Public Key Infrastructure (PKI), Tech

DER vs. CRT vs. CER vs. PEM Certificates

Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulate.

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate”, not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “-----BEGIN …” line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
  • .CER = Alternate form of .crt (Microsoft convention). You can use Microsoft tools to convert .crt to .cer (either a DER encoded .cer or a Base64 [PEM] encoded .cer). The .cer file extension is also recognized by IE as a command to run a Microsoft CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding type is identical (i.e. a PEM encoded CRT = a PEM encoded CER).

Common OpenSSL Certificate Manipulations

There are four basic types of certificate manipulations: View, Transform, Combination, and Extraction.

View

Even though PEM encoded certificates are ASCII, they are not human readable. Here are some commands that will let you output the contents of a certificate in human readable form:

View PEM encoded certificate

Use the command that matches the extension of your certificate, replacing cert.xxx with the name of your certificate.

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in the “View DER encoded certificate” section below.

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate” section above.

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Transform

Transforms take a certificate from one encoding to another (i.e. PEM to DER conversion).

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
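The two error messages quoted above both come from guessing the encoding from the file extension. The script below, an added example that is not part of the original post, decides PEM versus DER from the file's bytes instead (PEM carries a `-----BEGIN` armor line; DER starts with the ASN.1 SEQUENCE tag 0x30) and shows that the PEM/DER transform is just Base64 framing. It assumes a POSIX shell with coreutils (od, base64, fold, sed, grep, mktemp, cmp); openssl is only needed for the `show_cert` wrapper. The function names and the sample files are this example's own, and the sample is a five-byte DER blob, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: decide PEM vs DER from the file's
# bytes instead of its extension, and convert between the two encodings.
# Assumes POSIX sh plus common coreutils (od, base64, fold, sed, grep, mktemp,
# cmp); the function names are this example's own.

# Print "pem", "der" or "unknown" for the file named in $1.
# PEM data carries a "-----BEGIN" armor line; DER data starts with the ASN.1
# SEQUENCE tag 0x30, because every X.509 certificate is an outer SEQUENCE.
cert_encoding() {
    if grep -q -- '-----BEGIN ' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# DER -> PEM. PEM is nothing more than the Base64 of the DER bytes, wrapped at
# 64 columns and framed by BEGIN/END lines (the same output that
# "openssl x509 -inform der -outform pem" produces).
der_to_pem() {
    echo '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$(base64 < "$1" | tr -d '\n' | fold -w 64)"
    echo '-----END CERTIFICATE-----'
}

# PEM -> DER: keep only the lines between the armor lines, join them and
# Base64-decode them (base64 -d is the GNU coreutils flag).
pem_to_der() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" | grep -v '^-----' | tr -d '\n' | base64 -d
}

# View a certificate in human-readable form, choosing -inform from the bytes
# rather than the extension, so the "no start line" and "wrong tag" errors
# quoted above cannot occur. Needs openssl on the PATH.
show_cert() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "$1: not a PEM or DER encoded certificate" >&2
        return 1
    fi
    openssl x509 -in "$1" -inform "$enc" -text -noout
}

# Constructed sample input (not a real certificate): the 5-byte DER encoding
# of SEQUENCE { INTEGER 1 }, enough to exercise detection and the round trip.
# It is deliberately given the .cer extension, and its PEM form the .crt
# extension, to show that the extension alone tells you nothing.
SAMPLE_DIR=$(mktemp -d)
printf '\060\003\002\001\001' > "$SAMPLE_DIR/sample.cer"
der_to_pem "$SAMPLE_DIR/sample.cer" > "$SAMPLE_DIR/sample.crt"

for f in "$SAMPLE_DIR/sample.cer" "$SAMPLE_DIR/sample.crt"; do
    echo "$(basename "$f"): $(cert_encoding "$f")"
done

# PEM -> DER must give back exactly the original bytes.
pem_to_der "$SAMPLE_DIR/sample.crt" > "$SAMPLE_DIR/roundtrip.der"
if cmp -s "$SAMPLE_DIR/sample.cer" "$SAMPLE_DIR/roundtrip.der"; then
    echo "round trip ok"
else
    echo "round trip FAILED" >&2
fi
```

On a real certificate, `show_cert cert.cer` prints the same parsed output as the `openssl x509 ... -text -noout` commands above, whichever encoding the file actually uses. The 0x30 check is a heuristic for "looks like DER", not a validation; `openssl x509` still does the full parse and will reject a file that is neither.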

Combination

In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example would be to combine both the private key and the public key (certificate) into the same file.

The easiest way to combine certs, keys and chains is to convert each to a PEM encoded file and then simply copy the contents of each file into a new file. This is suitable for combining files for use in applications like Apache.

Extraction

Some certs will come in a combined form, where one file can contain any of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.
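The Combination and Extraction steps above are the two directions of the same operation. The script below is an added example, not code from the original post: `bundle` concatenates PEM files the way the text describes while guarding against the one thing that goes wrong when files are pasted together by hand (a file whose last line has no newline glues its `-----END` line onto the next file's `-----BEGIN` line, and the result fails to load), and `split_pem` takes a combined PEM file apart again, one output file per block, named after the armor label. It assumes POSIX sh, awk and coreutils and that the inputs are already PEM (convert DER first, as described above). The function names, the sample files and their placeholder Base64 bodies are this example's own; they are not real key or certificate material.

```shell
#!/bin/sh
# Added example, not from the original post: bundle PEM-encoded pieces into
# one file (Combination) and split a combined PEM file back into its parts
# (Extraction), using only POSIX sh, awk and coreutils. Inputs are assumed to
# be PEM already; the function names and sample files are this example's own.

# bundle OUT IN...: concatenate PEM files. "awk 1" re-emits every line with a
# newline, so a file whose last line lacks one cannot glue its END line onto
# the next file's BEGIN line, which is a common cause of "no start line"
# errors when a hand-made bundle is loaded by a server.
bundle() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        awk 1 "$f" >> "$out"
    done
}

# pem_block_count FILE: number of PEM blocks in a (possibly combined) file.
pem_block_count() {
    grep -c -- '^-----BEGIN ' "$1"
}

# split_pem IN OUTDIR: write each BEGIN...END block to OUTDIR/<n>-<label>.pem,
# where <label> is the armor label (CERTIFICATE, PRIVATE KEY, ...) lowercased
# with spaces turned into dashes, so a bundle yields e.g. 1-private-key.pem.
split_pem() {
    awk -v dir="$2" '
        /^-----BEGIN / {
            n++
            label = $0
            sub(/^-----BEGIN /, "", label)
            sub(/-----$/, "", label)
            gsub(/ /, "-", label)
            out = dir "/" n "-" tolower(label) ".pem"
        }
        out != "" { print > out }
        /^-----END / { close(out); out = "" }
    ' "$1"
}

# Constructed sample files: the Base64 bodies are placeholders, not real key
# or certificate material. server.crt is written WITHOUT a trailing newline
# on purpose, to show the gluing problem bundle() guards against.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MAMCAQE=' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/server.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQI=' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/ca.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MAMCAQM=' '-----END PRIVATE KEY-----' > "$SAMPLE_DIR/server.key"

# Combine: key, then server certificate, then the CA certificate.
bundle "$SAMPLE_DIR/server-bundle.pem" "$SAMPLE_DIR/server.key" "$SAMPLE_DIR/server.crt" "$SAMPLE_DIR/ca.crt"
echo "bundle holds $(pem_block_count "$SAMPLE_DIR/server-bundle.pem") PEM blocks"

# Extract: one file per block.
mkdir "$SAMPLE_DIR/parts"
split_pem "$SAMPLE_DIR/server-bundle.pem" "$SAMPLE_DIR/parts"
ls "$SAMPLE_DIR/parts"
```

The split names the parts by label only, so a bundle with a chain yields `2-certificate.pem`, `3-certificate.pem`, and so on in file order; which certificate is the leaf and which is the CA is something you still read out of each file with `openssl x509 -text -noout`.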

Personal

Cute Picture of Kaelum

When you hold a baby near to your face all the time you kind of lose track of how small he really is. My wife is the one that took this picture so I have to give credit to her. Kaelum is just so TINY, I couldn’t help but send this picture.

You can see it at her blog: Devilsangels.net

Personal

The Future of My Son


So Kaelum decided today that I wasn’t paying enough attention to him and proceeded to munch on my Mac. I often wonder what he will be interested in when he’s older. Only time will tell.


Tech

Blog Integration

I’ve been trying for some time now to get WordPress to integrate more tightly with Facebook and Twitter. The few times I’ve tried this before have provided suboptimal results. Right now it’s all working using two different plugins that seem to give me more functionality than I really need.

For Twitter I’m using http://www.joedolson.com/articles/wp-to-twitter/ which enables me to post to Twitter, and bit.ly for tracking.

The facebook plugin I’m using is much more complicated than just posting to my wall.  It has a much tighter integration with FB.  In fact you have to go get a developer’s key to get this to work.  The name of this plugin is WPBook.  This plugin really embeds WordPress into the facebook canvas.

I hope to be able to share my blog more. I’ve seen how much my wife loves blogging. I hope that I can contribute something more useful than my usual ramblings of an idiot.

Personal

Blogging…. Feeling left out?

So my wife has started to blog on a regular basis. I really enjoy reading her stuff and will probably ping back to it here in the future when she pulls out one of her unique gems. I guess this could be a New Year’s resolution to blog more. I really enjoy it; I may do more on the technical side of my life, little nuggets of knowledge about problems that I’ve come across and hopefully some good answers to them.

Going by the mantra that a goal that is not written down is just a wish, I’m going to take a moment to write them down here.

  1. Blog more often.
  2. Lose some weight
  3. Finish paying off the Credit Card Debt
  4. Budget better
  5. Take lunch to work instead of eating in the cafeteria

PS. There is a secondary reason for this blog.  I want to test out a new twitter plug-in.   Hope it works.

Personal

Merry Christmas

No, not Happy Holidays.   MERRY Freakn’ Christmas.  However it seems that it’s a bit funny cause Holiday means Holy Day.   Just silly.

Personal

Kaelum Joins the Gardner Clan

 

Kaelum

On Sept 17, 2009 at 5:36 AM Kaelum Mark Gardner joined our little family.  Here’s his story.

My wife, Chesnye, called me at work about 4:30 PM. “I think my water broke.” After a short explanation it really did sound like her water had broken and it was not simply that the baby had kicked her bladder and caused a “leak”. I told her I needed to go tell my boss that I was leaving and needed to check on my wife. I also told her that I would call her when I was on my way home. My boss, Mr. Watson, was excited that he had not yet been knocked out of the baby pool; then promptly ejected me from his office with instructions to go take care of my wife.

The drive home was interesting, Chesnye would have killed me had she known how fast I was driving in parts.   I wasn’t paying a lot of attention to the speedometer until I saw another car pulled over and decided a speeding ticket would only slow me down.   Chesnye was waiting for me on the couch downstairs when I got home.  All I had to do was put the dog in the kennel and grab the bag she had packed. We then started the 15 min drive to the hospital (albeit much slower and calmer).

 

Chesnye and Kaelum Meet

The check-in process at Liberty Hospital is very easy; they have you pre-register a few weeks in advance, so the only thing you have to do when you get there is sign the “Consent to Treat” form. We had called ahead on our way and they had secured us the last room. I felt a little bad for the couple behind us; she was having contractions, and they were scrambling to get a room clean for her. The first nurse that saw us checked Chesnye with a pH strip and confirmed that her water had broken; we were going to be here for the duration. They hooked up the fetal monitors and took her vitals. Everything to this point was going great, except that she was not contracting very strongly. The fetal monitor was pretty neat: you could tell when the baby kicked because there would be a little spike on the graph.

At 5:30 Dr. Morris decided that it was time to help the contractions along and started an IV with Pitocin. The poor nurse couldn’t find Chesnye’s small veins. Luckily, after digging around in both arms (ouch), she finally found a suitable vein in her right hand and placed the IV.

Chesnye’s contractions got continually stronger.  She was showing a good contraction pattern, they were getting stronger.  At 10:00 PM her back labor got so bad she asked for some IV drugs.   The IV drugs worked for about an hour.  I was able to catch a few minutes of sleep; Chesnye, however, was not able to sleep but was able to relax for the hour and catch a breather.   She’d close her eyes but the contractions kept waking her up.  After the drug wore off, the contractions got really intense.   She asked for her epidural and Dr. Fox came around 11:00 and placed it.  He did an awesome job!  We were both able to sleep for a little bit.

I got to hold him first!

The next six hours were pretty uneventful; the nurses increased the Pitocin dosage and her contractions went on at full strength. At 5:00 AM Dr. Morris came in to check on Chesnye. She was not dilating. The decision was made to do a C-section before the baby could go into any serious distress. They prepped Chesnye, gave me a set of scrubs to change into, and took her to the operating room. They said they would come get me when everything was ready to go. Holy crap was that a long wait (I don’t really think it was that long, it just seemed really long).

When I walked into the OR with the nurse it was a little scary, there were blue sterile fields everywhere.  The nurse pointed to a stool near Chesnye’s head, that was my spot, I wasn’t to touch anything. The operation began, from my perspective all I could hear was hushed muttering from the OR Doc, and the Nurses.  I chatted with the Anesthesiologist, and the Nurse in charge of monitoring all the vitals for a little while.  Chesnye was a little out of it and didn’t make for good conversation.

At 5:35 there was a bustle on the other side of the sterile field, nurses were handing instruments around pretty fast, there was a lot of shuffling and at 5:36 a little cry.  I never thought that such a little noise could bring such big emotions to the surface.   The nurse next to me asked for my camera and snapped some pictures of the doctor cutting the cord.  I won’t post those here, those are only for my family’s collection.  They took him and cleaned him up a little, cleared out his lungs, and did his measurements.   He did not like to be cold.  I still think the first thing I noticed is that his brow furrows when he’s mad in the exact same way Chesnye’s does when she’s mad at me.

 

Born 9/17, 6lbs 13oz, 19in

They got him all wrapped up and handed him to me. I then took him over to my stool and let him meet Chesnye. The rest of the operation took about an hour. All I could do was smile under my mask. My jaw hurt for hours afterward. They got Chesnye all patched up. In the meantime they took a picture, did a slick sheet (footprints) and gave wristbands to baby, me, and Chesnye.

 

Personal

Hosting Provider

I’ve been looking around at hosting providers for a little while. I love Bluehost, and have been very happy with them. I found a sister company (I even think they use the same data center in Utah) called HostMonster. They were running a deal for 3.95 a month with all the Bluehost bells and whistles. So I signed up. So far the only difference has been that HostMonster machines seem to be a little more responsive.

Personal

Embarrassing Moment

I just had a random recollection of one of my most embarrassing moments.

I was in college and was trying to date a girl from my physics class. I had ridden my bike to campus and physics was our last class of the day. I decided to try and earn brownie points and walk her home. We both walked and had a good time chatting all the way to her apartment. I walked her to her door and said I’d call her later.

Her window overlooked the parking lot where I had parked my bike. I knew she was watching me so I tried to show off by jumping the curb. I missed and crashed right into the curb. I had my laptop in my backpack and was worried about breaking it so I twisted as to not land on my back. The result was me landing on my face. All while this girl was watching.

I picked up my bike and broken pride and went home. We never really dated much after that.