Certificates and Encodings

At its core, an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

In practice, the term X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX (Public Key Infrastructure X.509).

X509 File Extensions

The first thing to understand is what each type of file extension actually denotes. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many people have incorrectly claimed that they are all interchangeable. While some can be interchanged in certain cases, the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates are much easier to work with.

Encodings (also used as extensions)

.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage is "I have a DER encoded certificate", not "I have a DER certificate".

.PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN ..." line.

Common Extensions

.CRT (certificate) = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common on *nix systems.

.CER (certificate) = Alternate form of .crt (Microsoft convention). You can use Windows to convert .crt to .cer (either a DER encoded .cer or a Base64 [PEM] encoded .cer). The .cer file extension is also recognized by Internet Explorer as an instruction to run a Microsoft CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialog for importing and/or viewing certificate contents.

.KEY = The KEY extension is used for both public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding is identical (i.e. a PEM encoded CRT is equivalent to a PEM encoded CER).

Common OpenSSL Certificate Manipulations

There are four basic types of certificate manipulation: view, transform, combination, and extraction.

View

Even though PEM encoded certificates are ASCII, they are not human readable. Here are some commands that will output the contents of a certificate in human readable form:

View PEM encoded certificate

Use the command that matches the extension of your certificate, replacing cert.xxx with the name of your certificate:

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the following error, it means that you are trying to view a DER encoded certificate and need to use the command in "View DER encoded certificate" below:

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error, it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command from "View PEM encoded certificate" above:

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
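As an added example (not from the original page), a small POSIX shell helper that sniffs the encoding instead of trusting the extension, so neither of the "unable to load certificate" errors above appears: PEM armor contains a "-----BEGIN" line, while a DER certificate starts with the ASN.1 SEQUENCE tag byte 0x30. The function names detect_cert_encoding and view_cert are my own, and view_cert assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original page. Picks the right -inform for
# `openssl x509` by looking at the file contents. Needs only grep, od and tr;
# openssl is used by view_cert alone.

# Print "PEM", "DER" or "UNKNOWN" for the file given as $1.
detect_cert_encoding() {
    f=$1
    # PEM armor: a "-----BEGIN ...-----" line (possibly after free text,
    # e.g. the -text output some tools prepend to the certificate).
    if grep -q -- '-----BEGIN' "$f" 2>/dev/null; then
        echo PEM
        return 0
    fi
    # DER: the outer Certificate is an ASN.1 SEQUENCE, tag byte 0x30.
    first=$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
        return 0
    fi
    echo UNKNOWN
    return 1
}

# Dump a certificate in human readable form whatever its extension says.
view_cert() {
    enc=$(detect_cert_encoding "$1") || {
        echo "not a PEM or DER certificate: $1" >&2
        return 1
    }
    case $enc in
        PEM) openssl x509 -in "$1" -inform pem -text -noout ;;
        DER) openssl x509 -in "$1" -inform der -text -noout ;;
    esac
}
```

Run it as `view_cert cert.cer`; the detection is deliberately content based, since the page explains that .cer and .crt say nothing about the encoding.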

Transform

Transforms convert a certificate from one encoding to another (i.e. PEM to DER conversion).

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

Combination

In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example is combining the private key and the public key into the same file.

The easiest way to combine certs, keys, and chains is to convert each to PEM encoding and then simply copy the contents of each file into a new file. This is suitable for combining files for use in applications like Apache.

Extraction

Some certs come in a combined form, where one file can contain any of: certificate, private key, public key, signed certificate, Certificate Authority (CA), and/or authority chain.
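Covering both the Combination and Extraction sections above, an added example (not the page's own code) of handling PEM bundles with plain awk: pem_combine concatenates PEM files into a bundle, pem_extract pulls out every block of one label, pem_count counts them, and pem_split separates a bundle into leaf cert, chain and PKCS#8 key. All function names are my own; the split assumes the first CERTIFICATE block is the leaf and that the key uses the "PRIVATE KEY" label.

```shell
#!/bin/sh
# Added example, not from the original page. Works on PEM bundles with awk
# only; function names are hypothetical. Assumes the "-----BEGIN <label>-----"
# and "-----END <label>-----" lines are exact, as openssl writes them.

# Combination: a PEM bundle is just the PEM files concatenated in order.
pem_combine() {            # usage: pem_combine out.pem cert.pem chain.pem key.pem
    out=$1; shift
    cat "$@" > "$out"
}

# Extraction: print every block whose label is exactly $1 from file $2.
pem_extract() {            # usage: pem_extract CERTIFICATE bundle.pem
    awk -v label="$1" '
        $0 == ("-----BEGIN " label "-----") { inblock = 1 }
        inblock { print }
        $0 == ("-----END " label "-----")   { inblock = 0 }
    ' "$2"
}

# Count the blocks with label $1 in file $2 (e.g. how many certs a chain has).
pem_count() {
    awk -v label="$1" -v n=0 '
        $0 == ("-----BEGIN " label "-----") { n++ }
        END { print n }
    ' "$2"
}

# Split bundle $1 into $2/key.pem, $2/cert.pem (the first certificate, taken
# as the leaf) and $2/chain.pem (every certificate after it).
pem_split() {
    pem_extract "PRIVATE KEY" "$1" > "$2/key.pem"
    pem_extract CERTIFICATE "$1" | awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { i++ }
        { print > (dir "/" (i == 1 ? "cert.pem" : "chain.pem")) }
    '
}
```

If a bundle also carries "RSA PRIVATE KEY" or "EC PRIVATE KEY" blocks (older PKCS#1 and SEC1 labels), pass that label to pem_extract instead.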