将SSL证书转换为.pem格式 [英] Converting a SSL Cert to a .pem format

问题描述

我对所有这些openSSL和PEM stuf还是陌生的，所以我想在这里问大家.例如，我有一个文本(X509)格式的证书

Hi I am a little new to all this openSSL and PEM stuf, so I thought I would ask you people here. I have a certificate in text(X509) format like this for example

Certificate:

Data:

    Version: 3 (0x2)

    Serial Number:

        1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

    Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"

    Validity:

        Not Before: Fri Dec 18 00:00:00 2009

        Not After : Sun Dec 18 23:59:59 2011

    Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ

        ia,C=US"
    ............................................
    ............................................

如何将其转换为.pem文件以供openssl理解，以便我可以验证证书?任何想法/帮助/建议将不胜感激.谢谢大家.

How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.

问候 哈里

推荐答案

如果您所拥有的只是文本形式的证书(希望能提供公钥模数，指数和签名的详细信息)，那么您将拥有重建ASN.1结构及其DER格式(PEM表示是DER形式的base-64编码).

If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).

您还必须重建证书中扩展的确切列表.我知道的大多数文本格式(例如，openssl x509 -text的输出或浏览器的显示工具)都会根据描述这些扩展名的规范将这些扩展名的OID和值转换为更易于理解的格式，这些工具的开发者.

You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of openssl x509 -text or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.

以相反的顺序或多或少地系统地执行它意味着要阅读大量描述潜在扩展的规范，并弄清这些工具所产生的人类可读文本所代表的含义. PKIX RFC 是这些规范之一，阅读起来并不容易，尤其是如果您刚开始涉足这一领域.

Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.

最重要的是，您可能无法以与实际证书中完全相同的顺序形成ASN.1结构.如果您想能够验证证书的签名，则需要能够重构确切的二进制结构.

On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.

在一般情况下，我想成功做到这一点不太可能.

In the general case, I'd say doing this successfully is unlikely.

编辑:考虑到您所说的内容，您似乎正在使用LibNSS的certutil:

EDIT: Considering what you said, you seem to be using LibNSS's certutil:

尝试:

certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM

这篇关于将SSL证书转换为.pem格式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！