@SDx3
Last active April 3, 2020 13:39

Digital certificates

Some background and hands-on information

Digital certificates come in many shapes and sizes, and there are a ton of tools to help you deal with them. This page contains some tips and tricks as well as the technical background to help you understand what the heck you're doing.

Abstract Syntax Notation One (ASN.1)

ASN.1 is a way to write down "data structures". You can use it to define the protocol for complicated data you want to exchange. The notation itself is plain text, and with a little practice you can read it:

FooProtocol DEFINITIONS ::= BEGIN

    FooQuestion ::= SEQUENCE {
        trackingNumber INTEGER,
        question       IA5String
    }

    FooAnswer ::= SEQUENCE {
        questionNumber INTEGER,
        answer         BOOLEAN
    }

END

This is pretty verbose for a computer, so people designed BER and DER. DER should be familiar to anybody working with certificates. DER stands for "Distinguished Encoding Rules", and it defines a way to encode a value of the structure above (here a FooQuestion) into a neat row of bytes like this:

30 13 02 01 05 16 0e 41 6e 79 62 6f 64 79 20 74 68 65 72 65 3f

If you are a robot and you decode this, you get something like this:

30 — type tag indicating SEQUENCE
13 — length in octets of value that follows
  02 — type tag indicating INTEGER
  01 — length in octets of value that follows
    05 — value (5)
  16 — type tag indicating IA5String 
     (IA5 means the full 7-bit ISO 646 set, including variants, 
      but is generally US-ASCII)
  0e — length in octets of value that follows
    41 6e 79 62 6f 64 79 20 74 68 65 72 65 3f — value ("Anybody there?")
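The hand decoding above, as an added example that is not part of the gist: a small Python DER encoder and decoder that produces exactly those 20 bytes from the FooQuestion values and parses them back into a tree. It goes a little beyond the example by handling the long-form lengths that real certificates need and by enforcing the DER strictness rules (no indefinite length, shortest length encoding, no trailing bytes) that a lenient BER parser would let through. All function and constant names are my own.

```python
"""Minimal DER encoder/decoder for the FooQuestion example (added example, not from the gist)."""
from dataclasses import dataclass
from typing import Any, List, Tuple

# Universal tags used by the FooProtocol module above
TAG_BOOLEAN, TAG_INTEGER, TAG_IA5STRING, TAG_SEQUENCE = 0x01, 0x02, 0x16, 0x30
TAG_NAMES = {TAG_BOOLEAN: "BOOLEAN", TAG_INTEGER: "INTEGER",
             TAG_IA5STRING: "IA5String", TAG_SEQUENCE: "SEQUENCE"}

# The gist's bytes: FooQuestion { trackingNumber 5, question "Anybody there?" }
EXAMPLE = bytes.fromhex("30 13 02 01 05 16 0e 41 6e 79 62 6f 64 79 20 74 68 65 72 65 3f")


@dataclass
class Node:
    tag: int
    name: str
    value: Any  # int / bool / str / bytes for primitives, list of Node for SEQUENCE


def der_length(n: int) -> bytes:
    """Short form (one byte) below 128, else 0x80|count followed by big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(n: int) -> bytes:
    """Minimal two's-complement encoding; non-negative values only in this example."""
    if n < 0:
        raise ValueError("negative integers are not handled here")
    nbytes = n.bit_length() // 8 + 1  # the +1 keeps the top (sign) bit clear
    return der_tlv(TAG_INTEGER, n.to_bytes(nbytes, "big"))


def encode_foo_question(tracking_number: int, question: str) -> bytes:
    return der_tlv(TAG_SEQUENCE, der_integer(tracking_number)
                   + der_tlv(TAG_IA5STRING, question.encode("ascii")))


def read_length(data: bytes, pos: int) -> Tuple[int, int]:
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0:
        raise ValueError("indefinite length (0x80) is BER, never DER")
    if pos + count > len(data):
        raise ValueError("truncated length field")
    length = int.from_bytes(data[pos:pos + count], "big")
    # DER demands the shortest encoding: no leading zero byte, no long form below 128
    if data[pos] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding")
    return length, pos + count


def decode_one(data: bytes, pos: int) -> Tuple[Node, int]:
    """Decode one TLV at data[pos]; return the node and the offset just past it."""
    if pos >= len(data):
        raise ValueError("unexpected end of data")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not supported here")
    length, pos = read_length(data, pos + 1)
    end = pos + length
    if end > len(data):
        raise ValueError("value runs past the end of the buffer")
    body = data[pos:end]
    name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
    if tag & 0x20:  # constructed: the value is a run of nested TLVs
        children: List[Node] = []
        while pos < end:
            child, pos = decode_one(data, pos)
            children.append(child)
        if pos != end:
            raise ValueError("nested element overruns its container")
        return Node(tag, name, children), end
    if tag == TAG_INTEGER:
        value: Any = int.from_bytes(body, "big", signed=True)
    elif tag == TAG_BOOLEAN:
        if length != 1:
            raise ValueError("BOOLEAN must be exactly one octet")
        value = body[0] != 0
    elif tag == TAG_IA5STRING:
        value = body.decode("ascii")  # IA5 is 7-bit, so a strict ASCII decode is right
    else:
        value = bytes(body)
    return Node(tag, name, value), end


def decode_der(data: bytes) -> Node:
    """Decode a whole buffer; trailing bytes are an error, not silently ignored."""
    node, end = decode_one(data, 0)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing byte(s) after the top-level element")
    return node


def is_valid_der(data: bytes) -> bool:
    """True if the buffer is one well-formed DER element and nothing else."""
    try:
        decode_der(data)
        return True
    except ValueError:
        return False
```

Running `decode_der(EXAMPLE)` gives a SEQUENCE node whose children are INTEGER 5 and IA5String "Anybody there?", the same tree the listing above spells out by hand; `encode_foo_question(5, "Anybody there?")` reproduces the 20 bytes. The strictness checks matter in practice because two parsers that disagree on whether to accept a non-minimal length or trailing bytes can see two different certificates in the same file.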

DER is the standard encoding for digital certificates (X.509). If you ever see a file called certificate.der, now you know why it's called .der.

It's important to realize that DER files can also be made available as base64 (see below).

Base64

So when you're dealing with binary data like DER files it's pretty annoying. You can't copy paste it and if you change a letter by accident the entire certificate is broken. So base64 was designed to prevent just that:

Base64 converts any binary data to a string of ordinary letters (abcde...) that you can read. Well, not really read, but at least you can open it in Notepad without complaints and copy it around safely. Here's an example of base64 data:

U2FuZGVyIGlzIGVlbiB0b2ZmZSBwZWVyLg==

You can often recognize base64 because of the == at the end. These don't really mean anything; they're used for padding. Interestingly, base64 files are about 33% larger than the original binary.

OpenSSL can do base64 encoding and decoding for you:

openssl base64 -in normal.txt -out base64.txt

This will convert normal.txt to base64. The other way around is like this:

openssl base64 -d -in base64.txt -out normal.txt

To do this specifically for digital certificates, you need a slightly different command:

openssl x509 -outform der -in ca.crt.base64 -out ca.crt.der

This command refers to DER (now you know why!).

To convert from DER to base64 (OpenSSL calls this PEM, see below):

openssl x509 -in ca.crt.der -outform pem -out ca.crt.base64

This is what you often see online when Googling for "DER encoding". Now you know that DER encoding with or without base64 is the same thing; only the base64 layer on top is optional.

The reason OpenSSL has a different command for this is because a base64 encoded file has some extra text at the beginning and end of the file.

Background: X.509

The standard for digital certificates.

Certificate files and what they are:

Files you often see.

DER, CER, CRT, PEM: an ASN.1 file (in binary form). Not readable in Notepad and not easy to copy-paste.

Encoding it as base64 is an option and makes no difference to 90% of systems.

PEM: same story. If a certificate is base64, you can fit several of them in one file.

What few people know: ---begin cert-- comes in many variants: key, CRL, etc.

Usually it is just one type.
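The PEM/DER relationship described in the OpenSSL section above and in the file-type notes here, as an added example in plain Python (not the gist's or OpenSSL's code): PEM is DER, base64-encoded in 64-column lines between "-----BEGIN xxx-----" and "-----END xxx-----" armour, and one PEM file can carry several blocks with different labels. The payload is the gist's own 20-byte FooQuestion SEQUENCE rather than a real certificate, so the CERTIFICATE and X509 CRL labels are illustrative only; the function names are my own.

```python
"""PEM <-> DER conversion in plain Python (added example; not the gist's or OpenSSL's code)."""
import base64
import re
from typing import List, Tuple

# Constructed payload: the 20-byte SEQUENCE the gist decodes by hand (not a real certificate)
SAMPLE_DER = bytes.fromhex("30 13 02 01 05 16 0e 41 6e 79 62 6f 64 79 20 74 68 65 72 65 3f")

# One PEM block; the label is whatever sits between BEGIN/END (CERTIFICATE, X509 CRL, PRIVATE KEY, ...)
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)


def is_pem(data: bytes) -> bool:
    """Format sniff: PEM is text that starts with the armour; DER starts with a 0x30 SEQUENCE tag."""
    return data.lstrip().startswith(b"-----BEGIN ")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """The same transformation `openssl x509 -outform pem` applies: base64, 64 columns, armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> List[Tuple[str, bytes]]:
    """Return every (label, DER bytes) block in the text; a PEM file can hold a whole chain."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem):
        body = "".join(m.group("body").split())       # drop the line breaks
        der = base64.b64decode(body, validate=True)    # reject characters outside the alphabet
        blocks.append((m.group("label"), der))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def load_der(data: bytes) -> bytes:
    """Accept PEM or DER (the choice `openssl -inform` forces on you) and return the first DER blob."""
    if is_pem(data):
        return pem_to_der(data.decode("ascii"))[0][1]
    return data


def outer_tag_is_sequence(der: bytes) -> bool:
    """Certificates, CRLs and CSRs are all a DER SEQUENCE, so a sane blob starts with 0x30."""
    return len(der) > 0 and der[0] == 0x30
```

Two things worth noticing when you run it: every base64-encoded SEQUENCE starts with the letter M (0x30 is the bit pattern 001100), which is why real PEM certificates all begin with "MII", and flipping that single letter changes the first decoded byte so the result is no longer a SEQUENCE at all, which is the gist's "change one letter and the whole certificate is broken" point made concrete.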

Less often seen: PKCS7

.p7b, .p7c extension.

PKCS7 is a file format for exchanging data (a message). The format has room for a message, a digital signature, and all the certificates that were used. What you sometimes see is a PKCS7 file without a message or signature, containing only the certificates. A bit like an empty envelope.

PFX and PKCS12

Specifically meant for storing crypto things in one file. Can be anything, but usually a cert, a private key and other info. Often used to put a key + cert in a single file.

JKS

Java key store.

Tools and commands.

In most cases OpenSSL can effortlessly convert from anything to anything. PEM = base64, DER = not base64.

  • convert a certificate to/from base64
  • convert a double certificate (PEM with chain)
  • extract a certificate from PKCS12
  • extract multiple certs from PKCS12
  • generate a cert yourself
  • generate a CA yourself
  • generate a CSR

Keytool can do JKS things.
