SSL Certificates Explained

Note: This blogpost is also posted on my personal blog.

Using SSL/TLS certificates to secure website communications has become standard practice. Even internal websites increasingly rely on public or private PKI infrastructure and Certificate Authorities, and because each certificate is valid only for a limited period, you will find yourself renewing more and more of them every year. So let’s look at the different file extensions you run into when working with certificates.


Certificate Signing Request (.csr)

The life cycle of a certificate starts by creating a certificate signing request (.csr) file that is sent to and processed by a Certificate Authority (CA). Most CSRs are created in the Base64-encoded PEM format, which can be viewed in a standard text editor. The PEM format stores the request between special tags.

A CSR file starts with the following tag: “-----BEGIN NEW CERTIFICATE REQUEST-----”
and ends with the following tag: “-----END NEW CERTIFICATE REQUEST-----”

The word “NEW” in these tags is what Windows tools such as IIS and certreq write. OpenSSL writes “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” instead. Both labels enclose the same PKCS#10 structure, and CAs and tools accept either.

A CSR file looks something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
(Your Certificate Signing Request: request.csr)
-----END NEW CERTIFICATE REQUEST-----

Most public Certificate Authorities and vendors provide guides for creating a certificate signing request with Microsoft’s IIS, Citrix NetScaler or Linux. Here are some links to different guides:

To create a Certificate Signing Request you can also use a command-line tool like openssl, which is available for both Linux and Windows. Some sample openssl commands for CSRs are:

# Generate a new private key and certificate signing request
# (-nodes leaves the key unencrypted on disk, so restrict the file permissions of private.key)
openssl req -out request.csr -new -newkey rsa:2048 -nodes -keyout private.key

# Generate a certificate signing request for an existing private key
openssl req -out request.csr -key private.key -new

# Check a certificate signing request (-verify also checks the request’s own signature,
# which proves the CSR was created with the matching private key)
openssl req -in request.csr -text -noout -verify


Private key (.key)

The private key for a certificate can be stored in a private key (.key) file. Most KEY files are stored in the Base64-encoded PEM format and can be viewed with a standard text editor. This file is the secret the certificate is bound to: it should never leave the system it belongs to and should be readable only by the account that needs it.

A KEY file starts with the following tag: “-----BEGIN RSA PRIVATE KEY-----”
and ends with the following tag: “-----END RSA PRIVATE KEY-----”

The “RSA PRIVATE KEY” label is the traditional PKCS#1 form. Current OpenSSL versions write keys in the PKCS#8 form instead, between “-----BEGIN PRIVATE KEY-----” and “-----END PRIVATE KEY-----”, or “-----BEGIN ENCRYPTED PRIVATE KEY-----” when the key is protected by a passphrase. EC keys may also appear as “-----BEGIN EC PRIVATE KEY-----”. All of these are private keys and must be handled the same way.

A KEY file looks something like this:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: private.key)
-----END RSA PRIVATE KEY-----

Here’s a link for working with openSSL:

Some sample openssl commands are:

# Generate a new private key and Certificate Signing Request
openssl req -out request.csr -new -newkey rsa:2048 -nodes -keyout private.key

# Check a private key (validates the RSA key material; accepts PKCS#1 and PKCS#8 input)
openssl rsa -in private.key -check

# Remove a passphrase from a private key (prompts for the current passphrase and writes
# an unencrypted copy, so protect the output file)
openssl rsa -in privatekey.pem -out newprivatekey.pem

# Extract a private key from a PKCS#12 file (.pfx .p12); -nodes writes the key unencrypted
openssl pkcs12 -in certStore.pfx -out privatekey.pem -nodes -nocerts

Note: Windows does not offer a way to export only the private key from its certificate store; the key can only be exported together with its certificate as a PKCS#12 (.pfx) file. Tools like OpenSSL can then extract just the key from that file.


Base64-encoded certificate (.crt)

A single certificate can be stored in a Base64-encoded PEM format (.crt) file that can be viewed with a standard editor. The certificate is public information and can be shared freely; only the matching private key is secret.

A CRT file starts with the following tag: “-----BEGIN CERTIFICATE-----”
and ends with the following tag: “-----END CERTIFICATE-----”

A CRT file looks something like this:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: certificate.crt)
-----END CERTIFICATE-----

Here’s a link for working with openSSL:

Some sample openssl commands are:

# View a PEM encoded certificate (subject, issuer, validity period, SANs, key and signature algorithm)
openssl x509 -in certificate.crt -text -noout


DER-encoded certificate (.der)

A single certificate can also be stored in a DER-encoded (.der) file. DER is the raw binary ASN.1 encoding, so unfortunately these files cannot be viewed with a standard text editor. You can however use a tool like OpenSSL to print the certificate in a readable form or to convert it to PEM (which is simply the DER bytes in Base64 between BEGIN/END tags).

Here’s a link for working with openSSL:

Some sample openssl commands are:

# View a DER encoded certificate
openssl x509 -in certificate.der -inform der -text -noout

# Convert a DER file to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem

Note: Keep in mind that Microsoft uses the .cer file extension for both Base64-encoded and DER-encoded certificates, so the extension alone does not tell you the encoding. A quick check: a PEM file starts with the readable text “-----BEGIN”, while a DER certificate starts with the binary byte 0x30 (an ASN.1 SEQUENCE). If openssl x509 fails to read a .cer file, retry with -inform der.
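To make the .cer ambiguity concrete, here is an added Python example (not from the original post) that decides the encoding from the file contents instead of the extension and converts in either direction using only the standard library’s ssl helpers. The sample DER bytes are a constructed stand-in (one ASN.1 SEQUENCE holding an INTEGER), not a real certificate; the function names are my own.

```python
import ssl

# Constructed sample: the smallest DER blob the checks below accept, an ASN.1 SEQUENCE
# (tag 0x30) holding one INTEGER. It is not a real certificate; a real one is the same
# outer SEQUENCE with the TBSCertificate, algorithm and signature inside.
SAMPLE_DER = bytes.fromhex("30 03 02 01 01")

def der_total_length(data: bytes):
    """Return the total size the outer SEQUENCE header claims, or None if the first
    bytes cannot start a DER certificate."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    n = data[1]
    if n < 0x80:                      # short form: this octet is the content length
        return 2 + n
    k = n & 0x7F                      # long form: k following octets hold the length
    if not 1 <= k <= 4 or len(data) < 2 + k:
        return None
    return 2 + k + int.from_bytes(data[2:2 + k], "big")

def _text(data: bytes) -> bytes:
    """Drop a UTF-8 BOM and leading whitespace, which Windows editors like to add."""
    return data.lstrip(b"\xef\xbb\xbf \t\r\n")

def sniff_cert_format(data: bytes) -> str:
    """Classify the raw bytes of a .cer/.crt/.der file as 'PEM', 'DER' or 'unknown'.
    The extension is deliberately ignored: Windows uses .cer for both encodings."""
    if _text(data).startswith(b"-----BEGIN "):
        return "PEM"
    if der_total_length(data) == len(data):       # SEQUENCE whose length matches the file
        return "DER"
    return "unknown"                              # truncated, garbled, or not a certificate

def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text whatever encoding it was stored in."""
    fmt = sniff_cert_format(data)
    if fmt == "PEM":
        return _text(data).decode("ascii")
    if fmt == "DER":
        return ssl.DER_cert_to_PEM_cert(data)     # stdlib: base64 + CERTIFICATE armour
    raise ValueError("not a PEM or DER certificate (truncated file?)")

def to_der(data: bytes) -> bytes:
    """Return the certificate as raw DER whatever encoding it was stored in."""
    fmt = sniff_cert_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":                              # raises ValueError unless the block is CERTIFICATE
        return ssl.PEM_cert_to_DER_cert(_text(data).decode("ascii"))
    raise ValueError("not a PEM or DER certificate (truncated file?)")

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem, end="")                             # -----BEGIN CERTIFICATE----- / MAMCAQE= / -----END CERTIFICATE-----
    print(sniff_cert_format(pem.encode()))         # PEM
    print(to_der(pem.encode()) == SAMPLE_DER)      # True
    print(sniff_cert_format(SAMPLE_DER[:-1]))      # unknown
```

The length check matters more than it looks: a file that was cut short during a copy, or that has trailing junk appended, still starts with 0x30 but no longer matches its own header, and openssl will reject it with an unhelpful ASN.1 error. Catching that here tells you the file is damaged rather than just in the other encoding.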


PEM Base64-encoded Certificate Store (.pem)

You can store multiple certificates in a single Base64-encoded file. Usually these files carry a .pem file extension. A PEM file can be viewed with a standard editor and can carry any combination of the private key, certificate, intermediate certificate and root certificate, each enclosed in its own BEGIN/END tags.

Each certificate in a PEM file starts with the following tag: “-----BEGIN CERTIFICATE-----”
and ends with the following tag: “-----END CERTIFICATE-----”
A private key, if present, uses its own tags (for example “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----”), as in the example below. A PEM file that contains the private key is as sensitive as the key file itself.

A PEM file looks something like this:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Here’s a link from DigiCert to manually create a PEM file:

Some sample openssl commands are:

# View a PEM encoded certificate (prints only the first certificate in the file)
openssl x509 -in certificate.crt -text -noout

# Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der

# Convert a PEM certificate file and a private key to PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile CAcertificate.crt

Note: When adding multiple certificates to a PEM file, list them in certificate chain order: start with the primary SSL certificate, followed by the intermediate certificate that issued it, followed in turn by the root certificate that issued the intermediate, as explained by DigiCert here. Put differently, each certificate’s issuer must match the subject of the certificate that follows it. Including the self-signed root in a server chain is optional: clients already hold the root in their own trust store and will not trust a root just because the server sent it, so many deployments leave it out.
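As an added example (not part of the original post), the following Python script parses a PEM bundle into its blocks and checks the chain-order rule above: it walks the DER of each certificate to pull out the issuer and subject names and verifies that each certificate’s issuer equals the next certificate’s subject. It also reports whether the bundle ends with a self-signed root and flags more than one private key. The certificates it runs on are constructed stand-ins with the real TBSCertificate field layout but no key or signature, the names www.example.com, Example Intermediate CA and Example Root CA are hypothetical, and the function names are my own. Labels such as CERTIFICATE REQUEST, NEW CERTIFICATE REQUEST and the various PRIVATE KEY labels from the earlier sections are split the same way.

```python
import base64
import re

# One PEM block: label, optional header lines (e.g. "Proc-Type: 4,ENCRYPTED"), base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def split_pem(text: str):
    """Split a PEM bundle into (label, DER bytes) pairs, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = [ln.strip() for ln in m.group(2).splitlines()]
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)   # drop "Key: value" headers
        blocks.append((m.group(1), base64.b64decode(b64, validate=True)))
    return blocks

def _iter_tlv(data: bytes):
    """Yield (tag, whole_tlv, value) for each DER element laid end to end in data."""
    pos = 0
    while pos < len(data):
        if pos + 1 >= len(data):
            raise ValueError("truncated DER element")
        tag, n = data[pos], data[pos + 1]
        if n < 0x80:                                  # short-form length
            hdr, length = 2, n
        else:                                         # long form: n & 0x7F length octets follow
            k = n & 0x7F
            hdr, length = 2 + k, int.from_bytes(data[pos + 2:pos + 2 + k], "big")
        end = pos + hdr + length
        if end > len(data):
            raise ValueError("DER element runs past the end of its parent")
        yield tag, data[pos:end], data[pos + hdr:end]
        pos = end

def issuer_and_subject(cert_der: bytes):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name blobs.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    (tag, _, cert), = _iter_tlv(cert_der)             # exactly one outer element
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = list(_iter_tlv(next(_iter_tlv(cert))[2]))   # elements of tbsCertificate
    if fields[0][0] == 0xA0:                          # skip the EXPLICIT [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def check_chain_order(bundle: str):
    """Return (problems, ends_with_self_signed_root) for a PEM bundle in server-chain order."""
    blocks = split_pem(bundle)
    problems = []
    if sum(1 for label, _ in blocks if label.endswith("PRIVATE KEY")) > 1:
        problems.append("bundle contains more than one private key")
    names = [issuer_and_subject(der) for label, der in blocks if label == "CERTIFICATE"]
    if not names:
        return problems + ["bundle contains no certificate"], False
    for i in range(len(names) - 1):               # issuer of cert i must be subject of cert i+1
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} was not issued by certificate {i + 1}")
    return problems, names[-1][0] == names[-1][1]

# --- Constructed sample data: structure-only stand-ins, not real certificates ---------
def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), PrintableString }"""
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x13, cn.encode()))))

def _fake_cert(subject: str, issuer: str) -> bytes:
    """Unsigned stand-in with the real TBSCertificate field order; placeholders are empty."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Hypothetical names; the "private key" is a two-byte placeholder, not key material.
LEAF = _fake_cert("www.example.com", "Example Intermediate CA")
INTERMEDIATE = _fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = _fake_cert("Example Root CA", "Example Root CA")
GOOD_BUNDLE = (_pem("RSA PRIVATE KEY", b"\x30\x00") + _pem("CERTIFICATE", LEAF)
               + _pem("CERTIFICATE", INTERMEDIATE) + _pem("CERTIFICATE", ROOT))
BAD_BUNDLE = _pem("CERTIFICATE", INTERMEDIATE) + _pem("CERTIFICATE", LEAF) + _pem("CERTIFICATE", ROOT)

if __name__ == "__main__":
    print(check_chain_order(GOOD_BUNDLE))   # ([], True)
    print(check_chain_order(BAD_BUNDLE))    # (['certificate 0 was not issued by certificate 1', 'certificate 1 was not issued by certificate 2'], True)
```

Comparing the raw DER Name blobs byte for byte is deliberately strict: it is exactly what a TLS client does when it builds the chain, and it catches a CA that re-encoded a name (for example as UTF8String instead of PrintableString) in a cross-signed intermediate, which a string comparison of the printed subject would miss. Run it against your real bundle.pem and the output tells you whether the order in the file matches what the server will send.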


Cryptographic Message Syntax Standard (PKCS#7) Certificate Store(.p7b)

The PKCS#7 format (.p7b, sometimes .p7c) allows the storage of multiple certificates (and optionally CRLs) in a single file. It is generally used by public Certificate Authorities to deliver the issued certificate together with the intermediate and root certificates of its chain, and by Windows when exporting a certificate with its chain. A PKCS#7 file cannot contain a private key, so it is safe to share. The file is usually DER-encoded, though some CAs deliver it Base64-encoded between “-----BEGIN PKCS7-----” and “-----END PKCS7-----” tags.


Personal Information Exchange Format (PKCS#12) Certificate Store (.pfx or .p12)

The PKCS#12 format stores multiple certificates together with their private key in a single file, encrypted with a key derived from a password. Because a PKCS#12 file contains the private key it should be handled with care: keep it in a safe place, keep the password in a safe place as well (separately from the file), and choose a strong password, since anyone who obtains the file can try to brute-force it offline. Older PKCS#12 files are often protected with weak legacy algorithms (RC2-40 or 3DES with SHA-1); OpenSSL 3 defaults to AES-256-CBC with PBKDF2 when exporting. The PKCS#12 format is commonly used by Certificate Authorities to deliver a requested SSL certificate, and it is what the Windows certificate store produces when you export a certificate together with its private key. A PKCS#12 file should not be used to share the certificate with third parties, as it contains the private key. To share the certificate without the private key, convert the file to a format that does not store the key (a sample openssl command is included below).

Here’s a link for working with openSSL:

Some sample openssl commands are:

# Check a PKCS#12 file (also prints the certificates and the private key; add -nokeys -noout to show only the metadata)
openssl pkcs12 -info -in certstore.pfx

# Convert a PKCS#12 file containing a private key and certificates to PEM
openssl pkcs12 -in certStore.pfx -out certStore.pem -nodes

# Export only the private key from a PKCS#12 file
openssl pkcs12 -in certStore.pfx -out privatekey.pem -nodes -nocerts

# Export only the certificates from the PKCS#12 file (safe to share: no private key in the output)
openssl pkcs12 -in certStore.pfx -out certStore.pem -nodes -nokeys

Note: Even though a PEM file can hold multiple certificates and the private key, PKCS#12 is the only one of these formats that packages the certificate, its chain and its private key in a single password-protected container, and it is the only format the Windows certificate store will import or export together with the private key.