The user must also be aware that OpenSSL supports several certificate formats. Certificates are based on the DSA signature algorithm and the RSA algorithm for public-key cryptography according to PKCS algorithms, as described in [7].
The certificate format depends on the application, as there is no agreement on file format standards.
Private keys are usually available in the PEM and
DER format. The related files have names of the following type:
*key-rsa.pem for pem files
*key-rsa.der for der files
For OpenSSL applications, the PEM format should suffice.
For Java applications, the DER format might be more suitable
for importing the private key and certificates.
For certificates, the available formats are PEM, DER
and PKCS12 with file names of the following type:
*cert.pem for pem files
*cert.der for der files
*cert.p12 for pkcs12 files
In general, the PEM formats are mostly used in the Unix world,
PCKS12 in the Microsoft world and DER in the Java world.
Certificate files are ASN.1-encoded objects that may be encrypted according
to DES (Data Encryption Standard). The files can optionally be
encrypted using a symmetric cipher algorithm, such as 3DES.
An unencrypted PEM file might look something like this:
-----BEGIN CERTIFICATE-----
MB4CGQDUoLoCULb9LsYm5+/WN992xxbiLQlEuIsCAQM=
-----END CERTIFICATE-----
The string beginning with MB4C... is the Base64-encoded,
ASN.1-encoded object.
An encrypted file would have headers describing the type of encryption used, and the initialization vector:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C814158661DC1449
AFAZFbnQNrGjZJ/ZemdVSoZa3HWujxZuvBHzHNoesxeyqqidFvnydA==
-----END RSA PRIVATE KEY-----
The two headers Proc-Type and DEK-Info declare
the type of encryption, and the string starting with AFAZ... is
the Base64-encoded, encrypted, ASN.1-encoded object.
As web browsers make use of Java applications, they import/export certificates
in pkcs12 file format, i.e. public and private keys
are packed in one single file using the PKCS#12 algorithm.
Other applications require the pem format with unpacked public and
private keys, thus the user must remember the appropriate file format for
each application and must perform format conversions as appropriate.
The following tables report a summary of formats used for INFN-Grid applications and two simple scripts with format conversion commands.
| INFN-Grid Certificates Format Summary | |
| Certificate Type | Certificate Format |
|---|---|
| CA Authority Certificate | DER |
| Personal Certificate from CA | PKCS12 |
| Grid Access Certificate | PEM |
| CONVERT pkcs12 to pem |
#!/bin/sh |
# |
echo "copy your cert to cert.p12 - then run this script" |
# |
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem |
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem |
| CONVERT pem to pkcs12 |
#!/bin/sh |
# |
echo "Verify that you are using the correct certificate pair (key/cert)" |
# |
openssl pkcs12 -export -out cert.p12 -inkey ./userkey.pem -in ./usercert.pem |