a lot more information than you came for. So here’s the abridged version: An X.509 certificate is a type of digital certificate that uses the PKI standard (X.509 v3) to validate that a server is the rightful owner of the associated public key. When you see extensions like:

.der .pem .crt .cer .pkcs7 .p7b .pkcs8 .pkcs12 .pfx .p12

Those refer to how the certificate is encoded and presented. For lack of a more eloquent definition, encoding is basically just coding of data into a format that can be used by another system. Or put more simply, it’s coding data so it can be read and used by a computer. One of the most common encoding standards (that you will need to remember in a couple of paragraphs) is ASCII or the American Standard Code for Information Interchange (a far more ubiquitous standard than our measurement system), which is an encoding scheme used for files that contain text.

Now let’s talk a little bit about encoding styles.

.der – Stands for Distinguished Encoding Rules, a binary encoding format. Windows views these as certificate files and actually exports certificates as .der formatted files but with an extension like .crt or .cer.
.pem – Stands for Privacy Enhanced Mail, which is amusing considering that PEM basically failed at the function it was designed for, but proved useful as a container format. PEM files are just Base64 encoded DER files.

A DER file is an X.509 digital certificate encoded in binary – 1’s and 0’s. Base64 is a binary-to-text encoding scheme, so a PEM file, which is a Base64 encoded DER file, is that same X.509 certificate, but encoded in text, which (remember!) is represented as ASCII.
DER files are rarely used outside of Windows, so we’ll stop with them. But, remember how we said the PEM is a container? That’s because it can contain anything from just the digital certificate itself, to the entire certificate chain and the keypair. Unfortunately, not all browsers will recognize files with the .pem extension as certificates, so a lot of times you’ll see a different extension affixed to the end of a PEM file (and also DER files):

.cert .crt .cer

So when talking about how to convert a certificate to the correct format, you could be talking about how it’s encoded or how it’s presented. Now, there are a few other ways to present a certificate beyond PEM and DER: the PKCS, or Public Key Cryptography Standards, formats. Generally you see PKCS7, PKCS8 and PKCS12. Let’s start with PKCS7, which was originally defined by the company RSA before being turned over to IETF. It is a multi-purpose format for encrypted and signed data to be disseminated. It eventually evolved into Cryptographic Message Syntax, CMS, but just like with SSL and TLS, PKCS7 is the colloquial name we all still use. It’s an open standard and it’s supported by Windows. One thing to note though is that it cannot contain a private key. PKCS7 gets used a lot with email certificates and forms the basis for S/MIME secure email.

PKCS8 is a similar standard used for carrying private keys. And finally, we have PKCS12, which provides better security via encryption. Much like a PEM file it can contain anything from the single certificate to the entire certificate chain and key pair, but unlike PEM it’s a fully encrypted password-guarded container. If, during the generation of an SSL certificate you’re prompted for a password, it can be used to open the certificate if it’s in the PKCS12 format.
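
Because the extension does not tell you the encoding (a .cer or .crt file may be PEM or DER), the sketch below inspects the file content instead, and counts private keys that sit unencrypted inside a PEM container. It is an added example, not part of the original article; the function names cert_file_kind and pem_plaintext_keys are made up for it, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: classify a certificate/key file by content, not by extension.

# Prints "pem:<LABEL>=<count>,..." for a PEM container, "binary-asn1" for
# binary files that open with an ASN.1 SEQUENCE (a DER certificate, a DER
# PKCS7 and a PKCS12 all start with byte 0x30), or "unknown".
cert_file_kind() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    labels=$(LC_ALL=C sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----.*/\1/p' "$1" |
             tr ' ' '_' | LC_ALL=C sort | uniq -c |
             awk '{ printf "%s%s=%d", sep, $2, $1; sep = "," }')
    if [ -n "$labels" ]; then
        echo "pem:$labels"
        return 0
    fi
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo "binary-asn1"; else echo "unknown"; fi
}

# Counts private keys stored without encryption in a PEM container.
# "ENCRYPTED PRIVATE KEY" (PKCS8) blocks and traditional keys that carry a
# "Proc-Type: 4,ENCRYPTED" header are not counted.
pem_plaintext_keys() {
    LC_ALL=C awk '
        /^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/ { inkey = 1; enc = 0; next }
        inkey && /^Proc-Type: 4,ENCRYPTED/             { enc = 1 }
        inkey && /^-----END /                          { if (!enc) n++; inkey = 0 }
        END { print n + 0 }' "$1"
}

# Constructed sample: only the armor lines matter, the Base64 bodies are dummy text.
sample=$(mktemp)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' \
    > "$sample"
cert_file_kind "$sample"        # pem:CERTIFICATE=2,PRIVATE_KEY=1
pem_plaintext_keys "$sample"    # 1
rm -f "$sample"
```

A non-zero count from pem_plaintext_keys means the file must be handled like the private key itself, whatever its extension says.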

Wouldn’t it be easier to do this if I just used a tool?

Absolutely. It would also be a lot riskier. While generally, we’d like to think you could trust all of the websites that host this kind of tool, uploading your digital certificate anywhere but your own server is generally ill-advised. And by that I mean, don’t use an online tool to convert your digital certificates to different file formats. Do it on your server using OpenSSL commands.
Which leads us to the next inevitable question…

What is OpenSSL?

OpenSSL is a software library. A computer doesn’t innately know how to do anything. You have to teach it. A software library is a collection of code, scripts, configurations and procedures that helps facilitate a given function. For instance, if you’re writing a piece of software that’s going to require a lot of mathematical calculations it only makes sense to add a mathematical software library so that you don’t have to write a whole bunch of complex mathematical functions yourself.

Now apply that concept to SSL. OpenSSL is a software library that enables the SSL/TLS protocol on pretty much every server under the sun. Yes, it’s that ubiquitous. So, while there may not be a universal file format for X.509 certificates, there is at least a universal language for manipulating them on servers. OpenSSL is written in the C programming language, which makes it extremely accessible to anyone with even a rudimentary knowledge of programming.
So, now let’s go over how to convert a certificate to the correct format.

How to convert a certificate to the correct format

Converting X.509 to PEM – This is a decision on how you want to encode the certificate (don’t pick DER unless you have a specific reason to).

openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem

Converting DER to PEM – Binary encoding to ASCII

openssl x509 -inform der -in certificatename.der -out certificatename.pem

Converting PEM to DER – ASCII to Binary

openssl x509 -outform der -in certificatename.pem -out certificatename.der

Converting PEM to PKCS7 – PKCS7 files can only contain certificates and certificate chains, never private keys.

openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer

Converting PKCS7 to PEM – Remember, this file will not include the keypair.

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

Converting PKCS12 to PEM – Also called PFX, PKCS12 containers can include certificate, certificate chain and private key. They are password protected and encrypted.

openssl pkcs12 -in certificatename.pfx -out certificatename.pem

Converting PKCS12 to PKCS8 – PKCS8 is similar to PKCS7, only it’s intended for private key storage and can be encrypted with a password.

This takes two steps:
openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem
openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
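
The two commands above leave the private key unencrypted twice: in the intermediate certificatename.pem (because of -nodes) and in the final .pk8 (because of -nocrypt). The variant below is an added example, not from the original article: it pipes step 1 into step 2 so no plaintext key is written to disk, and encrypts the PKCS8 output. The function name and the environment variable names PFX_PASS and PK8_PASS are assumptions; both variables must be exported before the call.

```shell
#!/bin/sh
# Added example: PKCS12 -> encrypted PKCS8 with no plaintext key on disk.
# PFX_PASS  (hypothetical name): password of the input PKCS12 file
# PK8_PASS  (hypothetical name): passphrase for the new PKCS8 file
# Usage: pfx_to_encrypted_pk8 certificatename.pfx certificatename.pk8
pfx_to_encrypted_pk8() {
    pfx=$1
    out=$2
    [ -n "${PFX_PASS+x}" ] && [ -n "${PK8_PASS:-}" ] || {
        echo "export PFX_PASS and PK8_PASS first" >&2; return 2; }
    (
        umask 077                        # key file readable by its owner only
        tmp=$(mktemp "$out.XXXXXX") || exit 1
        # Step 1 writes the key to a pipe instead of a file; step 2 encrypts
        # it (PKCS8 with AES-256-CBC) instead of using -nocrypt.
        if openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
           openssl pkcs8 -topk8 -v2 aes-256-cbc -passout env:PK8_PASS -out "$tmp" 2>/dev/null &&
           grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$tmp"
        then
            mv "$tmp" "$out"             # publish only a complete, encrypted key
        else
            rm -f "$tmp"
            echo "conversion failed: wrong password or no key in $pfx" >&2
            exit 1
        fi
    )
}
```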

Converting PKCS7 to PKCS12 – This requires two steps as you’ll need to combine the private key with the certificate file.

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer