How to convert an SSL certificate in Linux
Converting certificates between cer/pem/crt/der/pfx/p12 can be done in Linux with the OpenSSL tool from the terminal.
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
For more information see:
http://www.sslshopper.com/article-most-common-openssl-commands.html
https://support.ssl.com/index.php?/Knowledgebase/Article/View/19
Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?
File extensions for cryptographic certificates aren't really as standardized as you'd expect. Windows by default treats double-clicking a .crt file as a request to import the certificate into the Windows Root Certificate store, but treats a .cer file as a request just to view the certificate. So, they're different in the sense that Windows has some inherent different meaning for what happens when you double click each type of file.
But the way that Windows handles them when you double-click them is about the only difference between the two. Both extensions just represent that it contains a public certificate. You can rename a certificate file to use one extension in place of the other in any system or configuration file that I've seen. And on non-Windows platforms (and even on Windows), people aren't particularly careful about which extension they use, and treat them both interchangeably, as there's no difference between them as long as the contents of the file are correct.
Making things more confusing is that there are two standard ways of storing certificate data in a file: One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----". These encode the same data but in different ways. Most systems accept both formats, but, if you need to, you can convert one to the other via openssl or other tools. The encoding within a certificate file is really independent of which extension somebody gave the file.
Convert .pem to .crt and .key
I was able to convert pem to crt using this:
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
How to get .pem file from .key and .crt files?
Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa in place of openssl x509.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
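The content check described in the answers above, as an added example that is not part of the original answers: it picks PEM or DER from the file's bytes rather than its extension, converts only when needed, and creates the combined certificate-plus-key file readable by its owner only. The function names cert_encoding, cert_to_pem and bundle_with_key are hypothetical, and the DER test is a first-byte heuristic.

```shell
#!/bin/sh
# Added example (not from the original answers); function names are hypothetical.

# Print "pem", "der" or "unknown" for the file in $1, judged by content.
cert_encoding() {
    # PEM: base64 text wrapped in an armor line such as -----BEGIN CERTIFICATE-----
    if grep -q -e '^-----BEGIN [A-Z0-9 ]*-----' "$1" 2>/dev/null; then
        echo pem
    # DER: binary ASN.1; certificates and keys open with a SEQUENCE tag (0x30).
    # Heuristic only: 0x30 is also ASCII "0", so openssl has the final word.
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write a PEM copy of the certificate $1 to $2, whatever its extension says.
cert_to_pem() {
    case "$(cert_encoding "$1")" in
        pem) cp -- "$1" "$2" ;;
        der) openssl x509 -inform DER -outform PEM -in "$1" -out "$2" ;;
        *)   echo "unrecognised encoding: $1" >&2; return 1 ;;
    esac
}

# Concatenate certificate $1 and private key $2 into $3.
# The umask applies only inside the subshell, so the new file is created
# with mode 0600; a stale copy with looser permissions is removed first.
bundle_with_key() {
    ( umask 077 && rm -f -- "$3" && cat -- "$1" "$2" > "$3" )
}
```

For example, cert_to_pem server.crt server.crt.pem followed by bundle_with_key server.crt.pem server.key server.includesprivatekey.pem reproduces the steps above with the permission handling built in.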
How to generate a self-signed SSL certificate using OpenSSL?
You can do that in one command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
You can also add -nodes (short for "no DES") if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.
The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.
Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).
Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).
How to convert a long date to short date from SSL certificates | Unix KSH
The openssl command will make the NotBeforeDate variable have the value (at least in the bash version I'm using):
notBefore=Oct 31 00:00:00 2013 GMT
So, first we need to remove the notBefore= part:
dateStr=${NotBeforeDate/notBefore=/}
Then you can use the date command:
date --date="$dateStr" --utc +"%m-%d-%Y"
The --date option tells the command to use the dateStr value, --utc tells that the date is in UTC (as specified by GMT part) and +"%m-%d-%Y" formats the date to the desired format.
The output is:
10-31-2013
PS: the options can vary according to your Linux version.
You can check all the available ones with date --help or man date.
For example, the long options --date and --utc might not be available, but the equivalent short versions might be (just an example, I'm not sure if date command has such variations between different unix versions):
date -d "$dateStr" -u +"%m-%d-%Y"
Unfortunately I don't have the exact same environment you're using (ksh in unix), but that should work.
The -d option seems to be GNU specific, so if it's not available, you'll have to manually parse the string. Assuming that dateStr has the value Oct 31 00:00:00 2013 GMT, you can run:
printf '%s\n' "$dateStr" | awk '{ printf "%02d-%02d-%04d\n", (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3, $2, $4}'
The output is:
10-31-2013
How can I convert a PFX certificate file for use with Apache on a linux server?
With OpenSSL you can convert pfx to an Apache-compatible format with the following commands:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
The first command extracts the public key to domain.cer.
The second command extracts the private key to domain.key.
Update your Apache configuration file with:
<VirtualHost 192.168.0.1:443>
...
SSLEngine on
SSLCertificateFile /path/to/domain.cer
SSLCertificateKeyFile /path/to/domain.key
...
</VirtualHost>