Bill Quith edited this page Nov 2, 2021 · 2 revisions

Create certificates for SSL certification

E.g. to set up Apache2 mod_SSL for HTTPS

Create pfx and then extract the necessary certs from it. Note:

  • Chrome requires a minimum RSA key size of 2048 bits
  • Chrome ignores CN and requires SAN (Subject Alternative Name)

To extract certs:

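# private key, unencrypted (-nodes); keep this file readable by its owner only
sudo openssl pkcs12 -in server.pfx -nocerts -out server.pem -nodes

# client (leaf) certificate only, no keys
sudo openssl pkcs12 -in server.pfx -clcerts -nokeys -out nswarm.crt

# private key again, this time encrypted with a PEM pass phrase
sudo openssl pkcs12 -in server.pfx -nocerts -out server.key

# make correct format: re-encode the key as PEM (written without a pass phrase)
sudo openssl rsa -in server.key -outform PEM -out server.pem.key

# CA certificates (chain) only, no keys
sudo openssl pkcs12 -in server.pfx -cacerts -nokeys -out server_cabundle.pem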
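
To confirm that the extracted key matches the certificate and that the certificate meets the two Chrome notes above (RSA of at least 2048 bits, SAN present), the following added example, which is not part of the original wiki page, builds a throwaway PFX and checks the extraction. The helper names `make_sample_pfx` and `check_pfx`, the `example.test` name and the `sample` password are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; make_sample_pfx and check_pfx are hypothetical helper names.

# Build a throwaway self-signed PFX (constructed sample input).
# $1 = dir, $2 = RSA bits, $3 = SAN value ("" gives a CN-only certificate)
make_sample_pfx() {
    dir=$1; bits=$2; san=$3
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 -subj "/CN=example.test" \
        ${san:+-addext} ${san:+"subjectAltName=$san"} \
        -keyout "$dir/src.key" -out "$dir/src.crt" 2>/dev/null || return 1
    # pass: on the command line is acceptable only for this sample password
    openssl pkcs12 -export -inkey "$dir/src.key" -in "$dir/src.crt" \
        -passout pass:sample -out "$dir/server.pfx"
}

# Extract key and certificate from a PFX, then check them.
# $1 = pfx file, $2 = import password, $3 = output dir
# Exit status: 0 ok, 1 extraction failed, 2 key/cert mismatch,
#              3 RSA key under 2048 bits, 4 no SAN extension
check_pfx() (
    pfx=$1; pw=$2; out=$3
    umask 077    # -nodes writes the private key unencrypted; keep it owner-only
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes \
        -out "$out/server.key" 2>/dev/null || exit 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys \
        -out "$out/server.crt" 2>/dev/null || exit 1
    # The key and the certificate must carry the same public key.
    k=$(openssl pkey -in "$out/server.key" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$out/server.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ] || exit 2
    text=$(openssl x509 -in "$out/server.crt" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || exit 3
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name' || exit 4
    exit 0
)

# Demo run on the constructed sample.
demo=$(mktemp -d)
make_sample_pfx "$demo" 2048 "DNS:example.test" && check_pfx "$demo/server.pfx" sample "$demo"
echo "check_pfx exit status: $?"
rm -rf "$demo"
```

Against a real `server.pfx`, call `check_pfx` with the file, its import password and an output directory; a non-zero status identifies which check failed.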

X.509 Certificate Filename Extensions

Technically, all SSL certificates are regarded as types of X.509 certificates. These digital certificates have different filename extensions and formats. Here’s a brief overview of several common filename extensions:

  • .pem — (Privacy-enhanced Electronic Mail) A Base64-encoded DER certificate, enclosed between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.
  • .cer, .crt, and .der — Although usually in binary DER form, Base64-encoded certificates are also common (see .pem above).
  • .p7b and .p7c — PKCS#7 SignedData structure without data, just certificate(s) or CRL(s).
  • .p12 — PKCS#12 files may contain certificate(s) (public) and private keys (password protected).
  • .pfx — PFX is the predecessor of PKCS#12. This type of file usually contains data in PKCS#12 format (e.g., with PFX files generated in IIS).

Convert CRT to CER

Because CER and CRT files are basically synonymous, they can be used interchangeably by simply changing the extension. So, if your server requires the .CER file extension, you can convert your .CRT file to .CER with the following steps:

  • Double-click on the yourwebsite.crt file to open it into the certificate display.
  • Click on the Details tab, and then select the Copy to file button.
  • Click Next in the certificate wizard.
  • Choose Base-64 encoded X.509 (.CER), and then click on Next.
  • Now, browse to the location where you want to store the file and type in the filename that you want to use.
  • Finally, save the file.
