Format Conversion
If the certificate you receive from the CA is not in PEM format, you need to convert it to PEM format. The following table shows several common conversions to PEM:
Certificate format | Conversion method |
---|---|
DER -> PEM | Certificate: openssl x509 -inform der -in my-certificate.cer -out my-certificate.pem<br>Private key: openssl rsa -inform DER -outform PEM -in my-private-key.der -out my-private-key.pem |
P7B -> PEM | Certificate: openssl pkcs7 -print_certs -in my-certificate.p7b -out my-certificate.pem<br>From my-certificate.pem, take the content starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----" as the certificate.<br>Private key: No private key |
PFX -> PEM | Certificate: openssl pkcs12 -in certname.pfx -nokeys -out my-certificate.pem<br>Private key: openssl pkcs12 -in certname.pfx -nocerts -out my-private-key.pem -nodes |
Note:
- If your private key is encrypted, for example, the private key begins and ends with -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----, -----END ENCRYPTED PRIVATE KEY-----, or the private key contains Proc-Type: 4,ENCRYPTED, you need to run the following command to convert it:

    openssl rsa -in old_server_key.pem -out new_server_key.pem

- The private key needs to match the public key in the server certificate. You can use the following two commands to generate the MD5 value of the modulus of the certificate and of the private key. If the two values are the same, you can consider that the private key matches the public key in the certificate.

    openssl x509 -noout -modulus -in my-certificate.pem | openssl md5
    openssl rsa -noout -modulus -in my-private-key.pem | openssl md5
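
The two checks from the notes above as a script, added here as an example and not taken from the original page: one function reports which private-key markers a PEM file carries, the other confirms that a key belongs to a certificate. It goes beyond the RSA modulus comparison by comparing the full public keys, which also works for EC keys; the function names, the temporary file names and the CN example.test are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. File names are placeholders.

# Report which private-key encoding a PEM file uses, based on the markers
# listed in the note, so you know whether the conversion step applies.
key_kind() {
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then echo traditional-encrypted
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo rsa-traditional
    else echo unknown
    fi
}

# Return 0 if the key's public half equals the certificate's public key,
# 1 if it differs, 2 if either file cannot be parsed (an encrypted key
# counts as unparsable here: convert it first).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo: throwaway self-signed certificate, DER round trip as in
# the table, then the match check against the right key and a wrong key.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/cert.pem" -outform der -out "$d/cert.cer" || return 1
    openssl x509 -inform der -in "$d/cert.cer" -out "$d/back.pem" || return 1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    key_matches_cert "$d/back.pem" "$d/key.pem" && r1=match || r1=mismatch
    key_matches_cert "$d/back.pem" "$d/other.pem" && r2=match || r2=mismatch
    rm -rf "$d"
    echo "$r1 $r2"
}
```

Comparing the extracted public keys as strings, and rejecting empty output, avoids the false match that a hash pipeline produces when both openssl commands fail and the digest of empty input is compared with itself.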