Question
Hi, I am a little new to all this OpenSSL and PEM stuff, so I thought I would ask you people here. I have a certificate in text (X509) format like this, for example:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"
Validity:
Not Before: Fri Dec 18 00:00:00 2009
Not After : Sun Dec 18 23:59:59 2011
Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ
ia,C=US"
............................................
............................................
How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.
Regards Hari
Answer 1:
If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).
You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of openssl x509 -text or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.
Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.
On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.
In the general case, I'd say doing this successfully is unlikely.
EDIT: Considering what you said, you seem to be using LibNSS's certutil:
Try:
certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM
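Two points from the answer above, as an added example that is not part of the original thread: PEM is only base64 over the DER bytes, and the signature covers the exact bytes of the first element inside the certificate, so a re-encoding with the same fields in a different order no longer matches. The function names are assumptions made here, and `toy_cert` builds a constructed stand-in (it omits the signatureAlgorithm field and is not a real X.509 certificate).

```python
import base64
import hashlib

def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one tag/length/value element (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content_start, end) of the DER element at `off`."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        start, n = off + 2, first
    else:
        k = first & 0x7F
        start = off + 2 + k
        n = int.from_bytes(buf[off + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + n

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def tbs_digest(cert_der: bytes) -> str:
    """SHA-256 of the raw first child of the outer SEQUENCE (the signed part)."""
    _, start, _ = read_tlv(cert_der)        # outer Certificate SEQUENCE
    _, _, end = read_tlv(cert_der, start)   # tbsCertificate, header included
    return hashlib.sha256(cert_der[start:end]).hexdigest()

def toy_cert(order: str) -> bytes:
    """Constructed stand-in, NOT a real certificate: same fields, chosen order."""
    fields = {"a": tlv(0x04, b"keyUsage"), "b": tlv(0x04, b"basicConstraints")}
    tbs = tlv(0x30, b"".join(fields[k] for k in order))
    sig = tlv(0x03, b"\x00" + b"\xaa" * 200)  # placeholder signature bits
    return tlv(0x30, tbs + sig)
```

`toy_cert("ab")` and `toy_cert("ba")` carry the same two fields and have the same length, yet `tbs_digest` differs between them, while `pem_to_der(der_to_pem(x))` always returns `x` byte for byte.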
Answer 2:
I am not sure what you are presenting in your post.
This seems to be the visualization of an existing certificate.
Are you viewing it via Windows? I.e. opening a .der or .cer file?
If this is the case, go to the Details tab, press Copy to File and save it as PEM.
If you need to save it in that format, that is.
Source: https://stackoverflow.com/questions/6144316/converting-a-ssl-cert-to-a-pem-format