openssl 指令 command line – 轉檔 pem/der/p7b/pfx/cer

實在很令人混亂的東西，有時後叫 pem，有時後叫 crt，也有 cert 等等，結論就是我把 crt / key / ca 塞入的就叫 pem。

其實 crt 與 cert 都是 certificate 的縮寫，平常我會把它檔名叫 server.crt，

而 .cer 與 .pfx 與 .p7b 都是 windows 可讀的格式，且 .cer 有分 der 編碼過後的 與 base64 編碼過後的，

der 是二進制格式 (內容是亂碼)，base64 就是 plain text (擺明就跟 crt 一樣嘛)，

.pfx 與 .p7b 當然就是二進制格式 (內容是亂碼)。

另外 .pem 也是存 plain text 格式，它是把 .crt 與 .key 包在裡面了。

不管如何，

ssl 憑證公錀 public key 就是  —–BEGIN CERTIFICATE—– 開頭 —–END CERTIFICATE—– 結尾

ssl 憑證私錀 private key 就是 —–BEGIN RSA PRIVATE KEY—– 開頭 —–END RSA PRIVATE KEY—– 結尾

轉檔

crt 轉成 cer (DER 編碼二進制格式) (也可以在 windows 下點它 > 詳細資料 > 複製到檔案)

openssl x509 -in server.crt -out server.cer -outform DER

cer (DER 編碼二進制格式) 轉成 crt

openssl x509 -in server.cer -out server2.crt -inform DER

合併 crt 與 key 為 pfx (pkcs12 或叫 p12) (IIS 用) (含公鑰和私鑰的二進制格式證書) (如果有 ca 也可放，它是中繼憑證)

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -certfile ca.crt -password pass:123456

將 pfx 解開 (內含 crt、key 及 ca)，這裡我就把它存成 pem (why ? 就同上面提到的說明)

openssl pkcs12 -in server.pfx -out server.pem -nodes -password pass:123456

將 pfx 解開 (只取 crt 及 ca)

openssl pkcs12 -in server.pfx -nokeys -out server2.crt -nodes -password pass:123456

將 pfx 解開 (只取 key)

openssl pkcs12 -in server.pfx -nocerts -out server2.key -nodes -password pass:123456

crt 轉成 p7b

openssl crl2pkcs7 -nocrl -certfile server.crt -out server.p7b -certfile ca.crt

p7b 轉成 pem

openssl pkcs7 -print_certs -in server.p7b -out server2.pem

jks (為 Java 憑證) (pfx 也可以用於 java)

先將 crt 與 key 合成 pfx
再把 pfx 轉成 jks
keytool -importkeystore -srckeystore server.pfx -destkeystore server.jks -srcstoretype PKCS12 -deststoretype jks -srcstorepass 123456 -deststorepass 123456

jks 轉 pfx

keytool -importkeystore -srckeystore server.jks -destkeystore server2.pfx -srcstoretype jks -deststoretype PKCS12  -srcstorepass 123456 -deststorepass 123456

驗證

https://www.thesslstore.com/ssltools/match-ssl-elements.php
Certificate Key Matcher
Match your CSR, SSL Certificate and Private Key Pairs

三個的值都會是相同的

openssl pkey -in server.key -pubout -outform pem | sha256sum
openssl x509 -in server.crt -pubkey -noout -outform pem | sha256sum
openssl req -in server.csr -pubkey -noout -outform pem | sha256sum

查看 crt

openssl x509 -in server.crt -text -noout

查看 cer (DER 編碼二進制格式)

openssl x509 -in server.cer -inform DER -text -noout

查看 key (private key)

openssl rsa -in server.key -text -noout

檢查憑證

openssl verify server.crt

查看 csr 內容

openssl req -in server.csr -text -noout

查看 csr 內容並檢查

openssl req -in server.csr -text -verify -noout

檢查 csr 與 private key

openssl req -in server.csr -noout -verify -key server.key

檢查 private key

openssl rsa -noout -text -check -in server.key

檢查 server.pfx

openssl pkcs12 -info -in server.pfx

檢查 server.jks

keytool -v -list -storetype jks -keystore server.jks -storepass 123456

SSL 憑證說明 .P7B (PKCS#7) .PFX/.P12 (PKCS#12) .PEM, .DER, .CRT, .CER
引用 https://knowledge.digicert.com/generalinformation/INFO4448.html

PEM Format

It is the most common format used for certificates
Most servers (Ex: Apache) expects the certificates and private key to be in a separate files
-   Usually they are Base64 encoded ASCII files
-   Extensions used for PEM certificates are .cer, .crt, .pem, .key files
-   Apache and similar server uses PEM format certificates
 
DER Format
 

The DER format is the binary form of the certificate
All types of certificates & private keys can be encoded in DER format
DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements
DER formatted certificates most often use the ‘.cer’ and '.der' extensions
DER is typically used in Java Platforms
 

P7B/PKCS#7 Format
 

The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c
A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key
The most common platforms that support P7B files are Microsoft Windows and Java Tomcat
 

PFX/P12/PKCS#12 Format 
 

The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file
These files usually have extensions such as .pfx and .p12
They are typically used on Windows machines to import and export certificates and private keys