DEV Community: hobbyist-programmer-ar

PEM, DER, PFX, CER, CRT, and CSR for connecting to servers

hobbyist-programmer-ar — Sat, 05 Apr 2025 12:46:23 +0000

Hey All
Following my recent obsession with the the certificates and private key used to communicate between server and a client I am writing this post about my understanding of what the file extension we use as a backend engineer trying to connect to various server like kafka.

CER and CRT

The CER file is used to store information about the owner certificate and the specific public key. These files can hold only one certificate(x509) at max and it does not have the capacity to hold the private key. The specifically secured certificate authorities are those which belong to HTTPS, a trusted and secured protocol for browsing.The CER is a certificate of your server. It is usually received by the certificate authority for the domain. CER is mostly considered the same as CRT, although both are the same format of SSL certificate but are different filename extensions. The file can be generated by the above mentioned CA or we can generate it on our own which is also called an Self Signed Certificate. The self signed certificates are only intended for local development and testing. Incase we need to use it in production out in the real world we need to have it signed by a certificate authority.

Difference between CER and CRT

File Extensions: The most noticeable difference is the file extensions themselves: CER and CRT. This might seem insignificant, but it can cause compatibility issues with certain software or systems.
Usage and Convention: While both file types contain the same information, the CER extension is often used for security files installed in various operating systems. CRT is frequently associated with certificates that are specifically part of SSL/TLS implementations.
Operating System Compatibility: Some operating systems have preferences for one format over the other. For instance, Windows systems might prefer CER files, while UNIX/Linux systems prefer CRT files. ### Converting CRT to CER and Vice Versa #### CRT to CER

openssl x509 -in inputFile.crt -out outputFile.cer

CER to CRT

openssl x509 -inform der -in certificate.cer -out certificate.crt

CSR

A Certificate Signing Request(CSR) is the precursor of the certificate. It is usually generated on the same server you are planning to install your certificate on. The CSR contains information about the Common name, Organization, Country etc. which is used by the Certificate Authority to create your certificate. One a Self signed certificate we would be creating our own Certificate(CER or CRT) from the CSR. We generally used the Private Key to generate the CSR

Data stored in the CSR

Information about your website you’re trying to equip with SSL
1. Common Name : The fully qualified domain name (FQDN) of your server.
2. Organization : The legal name of your organization. Do not abbreviate and include any suffixes, such as Inc., Corp., or LLC.
3. Organizational Unit : The division of your organization handling the certificate.
4. City/Locality : The city where your organization is located. This shouldn’t be abbreviated.
5. State/County/Region :The state/region where your organization is located. This shouldn't be abbreviated.
6. Country : Two-letter country code where organization is located.
7. Email Address : Email address used to contact your organization.
The public key that will be included in the certificate.
1. Since the SSL use Assymetric keys to encrpyt the data transmitted suring the SSL session the public key is included in the CSR
2. The Public key is used to encrypt the message and the private key is used to decrypt it.
Information about the key type and length
1. Used to carry information about the key wether its RSA 2048 or ECC.

PFX

PFX is a password protected file certificate commonly used for code signing you app. It derives from the PKCS 12 Archive File format certificate. The PFX files generally holds the below contents

x509 public key certificates
x509 private keys
Intermediate Certificate (Optional) Establish a chain of trust from the certificate to a trusted root certificate.

Convert CER to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.cer -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem -passin pass:root -passout pass:root

I'll be covering what an PKCS is in a separate post.

PEM

PEM - Privacy Enhanced Email. It is the most common forat for x509 certificates. It contains one or more formats in a Base64 ASCII encoding each with a plain text header and footer (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). A single PEM file could contain an end-entity certificate, a private key, or multiple certificates forming a complete chain of trust. Most certificate files downloaded from SSL.com will be in PEM format.

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

DER

DER (Distinguished Encoding Rules) is a binary encoding for x509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----. DER files are most commonly seen in Java contexts.

Convert PEM to DER and Certificates

Convert PEM to DER

openssl rsa -in <file_with_key> -out <new_der_key_file> -outform DER
openssl rsa -in <file_with_key> -inform PEM -out <new_der_key_file> -outform DER

Convert PEM to Certificate

openssl x509 -in <cert_file> -out <new_der_cert> -outform DER
openssl x509 -in <cert_file> -inform PEM -out <new_der_cert> -outform DER

PEM is a base64 encoded file with where as the DER is the binary form. Since we do not use the headers in the DER file we can distinguish between different objects and hence DER can only store one object where as a PEM has simple headers and footers which allows us to distinguish and store multiple objects

Generating a Self Signed ECC Certificate and Private Key and Validating the same

hobbyist-programmer-ar — Thu, 03 Apr 2025 17:09:13 +0000

Creating my Own Self Signed ECC Certificate

Hey All
This is a continuation for the last post where I mentioned the steps to generate and validate a RSA Certificate and Private Key. Here I wanted to add the steps to create and validate an Certificate and Private key that uses ECC.

Create a ECC Cert and Private Key.
Validate an ECC Cert and Private Key Pair

Create a ECC Cert and Private Key

Generating a Private Key This command generates an ECC private key using the prime256v1 curve and saves it to a file.

openssl ecparam -name prime256v1 -genkey -noout -out ecc_private_key.pem

openssl → The command-line tool for cryptographic operations.
ecparam → This tells OpenSSL that we are working with Elliptic Curve parameters.
-name prime256v1 → Specifies the elliptic curve to use.
prime256v1 is the same as secp256r1, which is a widely used and secure curve.

You can list available curves using:
openssl ecparam -list_curves

-genkey → Generates a new private key based on the selected curve.
-noout → Prevents OpenSSL from printing the EC parameters to the output (keeps output clean).
-out ecc_private_key.pem → Saves the generated private key to a file named ecc_private_key.pem.

Generating a CSR OpenSSL will ask for identity details (like domain name, organization, location). The output file ecc_csr.pem contains:
Your public key
Your identity information
A digital signature using your private key

openssl req -new -key ecc_private_key.pem -out ecc_csr.pem

req → This tells OpenSSL we are working with a certificate request.
-new → Creates a new CSR (Certificate Signing Request).
-key ecc_private_key.pem → Uses the previously generated ECC private key.
-out ecc_csr.pem → Saves the CSR to a file named ecc_csr.pem.

Generate a Self Signed Cert A self-signed certificate is useful for testing but isn't trusted by browsers or CAs. If you're using it for a personal system or internal network, it's fine. Otherwise, you'll need a CA-signed certificate.

openssl req -x509 -key ecc_private_key.pem -days 365 -out ecc_certificate.pem

req → Again, we're working with a certificate request.
-x509 → This tells OpenSSL to create a self-signed certificate instead of a CSR.
-key ecc_private_key.pem → Uses your ECC private key to sign the certificate.
-days 365 → Specifies the validity period (365 days = 1 year).
-out ecc_certificate.pem → Saves the self-signed certificate as ecc_certificate.pem.
Verify the Private Key This command lets you inspect the ECC private key, showing:
The chosen elliptic curve.
The private key value (big number).
The public key (derived from the private key).

openssl ec -in ecc_private_key.pem -noout -text

ec → This tells OpenSSL that we are working with an Elliptic Curve (EC) private key.
-in ecc_private_key.pem → Specifies the input file (your private key).
-noout → Prevents OpenSSL from printing the key in PEM format.
-text → Prints the private key details in human-readable form.
Verify the Certificate
Shows certificate details: issuer, subject, validity, public key, signature.
Verifies that the certificate was correctly generated.

openssl x509 -in ecc_certificate.pem -noout -text

x509 → Specifies that we are working with an X.509 certificate.
-in ecc_certificate.pem → Reads the self-signed certificate.
-noout → Prevents OpenSSL from outputting the raw certificate in PEM format.
-text→ Prints detailed certificate information in human-readable format.

Verify the ECC Cert and Private Key Pair

Command to extract the Key value pair

openssl pkey -in ecc_private_key.pem -pubout -outform pem | sha256sum
openssl x509 -in ecc_certificate.pem -pubkey -noout -outform pem | sha256sum

openssl pkey → Works with private keys.
-in ecc_private_key.pem → Reads the private key file.
-pubout → Extracts the public key from the private key.
-outform pem → Outputs the public key in PEM format.
openssl x509 → Works with X.509 certificates.
-in ecc_certificate.pem → Reads the certificate file.
-pubkey → Extracts the public key from the certificate.
-noout → Prevents the certificate details from being printed.
-outform pem → Outputs the public key in PEM format.
sha256sum → Computes a SHA-256 hash of the public keys.
If the hash values match, it means the private key and certificate belong to the same key pair.
If the hash values don’t match, then the certificate does not correspond to the private key.

Creating a Self Signed Certificate and Verifying the Private Key and Certificate

hobbyist-programmer-ar — Sat, 22 Mar 2025 15:49:26 +0000

Hey all

I wanted to share one of the issue I faced at work this week and the steps I did to debug this issues. The issue mostly revolved around the keystore that we use in our application and it was a simple issue that took us around two days to figure out. It was a simple issue where we used the wrong private key and certificate combination and was overlooked with led to two days of unnecessary work. I am sharing some of the steps I did to figure it out which could be useful for you the next time. I am writing this post as two parts.

Part 1: You create your own ssl certificates
Part 2: You debug the certificate to see if the PK and Cert matches

Part 1 : Creating my own Self Signed Certificate

Creating a Private Key

To create a new Private key in the PKCS#1 format execute the below command

# openssl genrsa -des3 -out key_name.key key_strength
openssl genrsa -des3 -out private_key.key 2048

Creating a Certificate Signing Request

To Create a new certificate signing request with the above private key execute the following command

# openssl genrsa -des3 -out key_name.key key_strength
openssl req -new -key private_key.key -out certificate_signing_request.csr

Note : Your certificate signing request is not your actual cert. It only contains the information which is needed to generate a certificate based on your private key

Creating a Certificate

Execute the below command to get a certificate out of the csr we created above

openssl x509 -req -in certificate_signing_request.csr -signkey private_key.key -out certificate.crt

Creating a Keystore out of the JKS

In order to add the certificates to a key store the following command is required

Convert your certificate and private key in to a PKCS12(.p12 of .pfx) file using the below command

openssl pkcs12 -export -out keystore_pkcs.p12 -inkey private_key.key -in certificate.crt -name "faustus" -password pass:bulgogi

Once the pkcs is created we can create the jks out of it using the below command

keytool -importkeystore -srckeystore keystore_to_test.p12 -srcstoretype PKCS12 -srcalias faustus -srcstorepass bulgogi2902 -destkeystore dest_ks.jks -deststoretype JKS -deststorepass bulgogi2902 -destalias fausto

The keystore can be check with the following command to list the contents

keytool -list -v -keystore dest_ks.jks -storepass bulgogi2902

Part 2 : Validating the SSL Certificates

Checking the private Key

openssl rsa -in [key-file.key] -check -noout

The above command lets us know if the private key has been tampered with
Some of the faulty responses are

RSA key error : p not prime
RSA key error : n does not equal p q
RSA key error : d e not congruent to 1
RSA key error : dmp1 not congruent to d
RSA key error : iqmp is not inverse of q

Incase the private key is not tampered with we can get the following response

RSA key ok

Confirm the Modulus Value Matching with Private Key and SSL/TLS certificate Key Pair

The modulus of the private key and the certificate must match exactly

To view the certificate modulus

openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key modulus

openssl rsa -noout -modulus -in [key-file.key]

Perform Encryption with Public Key from certificate and Decryption with Private Key

Get public key from the certificate

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

Encrypt test.txt file content using the public key. Create a new file called test.txt file with the content "message test". Perform the following command to create an encrypted message to cipher.txt file.

openssl pkeyutl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

Decrypt from cipher.txt using the private key

openssl  pkeyutl  -decrypt -in cipher.txt -inkey [key-file.key]

Confirming the integrity of file which is signed with private key. Perform following command to sign test.sig and test.txt file with your private key

openssl dgst -sha256 -sign  [key-file.key] -out test.sig test.txt

Verify the signed files with your public key that was extracted from step 1. Get public key from certificate.

openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

The output from the terminal should show the below message
verified ok
Incase the private key has been tampered with the following message will appear
Verification Failure

Like most post this is just information I compiled from different source to one post so that it could be a one stop shop. Hopefully this help you solve the issues or at least put you on the right path.