29 March 2018

Certificates Keystore SSL "Cheat Sheet"

How To Create a Java Keystore via Keytool in FMW 11g/12c (Doc ID 1230333.1)

Configuring Oracle WebLogic Server (10.3.x - 12.1.x) to use SSL in Fusion Middleware 11g/12c (Doc ID 1235653.1)

https://docs.oracle.com/cd/E11035_01/wls100/secmanage/identity_trust.html#wp1196290

https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-self-signed-certificate-and-configure-custom-identity-and-custom-trust-with-weblogic-server-using-keytool

http://kingsfleet.blogspot.cl/2008/11/using-demoidentity-and-demotrust.html
(passwords)

http://one-size-doesnt-fit-all.blogspot.cl/2009/09/weblogic-server-identity-vs-trust.html

https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html


https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

X509 File Extensions

The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulate.

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN ..." line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. CRT is the most common extension on *nix systems.
  • .CER = Alternate form of .CRT (Microsoft convention). Windows tools can export a .crt as a .cer, either DER encoded or Base64 (PEM) encoded. The .cer file extension is also registered on Windows so that Internet Explorer hands the file to a CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialog for importing and/or viewing the certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding is identical (i.e. a PEM-encoded .crt is the same thing as a PEM-encoded .cer).

-------------------------------------------------------------------------------------------

openssl x509 -in ca.cer -inform der -text -noout

openssl x509 -in ca.pem -text -noout


Conversion of DER (.crt, .cer or .der) to PEM (each input gets its own output file, otherwise the second command overwrites the first):

openssl x509 -inform der -in certificate.cer -out certificate.pem
openssl x509 -inform der -in intermediate.cer -out intermediate.pem



View a PEM-encoded certificate:

openssl x509 -noout -text -in certificate.pem
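Added example, not code from the original post or from Oracle's documentation: a small Python check that implements the advice above (identify the encoding from the bytes, not the file extension) and the DER-to-PEM conversion the openssl commands perform. The sample DER blob is a constructed minimal SEQUENCE standing in for a certificate body, and all function names are assumptions.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 } stands in for a
# certificate body (a real X.509 certificate is just a much larger SEQUENCE).
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length(data: bytes) -> int:
    """Total length of the outer DER TLV (tag + length + value); raises if malformed."""
    if len(data) < 2 or data[0] != 0x30:  # every X.509 object is an ASN.1 SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:  # short form: a single length byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length, big-endian
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Classify content as 'PEM' or 'DER' by looking at the bytes, not the extension."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM armor nor a DER SEQUENCE")

def to_der(data: bytes) -> tuple:
    """Normalize PEM or DER input to (label, der_bytes), checking the outer length."""
    if detect_encoding(data) == "PEM":
        m = PEM_RE.search(data)
        if not m:
            raise ValueError("unterminated or mismatched PEM block")
        label = m.group(1).decode()
        der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
    else:
        label, der = "DER", data
    if der_length(der) != len(der):  # catches truncated files and trailing junk
        raise ValueError("DER length field disagrees with file size")
    return label, der

def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """DER -> PEM, as 'openssl x509 -inform der -outform pem' does (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Running `to_der` on a file named `.pem` that actually holds DER bytes (or vice versa) classifies it correctly, which is exactly the mislabelling the text warns about.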

------------

openssl req -in request.csr -text -noout

shows the content of a certificate signing request (openssl req reads CSRs, not certificates, so it fails on a .cer file). To show the content of a certificate use

openssl x509 -in ca.cer -text

---

openssl x509 -in ca.pem -noout -issuer_hash

Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.