How to Convert an Ssl Certificate in Linux

How to convert an SSL certificate in linux

Converting certificates between cer/pem/crt/der/pfx/p12 can be done in Linux with the use of OpenSSL tool via the terminal.

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

For more information see:

http://www.sslshopper.com/article-most-common-openssl-commands.html

https://support.ssl.com/index.php?/Knowledgebase/Article/View/19

Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?

File extensions for cryptographic certificates aren't really as standardized as you'd expect. Windows by default treats double-clicking a .crt file as a request to import the certificate into the Windows Root Certificate store, but treats a .cer file as a request just to view the certificate. So, they're different in the sense that Windows has some inherent different meaning for what happens when you double click each type of file.

But the way that Windows handles them when you double-click them is about the only difference between the two. Both extensions just represent that it contains a public certificate. You can rename a certificate file to use one extension in place of the other in any system or configuration file that I've seen. And on non-Windows platforms (and even on Windows), people aren't particularly careful about which extension they use, and treat them both interchangeably, as there's no difference between them as long as the contents of the file are correct.

Making things more confusing is that there are two standard ways of storing certificate data in a file: One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----". These encode the same data but in different ways. Most systems accept both formats, but, if you need to, you can convert one to the other via openssl or other tools. The encoding within a certificate file is really independent of which extension somebody gave the file.

Convert .pem to .crt and .key

I was able to convert pem to crt using this:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

How to get .pem file from .key and .crt files?

Your keys may already be in PEM format, but just named with .crt or .key.

If the file's content begins with -----BEGIN and you can read it in a text editor:

The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.

If the file is in binary:

For the server.crt, you would use

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For server.key, use openssl rsa in place of openssl x509.

The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.

If this is for a Web server and you cannot specify loading a separate private and public key:

You may need to concatenate the two files. For this use:

cat server.crt server.key > server.includesprivatekey.pem

I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.

How to generate a self-signed SSL certificate using OpenSSL?

You can do that in one command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

You can also add -nodes (short for "no DES") if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.

The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).

How to convert a long date to short date from SSL certificates | Unix KSH

The openssl command will make the NotBeforeDate variable to have the value (at least in the bash version I'm using):

notBefore=Oct 31 00:00:00 2013 GMT

So, first we need to remove the notBefore= part:

dateStr=${NotBeforeDate/notBefore=/}

Then you can use the date command:

date --date="$dateStr" --utc +"%m-%d-%Y"

The --date option tells the command to use the dateStr value, --utc tells that the date is in UTC (as specified by GMT part) and +"%m-%d-%Y" formats the date to the desired format.

The output is:

10-31-2013

---

PS: the options can vary according to your Linux version.

You can check all the available ones with date --help or man date.

For example, the long options --date and --utc might not be available, but the equivalent short versions might be (just an example, I'm not sure if date command has such variations between different unix versions):

date -d "$dateStr" -u +"%m-%d-%Y"

Unfortunately I don't have the exact same environment you're using (ksh in unix), but that should work.

---

The -d options seems to be GNU specific, so if it's not available, you'll have to manually parse the string. Assuming that dateStr has the value Oct 31 00:00:00 2013 GMT, you can run:

printf '%s\n' "$dateStr" | awk '{ printf "%02d-%02d-%04d\n", (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3, $2, $4}'

The output is:

10-31-2013

How can I convert a PFX certificate file for use with Apache on a linux server?

With OpenSSL you can convert pfx to Apache compatible format with next commands:

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes  -out domain.key   

First command extracts public key to domain.cer.

Second command extracts private key to domain.key.

Update your Apache configuration file with:

<VirtualHost 192.168.0.1:443>
 ...
 SSLEngine on
 SSLCertificateFile /path/to/domain.cer
 SSLCertificateKeyFile /path/to/domain.key
 ...
</VirtualHost>

---

Related Topics