Quality resource sharing

Contents* Introduction

• PEM
• PKCS7
• PKCS8
• PKCS12
• Summary

Introduction

PEM is a common format for saving keys or certificates. Generally, files in PEM format end with .pem.So what exactly is PEM?How does it relate to the commonly used certificate formats PKCS7 and PKCS12?Let's take a look together.

PEM

Although PEM is used to store certificates or keys, PEM was originally associated with email, because the full name of PEM is Privacy-Enhanced Mail, which was originally created for the privacy enhancement of mail. It was created in 1993 byStandards developed by the IETF.Although the final protocol standard was not widely adopted, the text encodings defined in it were widely used and were eventually formalized by the IETF in RFC 7468.

Before we introduced a protocol description language ASN.1, ASN.1 is usually used to define the data structure in the protocol, and then serialize the data by using DER encoding, but DER encoding is a binary format, binary files are inconvenient to transmit or display in some cases, otherwise some only support ASCII encoding, so we need a way to convert DER format into text format.

This method is called PEM.The method used by PEM is also very simple, which is to use base64 encoding on the DER-encoded binary data and convert it into a text file.

There are fixed header and end of file characters in PEM.The header of the file starts with '-----BEGIN'+label+'-----', and the end of the file ends with '-----END'+label+'-----'.

Where label represents the encoded message type, which can usually take these values: CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY and X509 CRL.

The following is an example of a PEM, indicating that its content is a certificate:

-----BEGIN CERTIFICATE KEY----------END CERTIFICATE KEY-----

Although PEM format files usually end with .pem, it is also possible to use ".cer" or ".crt" to indicate a certificate, and ".key" to indicate a key.

In addition, a PEM file can contain multiple contents. For example, for a certificate, usually some additional information such as a certificate chain may be required, so that a certificate chain can be stored in a PEM file.

PKCS7

PKCS7 is a member of the Public-Key Cryptography Standards series and is mainly used to store signed or encrypted data, such as certificates or CRLs.PKCS7 can be stored in raw DER format or in PEM format.

If stored in PEM format, the beginning and end of the file are:

‑‑‑‑‑BEGIN PKCS7‑‑‑‑‑‑‑‑‑‑‑END PKCS7‑‑‑‑‑‑

PKCS7 usually ends with .p7b on Windows.

The operation of PKCS7 can be carried out through the openssl command.

For example to convert a PKCS7 file from PEM format to DER format:

 openssl pkcs7 -in file.pem -outform DER -out file.der

Extract all certificates from one file to another:

 openssl pkcs7 -in file.pem -print_certs -out certs.pem

PKCS8

PKCS8 is also a member of the Public-Key Cryptography Standards series, which is mainly used to store private keys.

The private key is first encrypted using the PKCS #5 standard, then base64 encoded and converted to PEM format for storage.

So the format of PKCS8 is PEM, but the content stored in it is the encrypted private key.

PKCS12

PKCS12 is also a member of the Public-Key Cryptography Standards series. PKCS12 can be regarded as an extension of PKCS7. Certificates, private keys or CRLs can be stored in PKCS12.Compared with PKCS7, PKCS12 can additionally store private keys.

PKCS12 files end in .p12 or .pfx.In JDK9, PKCS12 is the default key storage format.

The format of PKCS12 is much more complicated than PEM. When needed, we can use OPENSSL to convert PKCS12 format to PEM format:

openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem

Of course also from PEM to PKCS12:

openssl pkcs12 -export -in Cert.pem -out Cert.p12 -inkey key.pem

Summary

The above are several very commonly used encoding formats in the PEM and PKCS series.Hope you can master and use it correctly.

For more information, please refer to http://www.flydean.com/48-pem-pkcs7812/

The most popular interpretation, the most profound dry goods, the most concise tutorials, and many tricks you don't know are waiting for you to discover!

Welcome to pay attention to my official account: "Program those things", understand technology, understand you better!