RE: Convert .pem to .crt and .key files

2013-12-16 Thread Dave Thompson
Two nits:

> From: owner-openssl-users On Behalf Of Viktor Dukhovni
> Sent: Monday, December 16, 2013 10:37

> On Mon, Dec 16, 2013 at 04:03:30PM +0100, lists wrote:
> 
> > >I have a .pem file. Is there a way to get it converted into .crt
> > >and .key files using openssl tool.
> >
> > ".pem" doesn't say much.
> > If it is a file containing both the key and the certificate and it
> > is in PEM format (as the name suggests), it is a sort of text.
> > You can simply edit it and split it in two files, one containing the part
> 
> Using a text editor is not the best approach.  To extract the key
> in PKCS8 form:
> 
> $ (umask 077; openssl pkey -in mumble.pem -out mumble-key.pem)
> 
Only 1.0.0+.

> If the OpenSSL version is older than 1.0.0, to extract the key as an
> RSA key.
> 
> $ (umask 077; openssl rsa -in mumble.pem -out mumble-key.pem)
> 
Even 1.0.0+. The commandline utilities 'rsa' 'dsa' 'ec' still output the 
algorithm-specific formats for privatekey (and rsa only can output 
publickey in PKCS#1-specific form as well). 

The *API* PEM_write_PrivateKey changed from specific to PKCS#8,
and thus so did 'pkcs8 (not-topk8)' and 'pkcs12 (import not-nokeys)'
and 'req -newkey (or equivalent)'.




__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


[no subject]

2013-12-16 Thread Patetta, Nicholas
Please remove from this mailing list.  Thanks.



Re: Convert .pem to .crt and .key files

2013-12-16 Thread Viktor Dukhovni
On Mon, Dec 16, 2013 at 04:03:30PM +0100, lists wrote:

> >I have a .pem file. Is there a way to get it converted into .crt
> >and .key files using openssl tool.
> 
> ".pem" doesn't say much.
> If it is a file containing both the key and the certificate and it
> is in PEM format (as the name suggests), it is a sort of text.
> You can simply edit it and split it in two files, one containing the part

Using a text editor is not the best approach.  To extract the key
in PKCS8 form:

$ (umask 077; openssl pkey -in mumble.pem -out mumble-key.pem)

If the OpenSSL version is older than 1.0.0, to extract the key as an
RSA key.

$ (umask 077; openssl rsa -in mumble.pem -out mumble-key.pem)

To password-protect the key add a "-aes128" option or similar.  To
encode it in DER format rather than PEM, add a "-outform DER" option,
for example:

$ (
    umask 077
    openssl pkey -in mumble.pem -aes128 -outform DER -out mumble-key.der
  )

To extract the certificate chain:

   $ openssl crl2pkcs7 -nocrl -certfile mumble.pem |
       openssl pkcs7 -print_certs -out mumble-chain.pem

To extract the chain in PKCS7 DER form:

   $ openssl crl2pkcs7 -nocrl -certfile mumble.pem |
       openssl pkcs7 -outform DER -out mumble-chain.spc

To extract just the leaf server certificate in DER form:

   $ openssl x509 -in mumble.pem -outform DER -out mumble-cert.crt

One can also create a password-protected DER PKCS12 file with the key
and certificate in one:

$ (
    umask 077
    openssl pkcs12 -export -in mumble.pem \
        -passout "pass:umask 077" -out mumble.p12
  )

The above example relies on file access protection with a deliberately
weak password useful for non-interactive operation.

So there are sadly a lot of possibilities, depending on what's actually
available and required.

-- 
Viktor.
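
The key, chain and leaf extraction commands from the message above, wrapped in functions with two follow-up checks. This is an added example, not part of the original post; the function names, output file names and the throwaway self-signed sample input are assumptions.

```shell
#!/bin/sh
# Added example: split a combined PEM with the commands from the thread,
# then verify the results. Function and file names are hypothetical.

# split_pem SRC OUTDIR: writes OUTDIR/key.pem, chain.pem and cert.crt (DER)
split_pem() {
    src=$1 dst=$2
    # Subshell, so the restrictive umask applies only to the private key file.
    ( umask 077; openssl pkey -in "$src" -out "$dst/key.pem" ) || return 1
    openssl crl2pkcs7 -nocrl -certfile "$src" |
        openssl pkcs7 -print_certs -out "$dst/chain.pem" || return 1
    openssl x509 -in "$src" -outform DER -out "$dst/cert.crt" || return 1
}

# key_matches_cert KEY CERT_DER: succeeds only if the private key and the
# certificate carry the same public key (compares the PEM SubjectPublicKeyInfo)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -inform DER -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_mode FILE: print the octal permission bits (GNU stat, then BSD stat)
key_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# make_sample FILE: constructed input, a one-day self-signed certificate
# followed by its unencrypted key, standing in for "mumble.pem"
make_sample() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mumble.example" \
        -days 1 -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null || return 1
    ( umask 077; cat "$d/c.pem" "$d/k.pem" > "$1" )
    rm -rf "$d"
}
```

After split_pem, key_mode on the key file should report 600, and key_matches_cert should succeed before the split files are deployed anywhere.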


Re: Convert .pem to .crt and .key files

2013-12-16 Thread lists


".pem" doesn't say much.
If it is a file containing both the key and the certificate and it is in 
PEM format (as the name suggests), it is a sort of text.

You can simply edit it and split it in two files, one containing the part

-----BEGIN CERTIFICATE-----
data... data... data...
-----END CERTIFICATE-----

the other with the part

-----BEGIN RSA PRIVATE KEY-----
data... data... data...
-----END RSA PRIVATE KEY-----

Consider that the key part, if the key is encrypted, has a different 
look but it is not hard to guess.


Bye

   Umberto


On 12/14/2013 02:50 AM, Kaushal Shriyan wrote:

Hi,

I have a .pem file. Is there a way to get it converted into .crt and 
.key files using openssl tool.





Re: use openssl function in own application

2013-12-16 Thread Andreas Moroder



Hello Matt,

My question was wrong, because I have to admit that, at the moment of
the post, I did not know what the line I posted does.


thank you very much for the explanation and the links
Andreas

On 14.12.2013 14:10, Matt Caswell wrote:

On 13 December 2013 17:33, andreas wrote:

Hello,

in our public hospital we have an application that has to encrypt data
with a certificate.
At the moment we call a batch file that does

openssl.exe rsautl -encrypt -in %1 -out %1.enc -inkey SanitelCF.cer -certin -pkcs


I don't know what it is that you are encrypting, however normally you
would not directly encrypt messages in this way. RSA is usually used
to encrypt some symmetric session key, and then your message is
encrypted using this session key. Here you are directly encrypting
files using RSA...if those files are actually raw keys then that's
probably ok.



Is it possible to implement this in our application using openssl
libraries ?


Yes:

To load the certificate you can use PEM_read_X509 (or one of the other
similar variants). See https://www.openssl.org/docs/crypto/pem.html

This will give you an X509 structure. To obtain the public key from
the certificate use X509_get_pubkey. This function is defined in
x509.h and is apparently undocumented as far as I can see. It's quite
straightforward though - just pass the X509 structure in and you get
an EVP_PKEY structure back.

To encrypt use EVP_PKEY_encrypt. See
https://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html

The manual page above gives some example code for encrypting. It shows
how to set the padding type. For your particular situation you need to
use RSA_PKCS1_PADDING.

Don't forget to free up your EVP_PKEY and X509 structures using
EVP_PKEY_free and X509_free.



Can anyone please tell me if there are sample file that implement that
encryption ?


You can take a look at how the rsautl app does it in apps/rsautl.c.
This essentially works the same way as I have outlined above except
that it uses RSA_public_encrypt to do the encryption, rather than
EVP_PKEY_encrypt that I have suggested.

Hope that helps,

Matt




Thanks
Andreas