How to Change Certificate Formats

Article:TECH179207  |  Created: 2012-01-18  |  Updated: 2012-09-27  |  Article URL http://www.symantec.com/docs/TECH179207
Article Type
Technical Solution


Subject

Issue



At times because of compatibility issues, you may need to change the certificate file format.


Solution



             To change the certificate formats, use openssl :

  • To change binary-only PKCS7 (.p7 .p7a .p7b .p7c) files to readable text content in the output file:
                 openssl pkcs7 -inform DER -in filename.p7b -text -print_certs -out outfilename.pem
 
                Example:
 
                 openssl pkcs7 -inform DER -in IECert.p7b -text -print_certs -out IECert.pem
 
  • To change binary-only PKCS7 files to only binary content in the output file leave out the “-text” element:
          openssl pkcs7 -inform DER -in filename.p7b -text -print_certs -out outfilename.pem
 
Example:
 
                openssl pkcs7 -inform DER -in IECert.p7b -text -print_certs -out IECert.pem
Some applications do not accept X509 v3 (version 3) certificates when accompanied by a text description within the certificate file. You can overcome this for most applications, by editing the certificate to trim the text sections, but take care to leave intact the lines beginning and terminating the binary certificate data.
 
  • To change PEM to PKCS#12 (to install in a Web browser or for storage):
    • If your PEM-format certificate and key are both in one file, use:
            openssl pkcs12 -export -in pem-cert-and-key-file -out pkcs12-cert-and-key-file
 
    • If they are in separate files, use :
openssl pkcs12 -export -in pem-cert-file -inkey pem-key-file -out pkcs12-cert-and-key-file
The above two commands put the certificate and keyfile into one file. If you intend to store your private key and certificate together in this fashion you should apply a pass phrase to the resultant file.
 
  •          To change PKCS#12 to PEM:
                         openssl pkcs12 -in pkcs-12-cert-and-key-file -out pem-cert-and-key-file
 
 
  • To change ASN.1 PEM files to DER PEM :
                 If the PEM file contains DSA keys, use:    
    • If it contains RSA Keys, use:
    •  openssl rsa -inform PEM -outform DER -in pem-file -out der-file 
  • To change DER (.cer in most implementations) to PEM:
    • If the DER file contains DSA keys, use :
                    openssl dsa -inform DER -outform PEM -in der-file -out pem-file
    • If it contains RSA Keys, use:
                    openssl rsa -inform DER -outform PEM -in der-file -out pem-file
 
Note : Do not Edit Certificates and Key Files
 
You must never edit the contents of a certificate or keyfile. If you change anything within a certificate, any SSL software examining the certificate to authenticate your identity will detect it has been tampered with and declare it invalid. A keyfile, and in certain circumstances a certificate file, will always be protected by its own security pass phrase. This pass phrase prevents certificate and key file management tools from making unauthorized access to the file content. You can rename and copy a file containing a certificate, and it is good practice to use the filename extension appropriate to the format, to avoid confusion. You can also split a file that contains multiple PEM format certificates but you must take care to not change or break up the data content between the start and end of any of the certificates.



Article URL http://www.symantec.com/docs/TECH179207


Terms of use for this information are found in Legal Notices