File extensions for certificates are not prescribed and only specify the encoding. Whether a file contains a certificate, a certificate signing request or a key has to be made clear through the file name.
DER / CRT
Certificates (DER to PEM):
$ openssl x509 -in server-cert.der -inform DER -out server-cert.pem -outform PEM
RSA keys (DER to PEM):
$ openssl rsa -in server-key.der -inform DER -out server-key.pem -outform PEM
PEM
Certificates (PEM to DER):
$ openssl x509 -in server-cert.pem -inform PEM -out server-cert.der -outform DER
RSA keys (PEM to DER):
$ openssl rsa -in server-key.pem -inform PEM -out server-key.der -outform DER
PKCS12
PKCS12 is a container format that can hold certificates and keys. To split it into its components:
Extract the client certificate:
$ openssl pkcs12 -clcerts -nokeys -in test-client1-ca-2019.p12 -out test-client1-ca-2019-cert.pem
Enter Import Password:
$ head -n 8 tests/conf/test-client1-ca-2019-cert.pem
Bag Attributes
    localKeyID: 55 84 55 EC 44 16 9E B8 05 AE 9B EB C7 BB 55 D5 B2 AC A6 C1
subject=C = DE, O = Testinstallation Eins CA, CN = PN: Teilnehmerservice Test RAID 60
issuer=C = DE, O = Test, CN = Test Client 1 Issuing CA
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgIMIX3zIme/leh2t+pTMA0GCSqGSIb3DQEBCwUAMD8xCzAJ
Extract the certificate chain:
$ openssl pkcs12 -cacerts -nokeys -in test-client1-ca-2019.p12 -out test-client1-ca-2019-chain.pem
Enter Import Password:
$ grep "subject" tests/conf/test-client1-ca-2019-chain.pem
subject=C = DE, O = Test, CN = Test Client 1 Issuing CA
subject=C = DE, O = Test, CN = Test Intermediate CA
subject=C = DE, O = Test, CN = Test Root CA
Extract the key. It is protected with a pass phrase, which can be removed in an additional step:
$ openssl pkcs12 -nocerts -in test-client1-ca-2019.p12 -out test-client1-ca-2019-key.peme
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ head -n 5 test-client1-ca-2019-key.peme
Bag Attributes
    localKeyID: 55 84 55 EC 44 16 9E B8 05 AE 9B EB C7 BB 55 D5 B2 AC A6 C1
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFa7SsLOW2rMCAggA
RSA
Remove the pass phrase protection from a key:
$ openssl rsa -in test-client1-ca-2019-key.peme -out test-client1-ca-2019-key.pem
Enter pass phrase for test-client1-ca-2019-key.peme:
writing RSA key
$ head -n 2 tests/conf/test-client1-ca-2019-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzchh+cIkhmx9cQHg+CcqKPo6/8OYi7wmL+japhJQ6CKtZCcO
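The PKCS12 split and the pass phrase removal from the two sections above as one script, with the two checks worth running before the extracted files go into service: that the key really matches the client certificate, and that the extracted chain verifies it. This is an added example, not from the original page; it assumes only an openssl binary (1.1.1 or 3.x) on PATH, builds its own throwaway CA and client certificate as constructed demo input, and uses -nodes so the key comes out unencrypted directly instead of via the separate openssl rsa step.

```shell
#!/bin/sh
# Added example (not from the page): split a PKCS#12 bundle into client
# certificate, CA chain and key, and check that the pieces belong together.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH.
umask 077   # the unencrypted key file must not be readable by other users

# split_p12 <bundle.p12> <import-password> <output-prefix>
# Writes <prefix>-cert.pem, <prefix>-chain.pem and <prefix>-key.pem.
# Returns 0 only if the key matches the client certificate and the
# certificate verifies against the CA certificates taken from the bundle.
split_p12() {
    p12=$1; pw=$2; out=$3
    # For real bundles prefer -passin file:... so the password stays out of ps output.
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$out-cert.pem" || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys -out "$out-chain.pem" || return 1
    # -nodes writes the key without a PEM pass phrase, replacing the separate
    # "openssl rsa" step shown above.
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$out-key.pem" || return 1
    # Identical SubjectPublicKeyInfo from both files means key and cert belong together.
    cert_pub=$(openssl x509 -in "$out-cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$out-key.pem" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # The extracted chain must actually lead up to the client certificate.
    openssl verify -CAfile "$out-chain.pem" "$out-cert.pem" >/dev/null
}

# make_demo_bundle <dir> <password>: constructed throwaway material for this
# demo only (a one-day self-signed CA plus one client certificate).
make_demo_bundle() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=DE/O=Demo/CN=Demo Root CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/C=DE/O=Demo/CN=demo-client" \
        -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 1 -out "$dir/client-cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$dir/client-cert.pem" -inkey "$dir/client-key.pem" \
        -certfile "$dir/ca-cert.pem" -passout "pass:$pw" -out "$dir/demo.p12"
}

work=$(mktemp -d)
make_demo_bundle "$work" "demo-pass"
if split_p12 "$work/demo.p12" "demo-pass" "$work/split"; then
    echo "ok: key matches certificate and chain verifies (files in $work)"
else
    echo "FAILED: bundle could not be split or its parts do not belong together" >&2
fi
```

A wrong import password or a bundle whose key does not belong to its certificate makes split_p12 return non-zero, so the script is safe to use as a gate in provisioning.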
X.509
Show certificate information:
$ openssl x509 -in server-cert.pem -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:3e:03:59:e4:c7:55:e7:28:59:42:2b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
        Validity
            Not Before: Jul 27 07:44:11 2020 GMT
            Not After : Oct 29 07:44:11 2022 GMT
        Subject: C = DE, ST = Niedersachsen, L = Hannover, O = Leibniz Universitaet Hannover, OU = Leibniz Universitaet Hannover IT Services, CN = www.luis.uni-hannover.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ce:e3:a1:c4:f1:e5:71:02:6a:3e:15:5b:2b:c3:
                    ...
                    24:23
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.22177.300.30
                Policy: 1.3.6.1.4.1.22177.300.1.1.4
                Policy: 1.3.6.1.4.1.22177.300.1.1.4.7
                Policy: 1.3.6.1.4.1.22177.300.2.1.4.7
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                AF:7E:23:0B:1B:8F:BC:95:B9:15:50:7F:23:78:9F:F0:00:6C:9B:7F
            X509v3 Authority Key Identifier:
                keyid:6B:3A:98:8B:F9:F2:53:89:DA:E0:AD:B2:32:1E:09:1F:E8:AA:3B:74
            X509v3 Subject Alternative Name:
                DNS:www.luis.uni-hannover.de, DNS:luis.uni-hannover.de, DNS:www.rrzn.uni-hannover.de, DNS:rrzn.uni-hannover.de, DNS:www.rrzn-handbuecher.de, DNS:rrzn-handbuecher.de
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl
                Full Name:
                  URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.pca.dfn.de/OCSP-Server/OCSP
                CA Issuers - URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.crt
                CA Issuers - URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.crt
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : Jul 27 07:44:14.364 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:8E:8B:B7:1B:06:72:82:92:5E:6E:8C:
                                98:18:3E:F2:28:6D:9F:84:68:95:2E:AF:BD:EB:AE:1E:
                                A1:07:28:20:C1:02:21:00:AB:88:B3:F4:3A:84:F5:45:
                                AA:23:A4:20:D4:9A:3C:13:BE:13:A7:AC:39:13:46:E5:
                                65:BA:E0:31:88:03:6C:E4
                ...
    Signature Algorithm: sha256WithRSAEncryption
         74:f5:68:24:28:a6:67:86:b6:52:b1:4d:f4:15:ca:8f:33:e7:
         ...
         24:ab:8a:ab
-----BEGIN CERTIFICATE-----