jacky9813/certificate.rst

## certificate.rst

      
    Raw
  

              certificate.rst
            
          
    Certificates


Related Documents


RFC 5280 (X.509): https://datatracker.ietf.org/doc/html/rfc5280
The de facto standard for certificate format.


RFC 2315 (PKCS#7): https://datatracker.ietf.org/doc/html/rfc2315
Contains multiple certificates like an archive file but just
for certificates.


RFC 7292 (PKCS#12): https://datatracker.ietf.org/doc/html/rfc7292
Contains multiple certificates and (quite often) the private key for the
certificate.


RFC 7468 (PEM encoding): https://datatracker.ietf.org/doc/html/rfc7468
Encode supported X.690 (DER) encoded file(s) into printable, BASE-64 encoded file(s)


OpenSSL 1.1.1 Man Pages: https://www.openssl.org/docs/man1.1.1/man1/


Format Convertion Cheat Sheet

[-out file]: An optional parameter for the command.
{-clcerts|-chain}: Choose one parameter for the command.


Input \ Output
X.509 PEM
X.509 DER
PKCS#7 PEM
PKCS#7 DER
PKCS#12


X.509 PEM
--
openssl x509 -in cert.x509.pem -outform DER [-out cert.x509.der]
openssl crl2pkcs7 -certfile certs.x509.pem -nocrl [-out certs.p7.pem]
Convert to PKCS#7 PEM first.
openssl pkcs12 -export -in chain.x509.pem [-inkey key.p8.pem] [-out bundle.pfx]

X.509 DER
openssl x509 -in cert.x509.der -inform DER [-out cert.x509.pem]
--
Convert to X.509 PEM first.
Convert to X.509 PEM first.
Convert to X.509 PEM first.

PKCS#7 PEM
openssl pkcs7 -in cert.p7.pem -print_certs [-out certs.x509.pem]
Convert to X.509 PEM first.
--
openssl pkcs7 -in certs.p7.pem -outform DER [-out certs.p7.der]
Convert to X.509 PEM first.

PKCS#7 DER
openssl pkcs7 -in cert.p7.der -inform DER -print_certs [-out certs.x509.pem]
Convert to X.509 PEM first.
openssl pkcs7 -in cert.p7.der -inform DER [-out cert.p7.pem]
--
Convert to X.509 PEM first.

PKCS#12
openssl pkcs12 -in bundle.pfx -nokeys {-clcerts|-chain} [-out cert.x509.pem]
Convert to X.509 PEM first.
Convert to X.509 PEM first.
Convert to X.509 PEM first.
--


Note
While other format supports multiple certificates in one file, X.509 DER supports only one certificate.
Input \ Output	X.509 PEM	X.509 DER	PKCS#7 PEM	PKCS#7 DER	PKCS#12
X.509 PEM	--	openssl x509 -in cert.x509.pem -outform DER [-out cert.x509.der]	openssl crl2pkcs7 -certfile certs.x509.pem -nocrl [-out certs.p7.pem]	Convert to PKCS#7 PEM first.	openssl pkcs12 -export -in chain.x509.pem [-inkey key.p8.pem] [-out bundle.pfx]
X.509 DER	openssl x509 -in cert.x509.der -inform DER [-out cert.x509.pem]	--	Convert to X.509 PEM first.	Convert to X.509 PEM first.	Convert to X.509 PEM first.
PKCS#7 PEM	openssl pkcs7 -in cert.p7.pem -print_certs [-out certs.x509.pem]	Convert to X.509 PEM first.	--	openssl pkcs7 -in certs.p7.pem -outform DER [-out certs.p7.der]	Convert to X.509 PEM first.
PKCS#7 DER	openssl pkcs7 -in cert.p7.der -inform DER -print_certs [-out certs.x509.pem]	Convert to X.509 PEM first.	openssl pkcs7 -in cert.p7.der -inform DER [-out cert.p7.pem]	--	Convert to X.509 PEM first.
PKCS#12	openssl pkcs12 -in bundle.pfx -nokeys {-clcerts\|-chain} [-out cert.x509.pem]	Convert to X.509 PEM first.	Convert to X.509 PEM first.	Convert to X.509 PEM first.	--