Certificate Management with OpenSSL - General Stuff



Certificate And Key Formats

PEM

Can contain all of private keys (RSA and DSA), public keys (RSA and DSA) and (X509) certificates. It is the default format for OpenSSL. It stores data as Base64-encoded DER, surrounded by ASCII headers, so it is suitable for text-mode transfers between systems.

DER

Can contain all of private keys, public keys and certificates. It is stored according to the ASN.1 DER format. It is headerless: PEM is DER wrapped in text headers. It is the default format for most browsers.

PKCS#12

Also known as PFX files. Can contain all of private keys, public keys and certificates. It stores data in a binary format.
See here for more information on the format, and its support in OpenSSL.


Converting Certificate Formats

Converting certificate formats is usually very straightforward with the OpenSSL tools. Check out the OpenSSL documentation for the specifics, but here is a whistle-stop guide.

To PKCS#12 (Netscape, IE etc) from PEM

openssl pkcs12 -export -in pem-certificate-and-key-file -out pkcs-12-certificate-and-key-file
openssl pkcs12 -export -in pem-certificate-file -inkey pem-key-file -out pkcs-12-certificate-and-key-file
openssl pkcs12 -export -in pem-certificate-file -nokeys -nodes -out pkcs-12-certificate-file

From PKCS#12 to PEM

openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file
openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file

From PEM/DER to DER/PEM - DSA Keys

openssl dsa -inform PEM|DER -outform DER|PEM -in pem-file|der-file -out der-file|pem-file

From PEM/DER to DER/PEM - RSA Keys

openssl rsa -inform PEM|DER -outform DER|PEM -in pem-file|der-file -out der-file|pem-file


Multiple Certificates In One File

In almost all cases, OpenSSL will assume that there's only one certificate in a given file. As such, it will generally only use the first certificate that it finds, and will ignore all others.

Normally, you will only have one certificate in a file, so that'll be OK. However, you may occasionally come across files with several certificates in them. Unless you're going to be using this file as a CA bundle (where you list all the CA certificates you trust in one single file), you'll probably need to split your file into one per certificate.

First up, you'll want to check how many certificates a file holds. The simplest way to do that is with:

cat ca-certificate-file | grep -E 'BEGIN.* CERTIFICATE' | wc -l

If you get a number that's greater than 1, then you have multiple certificates in the file. Your best bet is to split the file after each "-----END ... CERTIFICATE-----" line (you may or may not have anything for "...").

One way to split it is using this perl program, which will handle finding the file ends for you, and prompt you for files to save certificates into.

Note that the format of an X509 PEM certificate is:

(Header Info)
-----BEGIN (TRUSTED|X509) CERTIFICATE-----
(Certificate Data)
-----END (TRUSTED|X509) CERTIFICATE-----

Using OpenSSL to get a CA Certificate

This will use the s_client function of OpenSSL.

You will need to connect to an SSL service on a server which has a certificate signed by the required CA.

Run the following:
openssl s_client -showcerts -connect <myserver>:<ssl_port>
The server certificate is the first certificate returned, and will be PEM formatted. The CA certificate is the final certificate returned, and is also PEM formatted.
Send ^D to exit the session with the server.

Using OpenSSL to get a Server Certificate

This will use the s_client function of OpenSSL.

You will obviously need to connect to an SSL service on the server to get its certificate.

Run the following:
openssl s_client -showcerts -connect <myserver>:<ssl_port>
The server certificate is the first certificate returned, and will be PEM formatted.
Send ^D to exit the session with the server.

Note that the s_client function doesn't check the default OpenSSL CA certificate store, so you would see verification errors with the above. You can get around this by passing it the argument -CApath <ssl-base-dir>certs/ (see here for a guide to <ssl-base-dir>).
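
The splitting described under "Multiple Certificates In One File" also applies to saved s_client -showcerts output, where the PEM blocks sit between lines of text. The following is an added example, not the perl program the guide refers to and not the author's code: the function names, the output file naming and the sample text (constructed, not real certificates) are assumptions of this example.

```shell
#!/bin/sh
# Split PEM certificates out of mixed text, one file per certificate.
# Usage: split_pem_certs INPUT OUTDIR [PREFIX]   (prints the number written)
# Text outside BEGIN/END lines is dropped; a block with no END line
# (truncated paste or download) is discarded instead of being written.
split_pem_certs() {
    input=$1 outdir=$2 prefix=${3:-cert}
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pfx="$prefix" '
        # Plain, TRUSTED and X509 variants, with exactly five dashes.
        /^-----BEGIN (TRUSTED |X509 )?CERTIFICATE-----[ \t\r]*$/ {
            buf = ""; inside = 1           # restart on every BEGIN line
        }
        inside { sub(/\r$/, ""); buf = buf $0 "\n" }   # strip CR from DOS files
        inside && /^-----END (TRUSTED |X509 )?CERTIFICATE-----[ \t]*$/ {
            n++
            out = sprintf("%s/%s-%d.pem", dir, pfx, n)
            printf("%s", buf) > out        # only complete blocks reach disk
            close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$input"
}

# Constructed sample shaped like s_client -showcerts output: two complete
# blocks (one TRUSTED) and a third that is cut off before its END line.
sample_showcerts_output() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=server.example (constructed)
   i:/CN=Example Intermediate (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTE=
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate (constructed)
-----BEGIN TRUSTED CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTI=
-----END TRUSTED CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVU
EOF
}
```

To capture real input for it without an interactive session, redirect standard input so s_client sees end-of-file straight away: openssl s_client -showcerts -connect <myserver>:<ssl_port> </dev/null > chain.txt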


For those of you using KDE, Konqueror also gives you an easy way to get at the server certificates. Go to "Settings->Configure Konqueror->Crypto", then select the cert, and then save.


Alternatives to running your own CA

If you don't wish to run your own Certificate Authority, but do wish to have certificates, there are several options. You could, of course, go to a commercial CA, and pay for email and server certificates as you need them.

Assuming you don't wish to pay for the certificates, you have two choices. Both are based on the Web Of Trust model - to be issued with certificates, you will have to get existing people in the web to certify your identity. Only once known to the web (by being notarised), will you get a certificate.

Choice number one for this is the Thawte Web Of Trust. Once in the web, you will be able to get a personal certificate suitable for use with email. The Thawte CA certificate is installed by default in most SSL and TLS enabled devices.

Choice number two is CA Cert. It is possible to get both personal certificates and server certificates, using similar notarisation methods to Thawte. Also, CA Cert is run by a not-for-profit group (Thawte is owned by Verisign), who are keen to help. The disadvantage is that their CA certificate is installed in a much smaller range of software by default. (Their certificate may be easily installed, as other parts of this guide show).


Written By: Nick Burch    Last modified: Friday, 02-Nov-2007 17:13:47 GMT
These pages are from http://www.gagravarr.org/writing/openssl-certs/
Creative Commons License This work is licensed under a Creative Commons License.