Difference between revisions of "OS4X Core - changing certificate format (PEM & DER)"

From OS4X
(New page: Some systems (mainly Windows systems) rely on the correct certificate format and/or filename extension. For these, it's important to provide certificates in the requested format. '''In OS...)
 
 
(3 intermediate revisions by the same user not shown)
Latest revision as of 05:52, 9 June 2015

Some systems (mainly Windows systems) rely on the correct certificate format and/or filename extension. For these, it's important to provide certificates in the requested format.

Formats

Certificates can be saved in different formats. The most commonly used formats are discussed here.

PEM format

In OS4X, (nearly) all certificate files are used in PEM format. This format is ASCII-based, but not human-readable. Example:

-----BEGIN CERTIFICATE-----
MIIIDjCCA/agAwIBAgIKDHqkbqj+u6Pu5zANBgkqhkiG9w0BAQUFADCBizELMAkG
A1UEBhMCREUxFjAUBgNVBAcMDUhvbHpnZXJsaW5nZW4xFTATBgNVBAoMDGMtd29y
a3MgR21iSDEVMBMGA1UECwwMQ2VydGlmaWNhdGVzMREwDwYDVQQDDAhPRlRQMiBD
....
....
XzzlP6zaRt8unDhj35nUzCdXUYsm9b1zgSJYuE5B7vu+aMB4/T9i1DhLn8RopIVg
/vJihDj34jNKGRFMAIlLirvpn7nJJ2NIE0u+cpF70IcDkZ9Wqduy7OUr+PRz5wB+
1ZOcWL2hOIxxNP5PcqIYAiwmvjDXfgzJqbPw1qoPYQRxHSo+cMLHDq+7U9cC0AMR
8/o=
-----END CERTIFICATE-----

In Windows, these files may have the following file extensions:

.cer
.pem

Depending on your system, you can import these certificates directly. You may need to change the file extension from ".pem" to ".cer".

DER format

The DER format is a binary file format which is not human-readable. Windows systems often refer to the certificate filename extension ".der".

P7B format

The P7B format is a container which may contain one or more certificates. It may be DER or PEM formatted (see above).

Converting line ending

If the Windows-based system is not able to import your certificate, you may need to change the Unix line endings ("line feed") to the Windows format ("carriage return & line feed"). You can make this conversion in several ways:

root@os4xbox:/tmp# unix2dos certificateFile.cer
unix2dos: File certificateFile.cer will be formatted to DOS format ...

Using "sed" (i.e. if "unix2dos" is not installed):

sed 's/$'"/`echo \\\r`/" certificateFile.cer > certificateFile_windows.cer

Converting file format

If the remote side needs another certificate format, you have to change it.

Convert from PEM to DER

openssl x509 -in inputCertificate.pem -out outputCertificate.der -inform PEM -outform DER

Convert from DER to PEM

 openssl x509 -in inputCertificate.der -out outputCertificate.pem -inform DER -outform PEM
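
The two conversions above combined into one script, as an added example that is not part of the original OS4X page: it detects the encoding from the file content rather than the filename extension, converts to the other encoding, and checks that the SHA-256 fingerprint is unchanged. The function names and the self-signed sample certificate (CN "constructed.example") are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not OS4X code): convert a certificate between PEM and DER and
# verify the result. Function names and the sample certificate are constructed.

# cert_format FILE: print PEM or DER based on content, not on the extension.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# cert_fingerprint FILE FORMAT: SHA-256 fingerprint, computed over the DER
# encoding, so it is identical for the PEM and DER form of one certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# convert_cert IN OUT: write OUT in the other encoding; fail and remove OUT
# if IN is not a certificate or the fingerprints differ.
convert_cert() {
    in_fmt=$(cert_format "$1") || { echo "not a certificate: $1" >&2; return 1; }
    case $in_fmt in
        PEM) out_fmt=DER ;;
        DER) out_fmt=PEM ;;
    esac
    openssl x509 -in "$1" -inform "$in_fmt" -out "$2" -outform "$out_fmt" || return 1
    if [ "$(cert_fingerprint "$1" "$in_fmt")" != "$(cert_fingerprint "$2" "$out_fmt")" ]; then
        rm -f "$2"
        echo "fingerprint mismatch: $2 removed" >&2
        return 1
    fi
    echo "$in_fmt -> $out_fmt"
}

# make_sample_cert DIR: constructed self-signed test certificate, DIR/sample.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# Usage: sh convert_cert.sh inputCertificate.pem outputCertificate.der
if [ "$#" -eq 2 ]; then
    convert_cert "$1" "$2"
fi
```

Comparing the fingerprint printed for the converted file with the one the certificate's owner publishes confirms that the remote side receives the same certificate, whatever the encoding or extension.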