Table des matières

Howto - certificats SSL

Extensions / filetypes

.DER

The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.

.PEM

The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

.CRT

The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems

.CER

Alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.

.KEY

The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM. The only time CRT and CER can safely be interchanged is when the encoding type can be identical. (ie PEM encoded CRT = PEM encoded CER)

Display certificate content

Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate below”.

unable to load certificate
  12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above”.

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Transform

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

Combination/Extraction

In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example would be to combine both the private key and public key into the same certificate. The easiest way to combine certs keys and chains is to convert each to a PEM encoded certificate then simple copy the contents of each file into a new file. This is suitable for combining files to use in applications lie Apache. Some certs will come in a combined form. Where one file can contain any one of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.

Chained certificate

cat mycert.crt > chainedcert.crt
cat subauth.crt >> chainedcert.crt
cat auth.crt >> chainedcert.crt

Pour les certificats une adresse, la meilleure solution pour configurer votre certificat afin de sécuriser votre nom de domaine avec et sans www (ex : exemple.com et www.exemple.com) est de générer votre CSR avec le domaine seulement et non avec le sous domaine www. En effet, lorsque vous générez votre CSR pour le domaine seul, cela implique également l'adresse avec www. Pour les certificats multidomaines; il faut déclarer explicitement chaque domaine ou sous domaine à couvrir.

Processus de demande de certificat

openssl genrsa -out monsite.dom-key.pem 2048
openssl req -new -key monsite.dom-key.pem -out monsite.dom-req.pem

Lors de cette étape, différentes questions vous seront posées afin de compléter la creation de la CSR et qui apparaîtront dans le certificat SSL. Les caractères suivants ne sont pas acceptés : < > ~! @ # $ % ^ * / \ ( ) ? . , &

Le nom de domaine pleinement qualifié. Si vous avez l'intention d'acheter un certificat SSL pour l'URL https://www.monsite.com, votre Common Name sera www.monsite.com. www.monsite.com

Le nom légal et exact de votre organisation / entreprise. Ne pas utiliser d'abréviation sauf pour les dénominations SA, SARL, EURL etc…

Département au sein de l'entrepise qui va utiliser le certificat SSL.

La ville où votre entreprise est légalement établi.

La région où votre entreprise est légalement établie.

Le code pays à 2 lettres où votre entreprise est légalement établie FR pour France. Attention : ne pas saisir les attributs supplémentaires. Attention : ne pas rentrer de mot de passe pour le challenge (appuyez simplement sur entrée)

Exemple :

Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Bretagne
Locality Name (eg, city) []:Lorient
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ma Societe SARL
Organizational Unit Name (eg, section) []:marketing
Common Name (eg, YOUR name) []:www.monsite.com
Email Address []:contact@monsite.com

Déchiffer une clef

openssl rsa <mail.mssante.cgm.net.key >mail.mssante.cgm.net_clear.key
openssl dsa <mail.mssante.cgm.net.key >mail.mssante.cgm.net_clear.key

key et crt => PKCS12/PFX

openssl pkcs12 -export -out out_cert.pfx -inkey private.key -in domain.crt -certfile ca-bundle.crt

pcks12 => pem + key pour openssl (import de certificat depuis win)

openssl pkcs12 -in infile.pfx -nocerts -nodes -out outfile.key
openssl pkcs12 -in infile.pfx -nokeys -out outfile_fullchain.pem

pcks7 => pem + hash pour openssl (import de root CA local pki AD)

for CERTIF in $(find -name "*.p7b"); do
  FILEBN=$(basename --suffix .p7b $CERTIF)
  openssl pkcs7 -in $FILEBN.p7b -inform DER -print_certs -out $FILEBN.pem
  echo "================================================================================="
  echo "= Converted $FILEBN.p7b to $FILEBN.pem, contend hereunder :"
  echo "================================================================================="
  openssl x509 -in $FILEBN.pem -text -noout
done
 
for CERTFILE in $(find \( -name "*.crt" -o -name "*.pem" \)); do
  # make sure file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
  echo $HASH
  test -n "$HASH" || continue
 
  # use lowest available iterator for symlink
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    test -f "${HASH}.${ITER}" && continue
    ln -s "$CERTFILE" "${HASH}.${ITER}"
    test -L "${HASH}.${ITER}" && break
  done
done