OS4X Core - list of supported certificate formats

From OS4X

Background

For handling X509v3 certificates and keys, several formats exist. In general, file suffixes (such as ".cer", ".der", ".pem" or others) are only a hint of which format the file contains; they do not necessarily match what is really stored in the file. So, when dealing with several file formats, you will have to determine which certificate format is actually contained in the file.
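Because the suffix is only a hint, it pays to look at the file contents before choosing an openssl command or an import path. The following script is an added example and is not part of the OS4X wiki or product: it classifies a file by its PEM header line, falling back to the ASN.1 SEQUENCE tag (byte 0x30) that DER encoded certificates and archives begin with, and it also tells an unprotected RSA/PKCS#8 key from a password protected one, which matters for the key import described further down. The header strings and the 0x30 heuristic are standard; the file names in the demo are constructed and deliberately mislabelled.

```sh
#!/bin/sh
# Added example, not part of the OS4X wiki or product: classify a certificate
# or key file by content instead of trusting its suffix. PEM objects are
# recognised by their "-----BEGIN ...-----" header; anything else is checked
# for the ASN.1 SEQUENCE tag (0x30) that every DER encoded certificate,
# PKCS#7, PKCS#8 or PKCS#12 blob starts with. Needs only POSIX sh, grep and od.

detect_cert_format() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 1; }

    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "PEM certificate"
    elif grep -q -- '-----BEGIN PKCS7-----' "$f"; then
        echo "PEM PKCS#7 archive"
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "PEM PKCS#8 private key (password protected)"
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo "PEM PKCS#8 private key (unprotected)"
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        # Legacy openSSL RSA key: encryption is flagged by a Proc-Type header
        # line between the BEGIN line and the BASE64 body.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "PEM RSA private key (password protected)"
        else
            echo "PEM RSA private key (unprotected)"
        fi
    else
        first_byte=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
        if [ "$first_byte" = "30" ]; then
            # DER: the object type is not visible without an ASN.1 parser;
            # "openssl x509 -inform DER" or "openssl pkcs7 -inform DER" tells.
            echo "DER encoded ASN.1 object"
        else
            echo "unknown"
        fi
    fi
}

# Demo on constructed sample files (placeholder bodies, not real keys or
# certificates); the suffixes are deliberately misleading.
demo_detect() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n' > "$dir/server.der"
    printf '\060\202\001\012' > "$dir/partner.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n' > "$dir/server.key"
    printf 'not a certificate at all\n' > "$dir/readme.cer"
    for f in "$dir"/*; do
        printf '%-12s -> %s\n' "$(basename "$f")" "$(detect_cert_format "$f")"
    done
    rm -rf "$dir"
}

demo_detect
```

Run the script as-is to see the demo, or source it and call detect_cert_format on your own files. A result of "DER encoded ASN.1 object" only says the file is binary ASN.1; the openssl commands in the sections below (with -inform DER) decide whether it is a single certificate or a PKCS#7 archive.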

This is the list of certificate formats that OS4X can deal with:

X509v3 PEM encoded certificate

Suffixes known

  • .cer
  • .cert
  • .pem

Description

This format is a textual (ASCII) representation of the certificate, BASE64 encoded, so the content is readable in a text editor. The file has a header and a footer line:

-----BEGIN CERTIFICATE-----
(some BASE64 encoded content)
-----END CERTIFICATE-----

Support in OS4X

This file format is the main format used in OS4X, used in several places:

  • TLS server and client certificates (PEM format is expected; every certificate generated automatically on the fly is created in this format)
  • trusted certificates (automatic conversion into this format is implemented for DER and PKCS#7)
  • partner certificates (used for en-/decryption and signature [verification] processes; automatic conversion into this format is implemented for DER and PKCS#7)

openSSL example

Display a certificate in human-readable form:

openssl x509 -in test.cer -noout -text

X509v3 DER encoded certificate

Suffixes known

  • .cer
  • .der

Description

This binary format for X509v3 certificates is an ASN.1 encoded binary file which cannot be read in a text editor. It is used, for example, for automatic OFTP2 certificate exchange. We have an article available about converting from and to DER formatted certificates: OS4X Core - changing certificate format (PEM & DER).

Support in OS4X

  • trusted certificates (automatic conversion into PEM format is implemented)
  • partner certificates (used for en-/decryption and signature [verification] processes; automatic conversion into PEM format is implemented)

openSSL example

Display a certificate in human-readable form:

openssl x509 -in test.cer -inform DER -noout -text

PKCS#7 PEM formatted certificate archive

Suffixes known

  • .pkcs7
  • .pfx
  • .p7b

Description

This format is a textual (ASCII) representation of a certificate archive, BASE64 encoded, so the content is readable in a text editor. The file has a header and a footer line:

-----BEGIN PKCS7-----
(some BASE64 encoded content)
-----END PKCS7-----

Support in OS4X

PKCS#7 certificate archives can be imported into the trusted certificates store. Each certificate contained in the archive is extracted as a separate PEM formatted certificate.

openSSL example

Create a PKCS#7 PEM encoded archive from the certificate files "testcert1.cer", "testcert2.cer" and "testcert3.cer":

openssl crl2pkcs7 -nocrl -certfile testcert1.cer -certfile testcert2.cer -certfile testcert3.cer -out outfile.p7b

Display the content of the archive as a list of PEM encoded certificates:

openssl pkcs7 -in inputfile.p7b -print_certs

PKCS#7 DER formatted certificate archive

Description

This binary format for PKCS#7 certificate archives is an ASN.1 encoded binary file which cannot be read in a text editor.

Support in OS4X

PKCS#7 certificate archives in DER format can be imported into the trusted certificates store. Each certificate contained in the archive is extracted as a separate PEM formatted certificate.

openSSL example

Create a PKCS#7 DER encoded archive from the certificate files "testcert1.cer", "testcert2.cer" and "testcert3.cer":

openssl crl2pkcs7 -nocrl -certfile testcert1.cer -certfile testcert2.cer -certfile testcert3.cer -out outfile.p7b -outform DER

Display the content of the archive as a list of PEM encoded certificates:

openssl pkcs7 -in inputfile.p7b -print_certs -inform DER
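Both the PEM and the DER variant of "openssl pkcs7 ... -print_certs" write one long PEM list, with a subject= and issuer= line before each certificate. The trusted certificate import described in the two sections above stores each certificate separately, and when you prepare files by hand you usually want the same split. The script below is an added example, not part of the OS4X wiki or product: it cuts such a list into one PEM file per certificate, dropping the subject/issuer lines. The sample list it writes is constructed with placeholder bodies and contains no real certificates.

```sh
#!/bin/sh
# Added example, not part of the OS4X wiki or product: split the PEM list that
# "openssl pkcs7 -print_certs" writes into one file per certificate, which is
# what the trusted certificate import does with an archive. The subject=/issuer=
# lines that -print_certs emits before each certificate are dropped, so each
# output file holds exactly one BEGIN/END block. Needs only POSIX sh and awk.

# split_pem_bundle INPUT OUTDIR -> prints the number of certificates written
split_pem_bundle() {
    in="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$in"
}

# Constructed sample mimicking -print_certs output (placeholder BASE64
# bodies, not real certificates).
write_sample_list() {
    cat > "$1" <<'EOF'
subject=CN=testcert1
issuer=CN=Example CA

-----BEGIN CERTIFICATE-----
MIIB...placeholder1...
-----END CERTIFICATE-----

subject=CN=testcert2
issuer=CN=Example CA

-----BEGIN CERTIFICATE-----
MIIB...placeholder2...
-----END CERTIFICATE-----

EOF
}

demo_split() {
    dir=$(mktemp -d)
    write_sample_list "$dir/list.pem"
    count=$(split_pem_bundle "$dir/list.pem" "$dir/out")
    echo "wrote $count certificate file(s):"
    ls "$dir/out"
    rm -rf "$dir"
}

demo_split
```

In practice you would pipe the openssl output into a file first (openssl pkcs7 -in inputfile.p7b -print_certs > list.pem) and then run split_pem_bundle list.pem outdir; each resulting cert-N.pem can be checked with the "openssl x509 -noout -text" command from the PEM section before it is imported.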

PKCS#12 certificate archive

Suffixes known

  • .pfx
  • .p12
  • .pkcs12

Description

The file format PKCS#12 (also known as "PFX") is an archive format for transporting a certificate together with its private key. You can handle this file format manually in order to import certificate and private key information into OS4X. PFX files can be password protected; when a command prompts for the password, provide it. The following article explains the handling of this file format: OS4X Core - handle PFX/PKCS#12 file

Support in OS4X

Currently, PKCS#12 certificate archives must be extracted and handled manually. If you need support for this task, do not hesitate to contact your software support.

openSSL RSA private key file

Suffixes known

  • .key
  • .rsa
  • .pem

Description

Since there is no established standard for RSA private key transport besides PKCS#12, each security library implementation has its own format for RSA keys. The very popular openSSL implementation can save the RSA key in a PEM encoded format:

-----BEGIN RSA PRIVATE KEY-----
(some BASE64 encoded content)
-----END RSA PRIVATE KEY-----

With openSSL, the RSA private key can be stored in the same file as the PEM formatted X509v3 certificate. The RSA key can optionally be password protected. We have an article which helps you to deal with RSA private keys and certificates: OS4X Core - Extract private certificate & key from password protected certificate

Support in OS4X

OS4X supports the import of RSA private keys without password protection in the certificate request panel ("CSR"), where the certificate and key can be used to handle certificates in the application with little effort.

Odette encrypted RSA private key file (PKCS#8 format private key file)

Suffixes known

  • .epk

Description

Odette provides an easy to use tool for certificate ordering (i.e. creating a Certificate Signing Request, CSR). The basis is your private key, which must reside on your side and must never leave your installation. The private key file created by the tool is in PKCS#8 format and is protected by a password.

openSSL example

To convert the private key into a form OS4X can use, run the following command with a recent openSSL installation that supports this format:

openssl pkcs8 -in my.company.com.epk -inform DER -outform PEM -out my_rsa.key

You will be prompted for your password. After successful input, the file "my_rsa.key" is created.