当前位置: 文江博客话题详情

如何从 .key 和 .crt 文件获取 .pem 文件?

发布于 2024-07-24 23:49:20 字数 156 浏览 11 评论 0原文

如何从 SSL 证书创建 PEM 文件?

这些是我可用的文件:

  • .crt
  • server.csr
  • server.key
原文

How can I create a PEM file from an SSL certificate?

These are the files that I have available:

  • .crt
  • server.csr
  • server.key

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(14

遗忘曾经 2024-07-31 23:49:20

您的密钥可能已经是 PEM 格式,但只是以 .crt 或 .key 命名。

如果文件内容以 -----BEGIN 开头,并且您可以在文本编辑器中读取它:

该文件使用 base64,可以 ASCII 格式读取,而不是二进制格式。 该证书已经是 PEM 格式。 只需将扩展名更改为 .pem 即可。

如果文件是二进制文件:

对于 server.crt,您将使用

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

对于 server.key,使用 openssl rsa 代替 openssl x509

server.key 可能是您的私钥,.crt 文件是返回的签名 x509 证书。

如果这是针对 Web 服务器且您无法指定加载单独的私钥和公钥:

您可能需要连接这两个文件。 对于此用途:

cat server.crt server.key > server.includesprivatekey.pem

我建议使用“includesprivatekey”命名文件,以帮助您管理对此文件保留的权限。

Your keys may already be in PEM format, but just named with .crt or .key.

If the file's content begins with -----BEGIN and you can read it in a text editor:

The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.

If the file is in binary:

For the server.crt, you would use

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For server.key, use openssl rsa in place of openssl x509.

The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.

If this is for a Web server and you cannot specify loading a separate private and public key:

You may need to concatenate the two files. For this use:

cat server.crt server.key > server.includesprivatekey.pem

I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.

回复 原文
风吹雨成花 2024-07-31 23:49:20

我需要为 AWS ELB 执行此操作。 在多次被对话框打败后,最后这对我有用:

openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem

谢谢 NCZ

编辑:正如 @floatingrock 所说

,使用 AWS,不要忘记在文件名前面加上 file://。 所以它看起来像:

 aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/

http:// docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html

I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:

openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem

Thanks NCZ

Edit: As @floatingrock says

With AWS, don't forget to prepend the filename with file://. So it'll look like:

 aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/

http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html

回复 原文
半岛未凉 2024-07-31 23:49:20

pem 文件包含证书和私钥。 这取决于您的证书/密钥的格式,但可能就像这样简单:

cat server.crt server.key > server.pem

A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:

cat server.crt server.key > server.pem
回复 原文
不可一世的女人 2024-07-31 23:49:20

此外,如果您不希望它询问密码,则需要运行以下命令:

openssl rsa -in server.key -out server.key

Additionally, if you don't want it to ask for a passphrase, then need to run the following command:

openssl rsa -in server.key -out server.key
回复 原文
超可爱的懒熊 2024-07-31 23:49:20

这是创建 .pem 文件的最佳选择

openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts

this is the best option to create .pem file

openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts
回复 原文
讽刺将军 2024-07-31 23:49:20

所有文件(*.crt、server.csr、server.key)可能已经是 PEM 格式,接下来如何处理这些文件取决于您想要如何使用它们,或者使用它们的工具以及格式这个需要。

我将在这里进一步解释用于存储加密材料的不同格式以及如何识别它们以及如何将一种格式转换为另一种格式。

标准

标准内容格式文件编码可能的内容
X509X证书
PKCS#1XRSA 密钥(公共/私有)
PKCS#7X证书、CRL
PKCS#8X私钥、加密私钥
PKCS#12X证书、CRL、私钥
JKSX证书、私钥
PEMX
DERX

常见组合

内容 \ 编码PEM (*)DER (**)二进制
X509XX
PKCS#1XX
PKCS#7 (***)XX
PKCS#8XX
PKCS#12 (***)X
张根硕 (***)X

这是要点解释了同样的事情+用于转换/验证/检查的命令。

总之,使用密码学/PKI 材料的典型步骤:

  • 了解它们的格式(使用验证/检查命令)
  • 了解它们所需的格式(阅读文档)
  • 使用转换命令转换文件
  • 可选:使用验证/检查命令验证转换后的文件

All of the files (*.crt, server.csr, server.key) may already be in PEM format, what to do next with these files depends on how you want to use them, or what tool is using them and in which format it requires.

I'll go a bit further here to explain what are the different formats used to store cryptography materials and how to recognise them as well as convert one to/from another.

Standards

StandardsContent formatFile encodingPossible content
X509XCertificates
PKCS#1XRSA keys (public/private)
PKCS#7XCertificates, CRLs
PKCS#8XPrivate keys, encrypted private keys
PKCS#12XCertificates, CRLs, private keys
JKSXCertificates, private keys
PEMX
DERX

Common combinations

Content \ EncodingPEM (*)DER (**)Binary
X509XX
PKCS#1XX
PKCS#7 (***)XX
PKCS#8XX
PKCS#12 (***)X
JKS (***)X

This is a gist explains the same thing + commands for conversion/verification/inspection.

In conclusion, typical steps to work with cryptography/PKI materials:

  • Understand which format they are in (use verification/inspection commands)
  • Understand which format they are required (read doc)
  • Use conversion commands to convert the files
  • Optional: use verification/inspection commands to verify converted files
回复 原文
眼睛会笑 2024-07-31 23:49:20

我试图从 Godaddy 转向应用引擎。 诀窍是使用这一行:

openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr

完全按原样,但用我的域名替换名称(并不是说它真的很重要)

我回答了与通用名称/组织有关的所有问题 www.name.com

然后我打开了csr,复制它,将其粘贴到 go爸爸中,然后下载它,解压缩它,使用终端导航到解压缩的文件夹并输入:

cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt

然后我使用了 Google Apps 自定义域 SSL 出现问题:与

openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem

原样完全相同,只是我使用 name.unencrypted.priv 代替 privateKey.key。密钥,而不是 www_mydomain_com.crt,我使用 name.crt

然后我将 public.pem 上传到管理控制台以获取“PEM 编码的 X.509 证书”,并上传 private.pem 以获得“未加密的 PEM 编码的 RSA 私有证书”关键”

......这终于奏效了。

I was trying to go from godaddy to app engine. What did the trick was using this line:

openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr

Exactly as is, but replacing name with my domain name (not that it really even mattered)

And I answered all the questions pertaining to common name / organization as www.name.com

Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:

cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt

Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:

openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem

exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt

Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..

.. And that finally worked.

回复 原文
最佳男配角 2024-07-31 23:49:20

在 Windows 上,您可以使用 certutil 工具:

certutil -encode server.crt cert.pem
certutil -encode server.key key.pem

您可以在 PowerShell 中将两个文件合并为一个,如下所示:

Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem

在 CMD 中,如下所示:

copy cert.pem+key.pem cert-and-key.pem /b

On Windows, you can use the certutil tool:

certutil -encode server.crt cert.pem
certutil -encode server.key key.pem

You can combine both files to one in PowerShell like this:

Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem

And in CMD like this:

copy cert.pem+key.pem cert-and-key.pem /b
回复 原文
も让我眼熟你 2024-07-31 23:49:20

我观察到的是:如果使用 openssl 生成证书,它会捕获 crt 文件中的文本部分和 base64 证书部分。 严格的 pem 格式表示(wiki 定义)文件应以 BEGIN 开头和结尾结尾。

.pem –(隐私增强邮件)Base64 编码的 DER 证书,
包含在“-----BEGIN CERTIFICATE-----”和“-----END”之间
证书-----”

因此,对于某些需要严格 pem 格式的库(我在 java 中遇到过这种情况),生成的 crt 会因“无效 pem 格式”而无法通过验证。

即使您使用 BEGIN/ 复制或 grep 行END CERTIFICATE,并将其粘贴到 cert.pem 文件中,它应该可以工作。

这是我所做的,不是很干净,但对我有用,基本上它会过滤从 BEGIN 行开始的文本:

grep -A 1000 BEGIN cert.crt > 证书.pem

What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.

.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate,
enclosed between "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----"

So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.

Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.

Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:

grep -A 1000 BEGIN cert.crt > cert.pem

回复 原文
神回复 2024-07-31 23:49:20

尝试将 GoDaddy 证书上传到 AWS 时失败了好几次,但最终都非常简单。 无需将任何内容转换为 .pem。 您只需确保在链参数中包含 GoDaddy 捆绑证书,例如

aws iam upload-server-certificate
    --server-certificate-name mycert
    --certificate-body file://try2/40271b1b25236fd1.crt
    --private-key file://server.key
    --path /cloudfront/production/
    --certificate-chain file://try2/gdig2_bundle.crt

要删除之前失败的上传,您可以执行以下操作

aws iam delete-server-certificate --server-certificate-name mypreviouscert

Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.

aws iam upload-server-certificate
    --server-certificate-name mycert
    --certificate-body file://try2/40271b1b25236fd1.crt
    --private-key file://server.key
    --path /cloudfront/production/
    --certificate-chain file://try2/gdig2_bundle.crt

And to delete your previous failed upload you can do

aws iam delete-server-certificate --server-certificate-name mypreviouscert
回复 原文
春庭雪 2024-07-31 23:49:20
  1. 通过 appleId 从临时门户下载证书,
  2. 从钥匙串导出证书并给出名称 (Certificates.p12),
  3. 打开终端并转到保存上述 Certificates.p12 文件的文件夹,

  4. 运行以下命令:

    a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,

    运行

  5. 您的 .pem 文件已准备好“pushcert.pem”。
  1. Download certificate from provisional portal by appleId,
  2. Export certificate  from Key chain and  give name (Certificates.p12),
  3. Open terminal and goto folder where you save above Certificates.p12 file,

  4. Run below commands:

    a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,

    b) openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts

  5. Your .pem file ready "pushcert.pem".
回复 原文
梦断已成空 2024-07-31 23:49:20

首先,我们必须使用 .crt 文件和 .key 文件创建 pfx 文件。 在执行过程中,您需要输入您的证书密码。 命令

 openssl pkcs12 -export -in company.crt -inkey company.key -out yourssl.pfx

下面是获得 pfx 文件后的 。 请执行以下2条命令

openssl pkcs12 -in yourssl.pfx -clcerts -nokeys -out yourcert.pem
openssl pkcs12 -in yourssl.pfx -clcerts -out yourkey.pem

First of all we have to create pfx file using .crt file and .key file. During execution you need to enter your certs password. Below is the command

 openssl pkcs12 -export -in company.crt -inkey company.key -out yourssl.pfx

Once you have pfx file. Please execute Below 2 commands

openssl pkcs12 -in yourssl.pfx -clcerts -nokeys -out yourcert.pem
openssl pkcs12 -in yourssl.pfx -clcerts -out yourkey.pem
回复 原文
你的呼吸 2024-07-31 23:49:20
  • 打开终端。
  • 转到您的证书所在的文件夹。
  • 通过用您的证书替换名称来执行以下命令。

openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts

  • 希望它能工作!
  • Open terminal.
  • Go to the folder where your certificate is located.
  • Execute below command by replacing name with your certificate.

openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts

  • Hope it will work!!
回复 原文
嘴硬脾气大 2024-07-31 23:49:20

使用 p11-kit(在 CentOS 7 上可用)

给定的 crt 文件位于 /etc/ssl/certs/ 中:

p11-kit extract --format=pem-directory /tmp/pem-files

每个 crt 文件的 pem 文件将被放置在指定的目录中(该命令将创建该目录)。

Using p11-kit (available on CentOS 7)

Given crt files are in /etc/ssl/certs/:

p11-kit extract --format=pem-directory /tmp/pem-files

A pem file for each crt file will be placed in the specified directory (which the command will create).

回复 原文
~没有更多了~

关于作者

待天淡蓝洁白时

暂无简介

0 文章
0 评论
21 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

烙印

文章 0 评论 0

singlesman

文章 0 评论 0

给自己一个微笑

文章 0 评论 0

独孤求败

文章 0 评论 0

晨钟暮鼓

文章 0 评论 0

我是自愿种绣球花的

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文