====== Howto - certificats SSL ======

===== Extensions / filetypes =====

==== .DER ====

The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.

==== .PEM ====

The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

==== .CRT ====

The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems

==== .CER ====

Alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.

==== .KEY ====

The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)

===== Display certificate content =====
Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate

<code bash>
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
</code>

If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the "View DER encoded certificate below".

  unable to load certificate
    12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

===== View DER encoded Certificate =====

<code bash>
openssl x509 -in certificate.der -inform der -text -noout
</code>

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the "View PEM encoded certificate above".

  unable to load certificate
	13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
	13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

===== Transform =====

==== PEM to DER ====

<code bash>
openssl x509 -in cert.crt -outform der -out cert.der
</code>

==== DER to PEM ====

<code bash>
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
</code>

===== Combination/Extraction =====

In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file.  One common example would be to combine both the private key and public key into the same certificate. The easiest way to combine certs keys and chains is to convert each to a PEM encoded certificate then simple copy the contents of each file into a new file.   This is suitable for combining files to use in applications lie Apache. Some certs will come in a combined form.  Where one file can contain any one of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.

==== Chained certificate ====

<code bash>
cat mycert.crt > chainedcert.crt
cat subauth.crt >> chainedcert.crt
cat auth.crt >> chainedcert.crt
</code>

Pour les certificats une adresse, la meilleure solution pour configurer votre certificat afin de sécuriser votre nom de domaine avec et sans www (ex : exemple.com et www.exemple.com) est de générer votre CSR avec le domaine seulement et non avec le sous domaine www. En effet, lorsque vous générez votre CSR pour le domaine seul, cela implique également l'adresse avec www.
Pour les certificats multidomaines; il faut déclarer explicitement chaque domaine ou sous domaine à couvrir. 

===== Processus de demande de certificat =====

  * générer la clef SSL (sans mot de passe) :

<code bash>
openssl genrsa -out monsite.dom-key.pem 2048
openssl req -new -key monsite.dom-key.pem -out monsite.dom-req.pem
</code>

Lors de cette étape, différentes questions vous seront posées afin de compléter la creation de la CSR et qui apparaîtront dans le certificat SSL. Les caractères suivants ne sont pas acceptés : < > ~! @ # $ % ^ * / \ ( ) ? . , &

  * **Common Name/Nom commun/CN :** secure.monsite.com
Le nom de domaine pleinement qualifié. Si vous avez l'intention d'acheter un certificat SSL pour l'URL https://www.monsite.com, votre Common Name sera www.monsite.com.	www.monsite.com

  * **Organization/Organisation :** Ma Société SARL
Le nom légal et exact de votre organisation / entreprise.
Ne pas utiliser d'abréviation sauf pour les dénominations SA, SARL, EURL etc...
  * **Organization Unit/Departement :** Marketing
Département au sein de l'entrepise qui va utiliser le certificat SSL.
  * **City/Ville : **Lorient
La ville où votre entreprise est légalement établi.
  * **State/Région :** Bretagne
La région où votre entreprise est légalement établie.
  * **Country/Pays :** FR
Le code pays à 2 lettres où votre entreprise est légalement établie	FR pour France.
**Attention :** ne pas saisir les attributs supplémentaires.
**Attention :** ne pas rentrer de mot de passe pour le challenge (appuyez simplement sur entrée)

**Exemple :**

  Country Name (2 letter code) [AU]:FR
  State or Province Name (full name) [Some-State]:Bretagne
  Locality Name (eg, city) []:Lorient
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ma Societe SARL
  Organizational Unit Name (eg, section) []:marketing
  Common Name (eg, YOUR name) []:www.monsite.com
  Email Address []:contact@monsite.com

===== Déchiffer une clef =====

<code bash>
openssl rsa <mail.mssante.cgm.net.key >mail.mssante.cgm.net_clear.key
openssl dsa <mail.mssante.cgm.net.key >mail.mssante.cgm.net_clear.key
</code>


==== key et crt => PKCS12/PFX ====
<code bash>
openssl pkcs12 -export -out out_cert.pfx -inkey private.key -in domain.crt -certfile ca-bundle.crt
</code>

==== pcks12 => pem + key pour openssl (import de certificat depuis win) ====
<code bash>
openssl pkcs12 -in infile.pfx -nocerts -nodes -out outfile.key
openssl pkcs12 -in infile.pfx -nokeys -out outfile_fullchain.pem
</code>

==== pcks7 => pem + hash pour openssl (import de root CA local pki AD) ====
<code bash>
for CERTIF in $(find -name "*.p7b"); do
  FILEBN=$(basename --suffix .p7b $CERTIF)
  openssl pkcs7 -in $FILEBN.p7b -inform DER -print_certs -out $FILEBN.pem
  echo "================================================================================="
  echo "= Converted $FILEBN.p7b to $FILEBN.pem, contend hereunder :"
  echo "================================================================================="
  openssl x509 -in $FILEBN.pem -text -noout
done

for CERTFILE in $(find \( -name "*.crt" -o -name "*.pem" \)); do
  # make sure file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
  echo $HASH
  test -n "$HASH" || continue

  # use lowest available iterator for symlink
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    test -f "${HASH}.${ITER}" && continue
    ln -s "$CERTFILE" "${HASH}.${ITER}"
    test -L "${HASH}.${ITER}" && break
  done
done

</code>