Certificate conversions

File extensions for certificates are not standardised and at most indicate the encoding. Whether a file contains a certificate, a certificate signing request or a key has to be conveyed through the file name.

DER / CRT

Certificates:

$ openssl x509 -in server-cert.der -inform DER -out server-cert.pem -outform PEM

RSA keys:

$ openssl rsa -in server-key.der -inform DER -out server-key.pem -outform PEM

PEM

Certificates:

$ openssl x509 -in server-cert.pem -inform PEM -out server-cert.der -outform DER

RSA keys:

$ openssl rsa -in server-key.pem -inform PEM -out server-key.der -outform DER
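Since the extension proves nothing about the encoding, it is safer to look at the file content before choosing -inform. The following shell helper is an added example, not part of the original page: it sniffs the PEM armour line or the leading ASN.1 SEQUENCE tag of DER and then runs the matching conversion for certificates (openssl on PATH is assumed; the function names are made up here).

```shell
#!/bin/sh
# Added example: determine the real encoding and object type of a file from its
# content, because the file extension does not tell you either.
# Prints "pem:<LABEL>" (e.g. pem:CERTIFICATE, pem:PRIVATE KEY), "der" or "unknown".
detect_format() {
    file="$1"
    # A PEM file carries a "-----BEGIN <LABEL>-----" armour line; the label names
    # the object type (CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY, ...).
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$file" | head -n 1)
    if [ -n "$label" ]; then
        printf 'pem:%s\n' "$label"
        return 0
    fi
    # DER certificates, CSRs and keys are ASN.1 SEQUENCEs, so the first byte is
    # the tag 0x30. This is a strong hint, not proof that the object is valid.
    first=$(dd if="$file" bs=1 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        printf 'der\n'
        return 0
    fi
    printf 'unknown\n'
    return 1
}

# Convert a certificate to the other encoding (PEM -> DER or DER -> PEM) after
# sniffing the input. Second argument is the output path. Keys are not handled
# here; use "openssl rsa"/"openssl pkey" for them as shown above.
convert_cert() {
    case "$(detect_format "$1" || true)" in
        pem:CERTIFICATE) openssl x509 -in "$1" -inform PEM -out "$2" -outform DER ;;
        der)             openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        *) echo "not a certificate: $1" >&2; return 1 ;;
    esac
}
```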

PKCS12

PKCS12 is a container format that can hold certificates and keys. To split it into its components:

Extract the client certificate:

$ openssl pkcs12 -clcerts -nokeys -in test-client1-ca-2019.p12 -out test-client1-ca-2019-cert.pem
Enter Import Password:
$ head -n 8 tests/conf/test-client1-ca-2019-cert.pem
Bag Attributes
    localKeyID: 55 84 55 EC 44 16 9E B8 05 AE 9B EB C7 BB 55 D5 B2 AC A6 C1
subject=C = DE, O = Testinstallation Eins CA, CN = PN: Teilnehmerservice Test RAID 60
issuer=C = DE, O = Test, CN = Test Client 1 Issuing CA
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgIMIX3zIme/leh2t+pTMA0GCSqGSIb3DQEBCwUAMD8xCzAJ

Extract the certificate chain:

$ openssl pkcs12 -cacerts -nokeys -in test-client1-ca-2019.p12 -out test-client1-ca-2019-chain.pem
Enter Import Password:
$ grep "subject" tests/conf/test-client1-ca-2019-chain.pem
subject=C = DE, O = Test, CN = Test Client 1 Issuing CA
subject=C = DE, O = Test, CN = Test Intermediate CA
subject=C = DE, O = Test, CN = Test Root CA

Extract the private key. It is written protected with a pass phrase, which can be removed in an additional step (see RSA below):

$ openssl pkcs12 -nocerts -in test-client1-ca-2019.p12 -out test-client1-ca-2019-key.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ head -n 5 test-client1-ca-2019-key.peme
Bag Attributes
    localKeyID: 55 84 55 EC 44 16 9E B8 05 AE 9B EB C7 BB 55 D5 B2 AC A6 C1
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFa7SsLOW2rMCAggA

RSA

Remove the pass phrase protection from a key:

$ openssl rsa -in test-client1-ca-2019-key.peme -out test-client1-ca-2019-key.pem
Enter pass phrase for test-client1-ca-2019-key.peme:
writing RSA key
$ head -n 2 tests/conf/test-client1-ca-2019-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzchh+cIkhmx9cQHg+CcqKPo6/8OYi7wmL+japhJQ6CKtZCcO
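The PKCS12 split and the RSA pass phrase removal above are one procedure; the following script is an added example (not from the original page) that runs those steps non-interactively, keeps the key files private and, before trusting the result, checks that the extracted key actually belongs to the client certificate. Assumed: openssl on PATH, the import password given as an argument, and a made-up function name.

```shell
#!/bin/sh
# Added example: split a PKCS#12 container into client cert, CA chain and key,
# strip the PEM pass phrase from the key, and verify that key and cert match.
# Usage: split_p12 FILE.p12 IMPORT_PASSWORD OUTDIR   (prints the output prefix)
split_p12() {
    p12="$1"; pw="$2"; out="$3"
    base="$out/$(basename "$p12" .p12)"
    mkdir -p "$out" || return 1
    # Client certificate only (-clcerts), no key.
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "pass:$pw" -out "$base-cert.pem" || return 1
    # CA chain only (-cacerts); empty when the certificate is self-signed.
    openssl pkcs12 -cacerts -nokeys -in "$p12" -passin "pass:$pw" -out "$base-chain.pem" || return 1
    # Key with a random temporary PEM pass phrase (the ".peme" file of the page).
    # The subshell limits the umask change, so key files are created mode 0600.
    tmp_pw=$(openssl rand -hex 16)
    ( umask 077; openssl pkcs12 -nocerts -in "$p12" -passin "pass:$pw" \
          -passout "pass:$tmp_pw" -out "$base-key.peme" ) || return 1
    # Then remove the pass phrase, as in the RSA step above.
    ( umask 077; openssl rsa -in "$base-key.peme" -passin "pass:$tmp_pw" \
          -out "$base-key.pem" ) || return 1
    rm -f "$base-key.peme"
    # Sanity check: the public key in the certificate must equal the key's public key.
    cert_pub=$(openssl x509 -in "$base-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$base-key.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate" >&2
        return 1
    fi
    echo "$base"
}
```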

X.509

Display certificate information:

$ openssl x509 -in server-cert.pem -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:3e:03:59:e4:c7:55:e7:28:59:42:2b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
        Validity
            Not Before: Jul 27 07:44:11 2020 GMT
            Not After : Oct 29 07:44:11 2022 GMT
        Subject: C = DE, ST = Niedersachsen, L = Hannover, O = Leibniz Universitaet Hannover, OU = Leibniz Universitaet Hannover IT Services, CN = www.luis.uni-hannover.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ce:e3:a1:c4:f1:e5:71:02:6a:3e:15:5b:2b:c3:
...
                    24:23
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.22177.300.30
                Policy: 1.3.6.1.4.1.22177.300.1.1.4
                Policy: 1.3.6.1.4.1.22177.300.1.1.4.7
                Policy: 1.3.6.1.4.1.22177.300.2.1.4.7
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Key Identifier:
            AF:7E:23:0B:1B:8F:BC:95:B9:15:50:7F:23:78:9F:F0:00:6C:9B:7F
        X509v3 Authority Key Identifier:
            keyid:6B:3A:98:8B:F9:F2:53:89:DA:E0:AD:B2:32:1E:09:1F:E8:AA:3B:74
        X509v3 Subject Alternative Name:
            DNS:www.luis.uni-hannover.de, DNS:luis.uni-hannover.de, DNS:www.rrzn.uni-hannover.de, DNS:rrzn.uni-hannover.de, DNS:www.rrzn-handbuecher.de, DNS:rrzn-handbuecher.de
        X509v3 CRL Distribution Points:
            Full Name:
                URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl
            Full Name:
                URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl
        Authority Information Access:
            OCSP - URI:http://ocsp.pca.dfn.de/OCSP-Server/OCSP
            CA Issuers - URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.crt
            CA Issuers - URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.crt
        
        CT Precertificate SCTs:
            Signed Certificate Timestamp:
                Version    : v1 (0x0)
                Log ID     : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                             11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                Timestamp  : Jul 27 07:44:14.364 2020 GMT
                Extensions : none
                Signature  : ecdsa-with-SHA256
                             30:46:02:21:00:8E:8B:B7:1B:06:72:82:92:5E:6E:8C:
                             98:18:3E:F2:28:6D:9F:84:68:95:2E:AF:BD:EB:AE:1E:
                             A1:07:28:20:C1:02:21:00:AB:88:B3:F4:3A:84:F5:45:
                             AA:23:A4:20:D4:9A:3C:13:BE:13:A7:AC:39:13:46:E5:
                             65:BA:E0:31:88:03:6C:E4
...
    Signature Algorithm: sha256WithRSAEncryption
        74:f5:68:24:28:a6:67:86:b6:52:b1:4d:f4:15:ca:8f:33:e7:
...
        24:ab:8a:ab
-----BEGIN CERTIFICATE-----
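Reading the -text dump by eye is fine once; for routine checks the fields that matter (issuer, validity, SAN, chain) are better pulled out and tested. The script below is an added example, not from the original page: it verifies the chain against a given CA bundle, warns when less than 30 days of validity remain, and confirms the host name is in the Subject Alternative Name. The function name and arguments are assumptions; openssl 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example: operational checks on a certificate instead of a manual -text read.
# Usage: check_cert CERT.pem CA-BUNDLE.pem HOSTNAME
# Returns 0 only if the chain verifies against the bundle, the certificate is
# valid for at least 30 more days, and HOSTNAME is listed in the SAN extension.
check_cert() {
    cert="$1"; bundle="$2"; host="$3"; rc=0
    # Human-readable summary (subject, issuer, serial, validity, SHA-256 fingerprint).
    openssl x509 -in "$cert" -noout -subject -issuer -serial -dates -fingerprint -sha256
    # Chain validation against the supplied trust anchors, not the system store.
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "chain: OK"
    else
        echo "chain: FAILED"; rc=1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    # (30 days here), so renewals can be scheduled before clients start failing.
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "expiry: more than 30 days left"
    else
        echo "expiry: expires within 30 days or already expired"; rc=1
    fi
    # Clients match the host name against the SAN list, not the CN.
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName \
           | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    if printf '%s\n' "$sans" | grep -qxF "$host"; then
        echo "san: $host present"
    else
        echo "san: $host missing"; rc=1
    fi
    return $rc
}
```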

CONTACT

LUIS certificate team