How to get .pem file from .key and .crt files?
How can I create a PEM file from an SSL certificate?
These are the files that I have available:
.crt
server.csr
server.key
Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa in place of openssl x509.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
Edit: As @floatingrock says
With AWS, don't forget to prepend the filename with file://. So it'll look like:
aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/
http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html
A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:
cat server.crt server.key > server.pem
Additionally, if you don't want it to ask for a password, you need to run the following command:
openssl rsa -in server.key -out server.key
This is the best option for creating a .pem file:
openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts
Run below commands:
a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes
b) openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts
I was trying to go from godaddy to app engine. What did the trick was using this line:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered).
And I answered all the questions pertaining to common name / organization as www.name.com.
Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt.
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key".
.. And that finally worked.
What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.
.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.
Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.
Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:
grep -A 1000 BEGIN cert.crt > cert.pem
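An added example, not code from any answer on this page, that scripts the two checks the answers above describe: the first answer's "does it start with -----BEGIN, or is it binary DER" decision, and the previous answer's need to strip the readable dump that openssl -text prepends, done here with a sed range instead of grep -A 1000 so that every BEGIN/END block (a whole chain, for instance) is kept and nothing after the last END line is. The helper names pem_or_der, strict_pem, to_pem and make_combined are assumptions of this example, and the combined file is created under umask 077 because it contains the private key.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.

# Print "pem" if the file contains a PEM armor line anywhere (the dump
# from "openssl x509 -text" puts readable text before it), else "der".
# Assumption: any file without a "-----BEGIN" line is treated as DER.
pem_or_der() {
    if grep -q -e '^-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# Keep only the lines from each "-----BEGIN ..." to its "-----END ..."
# line, dropping the human-readable dump before it and anything after the
# final END line. Unlike "grep -A 1000 BEGIN" this keeps every block.
strict_pem() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Write a strict PEM copy of $1 to $2, calling openssl only for DER input.
# $3 is the openssl subcommand: "x509" for a certificate, "rsa" for a key.
to_pem() {
    if [ "$(pem_or_der "$1")" = pem ]; then
        strict_pem "$1" > "$2"
    else
        openssl "$3" -inform DER -outform PEM -in "$1" -out "$2"
    fi
}

# Concatenate certificate ($1) then key ($2) into $3. The result holds the
# private key, so it is created owner-readable only; the umask is set in a
# subshell so the caller's umask is left untouched.
make_combined() {
    ( umask 077 && cat "$1" "$2" > "$3" )
}
```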
Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, eg
aws iam upload-server-certificate \
--server-certificate-name mycert \
--certificate-body file://try2/40271b1b25236fd1.crt \
--private-key file://server.key \
--path /cloudfront/production/ \
--certificate-chain file://try2/gdig2_bundle.crt
And to delete your previous failed upload you can do
aws iam delete-server-certificate --server-certificate-name mypreviouscert
openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts
On Windows, you can use the certutil tool:
certutil -encode server.crt cert.pem
certutil -encode server.key key.pem
You can combine both files to one in PowerShell like this:
Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem
And in CMD like this:
copy cert.pem+key.pem cert-and-key.pem /b
All of the files (*.crt, server.csr, server.key) may already be in PEM format; what to do next with these files depends on how you want to use them, or what tool is using them and which format it requires.
I'll go a bit further here to explain what the different formats used to store cryptography materials are, how to recognise them, and how to convert one to/from another.
Standards | Content format | File encoding | Possible content
---|---|---|---
X509 | X | | Certificates
PKCS#1 | X | | RSA keys (public/private)
PKCS#7 | X | | Certificates, CRLs
PKCS#8 | X | | Private keys, encrypted private keys
PKCS#12 | X | | Certificates, CRLs, private keys
JKS | X | | Certificates, private keys
PEM | | X |
DER | | X |

Content \ Encoding | PEM (*) | DER (**) | Binary
---|---|---|---
X509 | X | X |
PKCS#1 | X | X |
PKCS#7 (***) | X | X |
PKCS#8 | X | X |
PKCS#12 (***) | | | X
JKS (***) | | | X
This is a gist that explains the same thing, plus commands for conversion/verification/inspection.
In conclusion, typical steps to work with cryptography/PKI materials: