This blogpost is also posted on the PepperCrew website.
Using SSL certificates to secure website communications is more and more a standard procedure. Even internal websites are relying more and more on public or private PKI infrastructure and Certificate Authorities. And as each certificate is only valid for a limited period of time, you’ll find yourself renewing more and more certificates on a yearly basis. So let’s check out the different file extensions we are facing when working with certificates.
Certificate Signing Request (.csr)
The life cycle of a certificate starts by creating a certificate signing request (.csr) file that needs to be sent to and processed by a Certificate Authority (CA). Most CSRs are created in the Base-64 encoded PEM format, which can be viewed in a standard editor. The PEM format stores the request information between special tags.
A CSR file starts with the following tag: “—BEGIN NEW CERTIFICATE REQUEST—”
and ends with the following tag: “—END NEW CERTIFICATE REQUEST—“
A CSR file looks something like this:
-----BEGIN NEW CERTIFICATE REQUEST----- (Your Certificate Signing Request: request.csr) -----END NEW CERTIFICATE REQUEST-----
Most public Certificate Authorities and vendors provide guides for creating a certificate signing request with Microsoft’s IIS, Citrix NetScaler or Linux. Here are some links to different guides:
- DigiCert: Create a CSR (Certificate Signing Request)
- Citrix: Creating a Certificate Signing Request on the NetScaler Gateway 10.5
- Rackspace: Generate a CSR with OpenSSL
To create a Certificate Signing Request you can also use a commandline tool like openssl which is available for both Linux and Windows. Some sample openssl commands for CSRs are:
# Generate a new private key and certificate signing request: openssl req -out request.csr -new -newkey rsa:2048 -nodes -keyout private.key # Generate a certificate signing request for an existing private key openssl req -out request.csr -key private.key -new # Check a certificate signing request openssl req -in request.csr -text -noout -verify
A big thanx to Barry Schiffer for pointing out that due to the way Microsoft’s IIS handles certificate requests I made the assumption that all certificates start with the request. All certificates however do start with the creation of the private key, which needs to exist (and thus be created first) before a request is generated. Using IIS, the private key is automatically generated for you by IIS during the Certificate Signing Request. This gives you less control over your private key.
Private key (.key)
The private key for a certificate can be stored in a private key (.key) file. Most KEY files are stored in the Base64-encoded PEM format and can be viewed with a standard text editor
A KEY file starts with the following tag: “—BEGIN RSA PRIVATE KEY—”
and ends with the following tag: “—END RSA PRIVATE KEY—“
A KEY file looks something like this:
-----BEGIN RSA PRIVATE KEY----- (Your Private Key: private.key) -----END RSA PRIVATE KEY-----
Here’s a link for working with openSSL:
Some sample openssl commands are:
#Generate a new private key and Certificate Signing Request openssl req -out request.csr -new -newkey rsa:2048 -nodes -keyout private.key # Check a private key openssl rsa -in private.key -check #Remove a passphrase from a private key openssl rsa -in privatekey.pem -out newprivatekey.pem # Extract a private key from a PKCS#12 file (.pfx .p12) openssl pkcs12 -in certStore.pfx -out privatekey.pem -nodes -nocerts
Windows does not offer a mechanism to extract only the private key from a certificate, but tools like openSSL do allow the extraction of only the key from a certificate.
Base64-encoded certificate (.crt)
A single certificate can be stored in a Base64-encoded PEM format(.crt) file that can be viewed with a standard editor.
A CRT file starts with the following tag: “—BEGIN CERTIFICATE—”
and ends with the following tag: “—END CERTIFICATE—“
A CRT file looks something like this:
-----BEGIN CERTIFICATE----- (Your Primary SSL certificate: certificate.crt) -----END CERTIFICATE-----
Here’s a link for working with openSSL:
Some sample openssl commands are:
# View a PEM encoded certificate openssl x509 -in certificate.crt -text -noout
DER-encoded certificate (.der)
A single certificate can also be stored in a DER-encoded (.der) file. Unfortunate these files cannot be viewed with a standard text editor. You can however use a tool like openSSL to convert the output to a readable format and view the certificate.
Here’s a link for working with openSSL:
Some sample openssl commands are:
# View a DER encoded certificate openssl x509 -in certificate.der -inform der -text -noout # Convert a DER file to PEM openssl x509 -inform der -in certificate.der -out certificate.pem
Keep in mind that Microsoft uses the .cer file extension for both Base64-encoded certificates and DER-encoded certificates.
PEM Base64-encoded Certificate Store (.pem)
You can store multiple certificates into a Base64-encoded certificate store. Usually these files are carrying a .pem file extension. A PEM file can be viewed with a standard editor and can carry any combination of the private key, certificate, intermediate certificate and root certificate, enclosed with the corresponding tags
A PEM file starts with the following tag: “—BEGIN CERTIFICATE—”
and ends with the following tag: “—END CERTIFICATE—“
A PEM file looks something like this:
-----BEGIN RSA PRIVATE KEY----- (Your Private Key: your_domain_name.key) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- (Your Primary SSL certificate: your_domain_name.crt) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Intermediate certificate: DigiCertCA.crt) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Root certificate: TrustedRoot.crt) -----END CERTIFICATE-----
Here’s a link from DigiCert to manually create a PEM file:
Some sample openssl commands are:
# View a PEM encoded certificate openssl x509 -in certificate.crt -text -noout # Convert a PEM file to DER openssl x509 -outform der -in certificate.pem -out certificate.der # Convert a PEM certificate file and a private key to PKCS#12 openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile CAcertificate.crt
When adding multiple certificates to a PEM file, ensure you are listing the certificates in the certificate chain order. Starting with the primairy SSL certificate, followed by the linked intermediate certificate which in turn is followed by its linked root certificate, as explained by DigiCert here
Cryptographic Message Syntax Standard (PKCS#7) Certificate Store(.p7b)
The PKCS#7 format allows the storage of multiple certificates into a single file. It is generally used by public Certificate Authorities to provide certificate chains containing the intermediate and root certificates to clients without the need to share private keys. A PKCS#7 file does not store private keys.
Personal Information Exchange Format (PKCS#12) Certificate Store (.pfx or .p12)
The PKCS#12 format allows the secure storage of multiple certificates into a single file, protected with a password-based symmetric key. A PKCS#12 file includes both the certificates and the private key for the certificates and should be handled with care. The PKCS#12 format is commonly used by Certificate Authorities for a requested SSL certificate and should be stored in a safe place. Make sure the password for the file is stored in a safe place as well. A PKCS#12 should not be used to share the certificate with third parties as it does contains the private key. To share the certificate without a private key you should convert the file to a format that does not store the private key (a sample openssl command is included below).
Here’s a link for working with openSSL:
Some sample openssl commands are:
# Check a PKCS#12 file openssl pkcs12 -info -in certstore.pfx # Convert a PKCS#12 file containing a private key and certificates to PEM openssl pkcs12 -in certStore.pfx -out certStore.pem -nodes # Export only the private key from a PKCS#12 file openssl pkcs12 -in certStore.pfx -out privatekey.pem -nodes -nocerts #Export only the certificates from the PKCS#12 file openssl pkcs12 -in certStore.pfx -out certStore.pem -nodes -nokeys
Even though a PEM file can hold multiple certificates and the private key, the PKCS#12 format is the only file format that can be used to export a certificate and its private key.
The following sources have been used to create this post:
Various SSL/TLS Certificate File Types/Extensions
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
The Most Common OpenSSL Commands
Esther has been working in different roles and functions as an IT consultant ever since she finished her Masters degree in Computer Science in 1997. She has worked as a web developer, database administrator, and server administrator until she discovered how Server-Based Computing ( SBC ) combined servers, desktops, and user experience in one solution. Esther has been specializing in virtualization solutions such as SBC, VDI, application, and server virtualization for over eight years now and is currently working as a Senior Consultant at PepperByte, where she designs and implements Citrix® solutions for both small-business and large-enterprise infrastructures scaling from 100 to 15,000 users.
In january 2014 her first book Citrix XenApp 6.5 Expert Cookbook was published by Packt Publishing.
Esther is awarded as a Citrix Technology Professional (CTP) from 2015 - 2017.
Esther is awarded as a Microsoft Most Valuable Professional (MVP) in 2017.
Esther is a Citrix Certified Expert – Virtualization (CCE-V), Citrix Certified Professional – Mobility (CCP-M), Citrix Certified Professional – Networking (CCP-N) and RES Software Certified Professional (RCP).
Hi Esther.
Thanks for the blog. I like to read the SSL/TLS related stuff.
It’s good that you list these commands in one place.
Two nits:
1) PFX not a cert.
PFX is not a certificate. I’d call it a certificate archive. Like a ZIP file for certificates maybe.
Suggested edit:
Text reads:
Windows does not offer a mechanism to extract only the private key from a certificate, but tools like openSSL do allow the extraction of only the key from a certificate.
-> Text should read:
Windows does not offer a mechanism to extract only the private key from a PKCS #12 PFX file, but tools like OpenSSL do allow the extraction of only the key from a PKCS #12 PFX file.
2) Windows vs. PEM-bundles
Suggested edit:
Maybe add a warning to the section “PEM Base64-encoded Certificate Store (.pem)”.
Like so:
This is a format that is more usual on OpenSSL/Linux based systems. Windows can’t handle it. Instead Windows will only display the top most entry. And it will give you no hint whatsoever that there are more entries inside that file.
Kind regards from Kassel, Germany,
Hendrik
Hi Hendrik,
I’m glad you enjoyed the blogpost and I appreciated the extra explanation of the pfx certificate archive. I’ll edit the blogpost this weekend and take your suggestions into account.
Cheers,
Esther
Pingback: HowTo: Importing SSL Certificates on the NetScaler | virtuEs.IT
Pingback: HowTo: Create self-signed certificates with MakeCert | virtuEs.IT