Common standards for digital certificates
* PKI ITU-T X.509 standard, the traditional certificate standard (.DER, .PEM, .CER, .CRT)
* PKCS#7 Cryptographic Message Syntax standard (.P7B, .P7C, .SPC, .P7R)
* PKCS#10 certification request standard (.p10)
* PKCS#12 personal information exchange standard (.pfx, .p12)
X.509 is the base specification for digital certificates; PKCS#7 and PKCS#12 are two implementation specifications built on it: PKCS#7 for digital envelopes, PKCS#12 for a certificate bundled with its private key.
The basic certificate format carries the public key only.
An X.509 certificate consists of the user's public key and the user's identifier, together with the version number, certificate serial number, CA identifier, signature algorithm identifier, issuer name, validity period and other information.
Public Key Cryptography Standards #7
PKCS#7 certificates are generally split into two files, one holding the public key and one holding the private key, and both can be encoded as PEM or DER. PEM is the more common: it is plain text, normally used to distribute public keys, and what you see is a run of printable characters, usually with a .crt, .cer or .key suffix. DER is binary.
PKCS#7 is mainly used to build digital envelopes.
Certificate request syntax (PKCS#10).
Public Key Cryptography Standards #12
A file packaging format that specifies a portable, binary format for storing and distributing a user's or server's private key, public key and certificate; the file usually has the .pfx or .p12 suffix.
OpenSSL's pkcs12 command can create, parse and read these files.
P12 packs the certificate and its key into a single file, xxx.pfx. Its main concern is certificate distribution: the private key is strictly confidential and cannot be passed around as text, so the P7 format is unsuitable for distributing it, whereas a .pfx can be password protected and is therefore comparatively safe.
The PKCS series of standards
PKCS#7, PKCS#10 and PKCS#12 are all parts of the PKCS series. They do not replace one another; each defines a different usage scenario.
Certificate encoding formats
There are two encoding formats, PEM and DER.
Privacy Enhanced Mail (PEM)
Open the file and the content starts with "-----BEGIN..." and ends with "-----END...".
To view a PEM-format certificate: openssl x509 -in certificate.pem -text -noout
Apache and *NIX servers prefer this encoding.
Distinguished Encoding Rules (DER)
Open the file and you see binary: unreadable.
To view a DER-format certificate: openssl x509 -in certificate.der -inform der -text -noout
Java and Windows servers prefer this encoding.
Meaning of the various suffixes
There is no necessary relationship between a file's content and its suffix, but these suffixes are conventionally used to indicate what kind of file it is.
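Because the suffix is only a convention, the dependable way to tell a PEM file from a DER file is to look at its bytes. The shell functions below are an added illustration, not code from the original page: they detect the encoding by content, convert between the two forms, and decode the outer ASN.1 tag and length that every DER object starts with. They use only grep, sed, od and base64 (GNU or busybox flags assumed), and the sample bytes produced by make_sample_der are a constructed ASN.1 SEQUENCE, not a real certificate.

```shell
# Added example: tell PEM from DER by content, convert between them, and read
# the DER header. Uses only grep, sed, od and base64 (no openssl needed).

# Print "pem", "der" or "unknown" for the file given as $1.
cert_encoding() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        # X.509 certificates, CSRs, keys, PKCS#7 and PKCS#12 blobs are all
        # DER SEQUENCEs, so their first byte is the SEQUENCE tag 0x30.
        echo der
    else
        echo unknown
    fi
}

# Strip the -----BEGIN/-----END armour and base64-decode the body to stdout.
pem_to_der() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" | grep -v -- '^-----' | base64 -d
}

# Wrap a DER file in PEM armour; $2 is the label, default CERTIFICATE.
der_to_pem() {
    label=${2:-CERTIFICATE}
    echo "-----BEGIN ${label}-----"
    base64 -w 64 "$1"          # RFC 7468 wants 64-character lines
    echo "-----END ${label}-----"
}

# Decode the outer tag and length of a DER file as "tag=0x30 length=N".
# Handles the short form (length < 128) and the 1- and 2-byte long forms
# that real certificates use (e.g. 30 82 03 e4 = SEQUENCE of 996 bytes).
der_header() {
    set -- $(od -An -tx1 -N4 "$1")
    lb=$(( 0x$2 ))
    if [ "$lb" -lt 128 ]; then
        len=$lb
    elif [ "$lb" -eq 129 ]; then
        len=$(( 0x$3 ))
    elif [ "$lb" -eq 130 ]; then
        len=$(( 0x$3 * 256 + 0x$4 ))
    else
        echo "unsupported length encoding" >&2
        return 1
    fi
    echo "tag=0x$1 length=$len"
}

# Constructed sample: SEQUENCE { INTEGER 2, PrintableString "test" },
# i.e. bytes 30 09 02 01 02 13 04 74 65 73 74. Not a real certificate.
make_sample_der() {
    printf '\060\011\002\001\002\023\004test' > "$1"
}
```

A real certificate fails the short-form branch of der_header and takes the 0x82 path, which is why the second byte of almost every .der or .cer file is 0x82: the outer SEQUENCE is several hundred to a few thousand bytes long.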
.jks: Java Key Store (JKS).
.csr: certificate signing request (Certificate Signing Request).
This is not a certificate; it is an application to obtain a signed certificate from a certificate authority. Its core content is a public key (with some other identifying information attached).
To view one: openssl req -noout -text -in my.csr; for DER format add -inform der.
.der: generally refers to a certificate in DER format.
.crt / .cer: a certificate file; it may be in PEM format.
.key: usually stores a public key or a private key.
To view a key: openssl rsa -in mykey.key -text -noout
If it is in DER format, the same command with the input format added: openssl rsa -in mykey.key -text -noout -inform der
That is how to view a key generated with the RSA algorithm; for a key generated with the DSA algorithm use the dsa subcommand instead.
.crl: certificate revocation list (Certificate Revocation List), a signed data structure containing a list of revoked certificates.
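To tie the commands on this page together, here is an added shell script (not from the original page; the file names and the password "changeit" are invented) that uses OpenSSL to generate a private key, a PKCS#10 CSR, a self-signed X.509 certificate in both PEM and DER, a password-protected PKCS#12 bundle that carries the key, and a PKCS#7 bundle that carries only the certificate, and then inspects each with the viewing commands shown above. It assumes an openssl binary on PATH.

```shell
# Added example: walk through the formats on this page with the openssl CLI.
# Assumes `openssl` is on PATH; file names and the password are invented.

# Create key, CSR, PEM/DER certificate, PKCS#12 and PKCS#7 files inside $1.
demo_cert_formats() {
    dir=$1
    mkdir -p "$dir"
    # RSA private key in PEM (the file the page inspects with `openssl rsa`)
    openssl genrsa -out "$dir/mykey.key" 2048 2>/dev/null
    # PKCS#10 request: the public key plus a subject, not yet a certificate
    openssl req -new -key "$dir/mykey.key" -subj "/CN=example.test" \
        -out "$dir/my.csr"
    # Self-signed X.509 certificate, PEM encoded
    openssl x509 -req -in "$dir/my.csr" -signkey "$dir/mykey.key" -days 1 \
        -out "$dir/certificate.pem" 2>/dev/null
    # The same certificate re-encoded as DER (binary, identical content)
    openssl x509 -in "$dir/certificate.pem" -outform der \
        -out "$dir/certificate.der"
    # PKCS#12: certificate AND private key, protected by a password
    openssl pkcs12 -export -inkey "$dir/mykey.key" -in "$dir/certificate.pem" \
        -passout pass:changeit -out "$dir/bundle.pfx"
    # PKCS#7: certificate chain only, never a private key
    openssl crl2pkcs7 -nocrl -certfile "$dir/certificate.pem" \
        -out "$dir/bundle.p7b"
}

# Print the subject of a certificate; $2 is the input encoding (pem or der).
cert_subject() {
    openssl x509 -in "$1" -inform "$2" -noout -subject
}

# Count the certificates carried by a PKCS#7 bundle.
p7_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject='
}

# Print "yes" if the PKCS#12 file unlocks with password $2 and holds a key.
p12_has_key() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'; then
        echo yes
    else
        echo no
    fi
}

# Dump every artefact with the viewing commands from the page.
inspect_all() {
    dir=$1
    openssl req -noout -text -in "$dir/my.csr"
    openssl x509 -in "$dir/certificate.pem" -text -noout
    openssl x509 -in "$dir/certificate.der" -inform der -text -noout
    openssl rsa -in "$dir/mykey.key" -text -noout
    openssl pkcs7 -in "$dir/bundle.p7b" -print_certs -noout
    openssl pkcs12 -in "$dir/bundle.pfx" -passin pass:changeit -info -nokeys -noout
}

# Usage: sh this_script.sh /tmp/certdemo
if [ $# -ge 1 ]; then
    demo_cert_formats "$1"
    inspect_all "$1"
fi
```

The PEM and DER certificates print the same subject because only the encoding differs; the .p7b yields certificates and nothing else, while the .pfx refuses to open without the password, which is the distinction the page draws between P7 and P12 for distribution. For a DSA key, swap `openssl rsa` for `openssl dsa` in inspect_all.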