Converting Your Existing Certificate To PEM Format

Most Certificate Authorities (CAs) issue certificates in PEM format. PEM certificates typically have extensions like .pem, .crt, .cer, and .key.

The PEM format uses the header and footer lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Other certificate formats include the DER/Binary, P7B/PKCS#7, and PFX/PKCS#12 formats. The AeroFS Appliance requires a certificate in PEM format in step 9 of the appliance setup. This certificate will be used to ensure secure transactions between your appliance and users' web browsers.

If your certificate is not in PEM format, you can convert it to the PEM format using the following OpenSSL commands:

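Convert DER to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Convert PFX to PEM:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

The -nodes option writes the private key contained in the PFX file to certificate.pem unencrypted, so keep that file readable only by its owner.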

Alternatively, you can use this SSL converter tool.

Removing Passphrase From Existing Private Key File

If you try to upload a passphrase-protected private key file, you will get a “key is invalid” error message. To fix this you will need to remove the passphrase from your private key file and upload the passphrase-free private key file to your appliance. You can remove the passphrase as follows:

1. Run openssl rsa -in example.key -out example.nocrypt.key

2. Enter your passphrase.
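
Added example, not part of the original page: shell helpers built on the OpenSSL commands above that convert a certificate to PEM whether it arrives as PEM or DER, strip a key passphrase while keeping the output owner-readable only, and confirm that the passphrase-free key belongs to the certificate before upload. The function names, file names and the optional third argument of strip_passphrase are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and file names are placeholders.

# Convert a certificate to PEM whether it arrives as PEM or as binary DER.
# Usage: cert_to_pem <input> <output.pem>
cert_to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -out "$2"              # PEM: re-encode the first certificate
    else
        openssl x509 -inform der -in "$1" -out "$2"  # DER: same command as on the page
    fi
}

# Write a passphrase-free copy of an RSA private key, readable by its owner only.
# Usage: strip_passphrase <encrypted.key> <output.key> [passin-source]
# Without the optional third argument (e.g. file:/path/to/secret) openssl prompts.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" ${3:+-passin "$3"} )
}

# Succeed only if the key loads without a passphrase and carries the same
# public key as the certificate. Returns 2 if either file cannot be read.
# Usage: key_matches_cert <key.pem> <cert.pem>
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```

A non-zero result from key_matches_cert means the key is still passphrase-protected, unreadable, or belongs to a different certificate.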

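Downloading a remote certificate, with or without a proxy

With proxy:
proxytunnel -p some.proxy.host:3128 -d google.com:443 -a 7000

openssl s_client -showcerts -servername google.com -connect localhost:7000 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > proxy.pem

Without proxy:
openssl s_client -showcerts -servername google.com -connect google.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > google.pem

With -showcerts the output file contains every certificate the server sent, not only the server's own. s_client does not abort when chain verification fails, so check the fingerprint of a downloaded certificate through a separate channel before adding it to a trust store.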

Java keystore

http://java-online.ru/keystore-keytool.xhtml

  • -Djavax.net.ssl.keyStore specifies the keystore file.
  • -Djavax.net.ssl.keyStorePassword specifies the passphrase of the keystore.
  • -Djavax.net.ssl.trustStore specifies the truststore file to use to validate client certificates.
  • -Djavax.net.ssl.trustStorePassword specifies the passphrase to access the truststore file.
wiki/tech/linux/ssl.txt · Last modified: 2019/03/29 15:46 by kpc