The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.
The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
Alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM. The only time CRT and CER can safely be interchanged is when the encoding type can be identical. (ie PEM encoded CRT = PEM encoded CER)
Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate
openssl x509 -in cert.pem -text -noout openssl x509 -in cert.cer -text -noout openssl x509 -in cert.crt -text -noout
If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate below”.
unable to load certificate 12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
openssl x509 -in certificate.der -inform der -text -noout
If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above”.
unable to load certificate 13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
openssl x509 -in cert.crt -outform der -out cert.der
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example would be to combine both the private key and public key into the same certificate. The easiest way to combine certs keys and chains is to convert each to a PEM encoded certificate then simple copy the contents of each file into a new file. This is suitable for combining files to use in applications lie Apache. Some certs will come in a combined form. Where one file can contain any one of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.
cat mycert.crt > chainedcert.crt cat subauth.crt >> chainedcert.crt cat auth.crt >> chainedcert.crt
Pour les certificats une adresse, la meilleure solution pour configurer votre certificat afin de sécuriser votre nom de domaine avec et sans www (ex : exemple.com et www.exemple.com) est de générer votre CSR avec le domaine seulement et non avec le sous domaine www. En effet, lorsque vous générez votre CSR pour le domaine seul, cela implique également l'adresse avec www. Pour les certificats multidomaines; il faut déclarer explicitement chaque domaine ou sous domaine à couvrir.
openssl genrsa -out monsite.dom-key.pem 2048 openssl req -new -key monsite.dom-key.pem -out monsite.dom-req.pem
Lors de cette étape, différentes questions vous seront posées afin de compléter la creation de la CSR et qui apparaîtront dans le certificat SSL. Les caractères suivants ne sont pas acceptés : < > ~! @ # $ % ^ * / \ ( ) ? . , &
Le nom de domaine pleinement qualifié. Si vous avez l'intention d'acheter un certificat SSL pour l'URL https://www.monsite.com, votre Common Name sera www.monsite.com. www.monsite.com
Le nom légal et exact de votre organisation / entreprise. Ne pas utiliser d'abréviation sauf pour les dénominations SA, SARL, EURL etc…
Département au sein de l'entrepise qui va utiliser le certificat SSL.
La ville où votre entreprise est légalement établi.
La région où votre entreprise est légalement établie.
Le code pays à 2 lettres où votre entreprise est légalement établie FR pour France. Attention : ne pas saisir les attributs supplémentaires. Attention : ne pas rentrer de mot de passe pour le challenge (appuyez simplement sur entrée)
Exemple :
Country Name (2 letter code) [AU]:FR State or Province Name (full name) [Some-State]:Bretagne Locality Name (eg, city) []:Lorient Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ma Societe SARL Organizational Unit Name (eg, section) []:marketing Common Name (eg, YOUR name) []:www.monsite.com Email Address []:contact@monsite.com
openssl rsa <mail.mssante.cgm.net.key >mail.mssante.cgm.net_clear.key openssl dsa <mail.mssante.cgm.net.key >mail.mssante.cgm.net_clear.key
openssl pkcs12 -export -out out_cert.pfx -inkey private.key -in domain.crt -certfile ca-bundle.crt
openssl pkcs12 -in infile.pfx -nocerts -nodes -out outfile.key openssl pkcs12 -in infile.pfx -nokeys -out outfile_fullchain.pem
for CERTIF in $(find -name "*.p7b"); do FILEBN=$(basename --suffix .p7b $CERTIF) openssl pkcs7 -in $FILEBN.p7b -inform DER -print_certs -out $FILEBN.pem echo "=================================================================================" echo "= Converted $FILEBN.p7b to $FILEBN.pem, contend hereunder :" echo "=================================================================================" openssl x509 -in $FILEBN.pem -text -noout done for CERTFILE in $(find \( -name "*.crt" -o -name "*.pem" \)); do # make sure file exists and is a valid cert test -f "$CERTFILE" || continue HASH=$(openssl x509 -noout -hash -in "$CERTFILE") echo $HASH test -n "$HASH" || continue # use lowest available iterator for symlink for ITER in 0 1 2 3 4 5 6 7 8 9; do test -f "${HASH}.${ITER}" && continue ln -s "$CERTFILE" "${HASH}.${ITER}" test -L "${HASH}.${ITER}" && break done done