
how can I check if the certificate file I have is

Published 2020-05-12 20:52

Question:

I have a rootcert file and I don't know whether it is in .pem format or not. How do I check that it is in .pem format?

Answer 1:

A .pem format certificate will most likely be ASCII-readable. It will have a line -----BEGIN CERTIFICATE-----, followed by base64-encoded data, followed by a line -----END CERTIFICATE-----. There may be other lines before or after.



Answer 2:

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

Quote from the support page:

View
====

Even though PEM encoded certificates are ASCII they are not human
readable.  Here are some commands that will let you output the
contents of a certificate in human readable form;

View PEM encoded certificate
----------------------------

Use the command that has the extension of your certificate replacing
cert.xxx with the name of your certificate

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in the “View DER encoded certificate” section below

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE


View DER encoded Certificate
----------------------------

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate” section above

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509


Answer 3:

Reference CRL,CRT,CSR,NEW CSR,PRIVATE KEY, PUBLIC KEY Parser

CRL

-----BEGIN X509 CRL-----
-----END X509 CRL-----

CRT

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

CSR

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

NEW CSR

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

PEM

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

PKCS7

-----BEGIN PKCS7-----
-----END PKCS7-----

PRIVATE KEY

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----


Answer 4:

For OpenSSL to recognize it as PEM format, it must be encoded in Base64, with the following header:

-----BEGIN CERTIFICATE-----

and footer:

-----END CERTIFICATE-----

Also, each line must be at most 79 characters long. Otherwise you will receive the error:

2675996:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:

Note: the PEM standard (RFC1421) mandates lines 64 characters long. A PEM certificate stored as a single line can be converted with the UNIX command-line utility

fold -w 64


Answer 5:

How can I check if the certificate file I have is in .pem format

cat the file and look for the pre-encapsulated header and post-encapsulated header. The pre-encapsulated header is -----BEGIN CERTIFICATE----- or -----BEGIN X509 CERTIFICATE-----; and the post-encapsulated header is -----END CERTIFICATE----- or -----END X509 CERTIFICATE-----.

Encapsulated headers are discussed in RFC 1421. There is no standard list or comprehensive list of the objects in those headers (like CERTIFICATE or X509 CERTIFICATE). Most folks use OpenSSL's pem.h header for a list of object types.
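
Added example (not part of any answer above, and not OpenSSL's own code): a Python check that combines the tests the answers describe, looking for matching BEGIN/END lines around a base64 body and otherwise testing for raw DER. It goes beyond the certificate case by reporting whichever label the block carries; the function names and sample bytes are constructed for illustration.

```python
import base64
import binascii
import re
import sys

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def looks_like_der(data: bytes) -> bool:
    """True if data is one ASN.1 SEQUENCE whose length field covers all of data."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                           # short form: length in one byte
        header, length = 2, first
    else:                                      # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify(data: bytes):
    """Return ('PEM', [labels]), ('DER', []) or ('UNKNOWN', [])."""
    labels = []
    for m in PEM_BLOCK.finditer(data):
        body = b"".join(m.group(2).split())    # drop line breaks inside the body
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue                           # header lines present, body not base64
        if looks_like_der(decoded):
            labels.append(m.group(1).decode("ascii"))
    if labels:
        return "PEM", labels
    return ("DER", []) if looks_like_der(data) else ("UNKNOWN", [])


# Constructed sample: SEQUENCE { INTEGER 1 }, a stand-in for real certificate bytes.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"text before the block is allowed\n-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__" and len(sys.argv) > 1:
    print(classify(open(sys.argv[1], "rb").read()))
```

A 'PEM' or 'DER' result only identifies the container encoding; the openssl x509 -text -noout commands quoted in Answer 2 are still what confirm the contents parse as a certificate.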