Recently, I needed to use APNs push for iOS in my project, but my iOS colleague (Chun Ge) only gave me two p12 files. It struck me that certificate conversion problems are quite common; I had run into them before in payment development, for example. The program actually needs the certificate in PEM format, so converting between certificate formats is involved. Since private keys and certificates can be stored in different formats, we need to be able to convert them. The most commonly used formats are as follows, first the format of the certificate:
Then the corresponding private key format is:
Having said so much, we can see that conversion between private keys is much simpler, since it only happens between the DER and PEM formats. Conversion between certificates is slightly more complicated. If you are interested, you can also check out my other article, PKI format standard, for the concepts. Here, we need to extract the private key and certificate from a PKCS#12 format file. Let's start with the conversion between PEM and DER formats:

PEM and DER conversion

Conversion between PEM and DER format certificates can be done with the x509 tool provided by OpenSSL. Below we convert a DER format certificate to PEM:
Here, we use the -inform parameter to specify the input format as DER and the -in parameter to specify the input file name; the corresponding -outform and -out parameters specify the output format and file name. Similarly, we can also convert a certificate in PEM format to DER format:
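Both directions as an added example (not the original post's commands): it round-trips a throwaway certificate through DER and back and checks that only the encoding changes. The file names and the CN demo.example are constructed for the demo.

```sh
#!/bin/sh
set -eu

# Returns 0 when the certificate survives PEM -> DER -> PEM unchanged.
pem_der_roundtrip() (
  dir=$(mktemp -d)
  # Throwaway self-signed certificate (constructed sample input).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null

  # PEM -> DER, then DER -> PEM.
  openssl x509 -inform PEM -in "$dir/cert.pem" -outform DER -out "$dir/cert.der"
  openssl x509 -inform DER -in "$dir/cert.der" -outform PEM -out "$dir/back.pem"

  # Only the encoding changed, so all three fingerprints must be equal.
  fp_pem=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
  fp_der=$(openssl x509 -inform DER -in "$dir/cert.der" -noout -fingerprint -sha256)
  fp_back=$(openssl x509 -in "$dir/back.pem" -noout -fingerprint -sha256)

  # PEM is base64(DER) between the BEGIN/END lines: decode the body by hand
  # and compare it byte for byte with the DER file.
  grep -v -e '-----' "$dir/cert.pem" | openssl base64 -d > "$dir/manual.der"

  rc=1
  if [ -n "$fp_pem" ] && [ "$fp_pem" = "$fp_der" ] && [ "$fp_pem" = "$fp_back" ] &&
     cmp -s "$dir/cert.der" "$dir/manual.der"; then
    rc=0
  fi
  rm -rf "$dir"
  return "$rc"
)

if pem_der_roundtrip; then echo "round trip OK"; else echo "round trip FAILED"; fi
```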
Next, let's see how to extract the private key and certificate from the PKCS#12 format.

PKCS#12 Conversion

We can use the pkcs12 command provided by OpenSSL to work with the PKCS#12 format. First, we export the certificate and private key to PEM format:
Here, we specify the name of the input file through the -in parameter, the -out parameter specifies the name of the output file, and the -nodes parameter indicates that the private key is not encrypted. In this process, we need to enter the password for signing. If we do not add the -nodes parameter, the result will be as follows:
As you can see, after the signature is successfully verified, we need to re-enter the new encryption password. In the exported file, you can see that the content of the file is:
The result after adding -nodes is:
After that, we can open the output key.pem file in an editor and manually split it into independent private key, certificate and intermediate certificate files. Most programmers are lazy, though. Can this tedious operation be simplified so that the machine does it itself? In fact, it can: OpenSSL provides such operations. Let's first look at the operation that does not export the certificate, so that we get only the private key:
As you can see, we added an extra parameter -nocerts here to avoid exporting the certificate. Then the operation of not exporting the private key should be as follows:
Next, how do we export the PEM format certificate and private key to PKCS#12 format? We can do this:
The -name option specifies the friendlyName in the certificate, and -certfile specifies the file name of the trust chain. Finally, we can also specify whether to export only the client or only the CA certificates through the -clcerts and -cacerts options.

PKCS#7 Conversion

To convert PEM to PKCS#7, we can use the crl2pkcs7 command.
Then, the generated file header will start with -----BEGIN PKCS7-----. Finally, to convert PKCS#7 to PEM, we can use the pkcs7 command:
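Both PKCS#7 directions as an added example (not the original post's commands). Two unrelated throwaway self-signed certificates stand in for a leaf and its CA; all file names and CNs are constructed.

```sh
#!/bin/sh
set -eu

# make_cert <dir> <cn>: throwaway self-signed certificate (constructed input).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Prints the PKCS#7 header line and what went into / came out of the bundle.
pkcs7_roundtrip() (
  dir=$(mktemp -d)
  make_cert "$dir" leaf.example
  make_cert "$dir" ca.example
  cat "$dir/leaf.example.pem" "$dir/ca.example.pem" > "$dir/chain.pem"

  # PEM -> PKCS#7. -nocrl: the bundle holds certificates only, no CRL.
  openssl crl2pkcs7 -nocrl -certfile "$dir/chain.pem" -out "$dir/chain.p7b"
  header=$(head -n 1 "$dir/chain.p7b")

  # PKCS#7 -> PEM. -print_certs writes every certificate in the container.
  openssl pkcs7 -in "$dir/chain.p7b" -print_certs -out "$dir/out.pem"

  certs_in=$(grep -c 'BEGIN CERTIFICATE' "$dir/chain.pem" || true)
  certs_out=$(grep -c 'BEGIN CERTIFICATE' "$dir/out.pem" || true)
  # The certs-only bundle carries no private keys, unlike a PKCS#12 file.
  keys_out=$(grep -c 'PRIVATE KEY' "$dir/out.pem" || true)
  rm -rf "$dir"
  echo "$header certs_in=$certs_in certs_out=$certs_out keys_out=$keys_out"
)

pkcs7_roundtrip
```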
Here, we use the -print_certs parameter to output the input certificates.

PKCS#8 and SSLeay conversion

If we want to convert a private key in PKCS#8 format to SSLeay format, we can do this:
At this point the file contents will look like this:
You can see that the word RSA is added to the header and the footer. If we want to convert the traditional SSLeay private key to PKCS#8 format, we need to use the pkcs8 command:
By default, an encryption process is performed for this format, but we can use the -nocrypt parameter to prevent it from being encrypted:
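The three key forms from this section side by side, as an added example (not the original post's commands). It assumes an RSA key; on OpenSSL 3.x the `rsa` command writes PKCS#8 unless `-traditional` is given, so the helper tries that option first. The file names and the password are constructed.

```sh
#!/bin/sh
set -eu

# to_traditional <in> <out>: write an RSA key in traditional (SSLeay) form.
# OpenSSL 3.x `rsa` writes PKCS#8 unless -traditional is given; older builds
# reject that option and write the traditional form anyway, hence the fallback.
to_traditional() {
  openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Prints the PEM header of each form, then whether PKCS#8 -> SSLeay gives
# back the same file we started from.
key_format_demo() (
  umask 077                      # every file below is a private key
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/gen.pem" 2048 2>/dev/null   # constructed demo key
  to_traditional "$dir/gen.pem" "$dir/ssleay.pem"

  # SSLeay -> PKCS#8, unencrypted.
  openssl pkcs8 -topk8 -nocrypt -in "$dir/ssleay.pem" -out "$dir/pk8.pem"
  # SSLeay -> PKCS#8, encrypted (the default). The constructed password is
  # passed through the environment instead of a command-line argument.
  DEMO_PW='constructed-demo-password' openssl pkcs8 -topk8 \
    -passout env:DEMO_PW -in "$dir/ssleay.pem" -out "$dir/pk8enc.pem"
  # PKCS#8 -> SSLeay.
  to_traditional "$dir/pk8.pem" "$dir/back.pem"

  for f in ssleay pk8 pk8enc; do head -n 1 "$dir/$f.pem"; done
  if cmp -s "$dir/ssleay.pem" "$dir/back.pem"; then echo same; else echo differ; fi
  rm -rf "$dir"
)

key_format_demo
```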
So we can convert the traditional SSLeay format to PKCS#8 format.

Generating certificates in APNs

Next, we will generate the certificate required for APNs push.
We first export only the client's certificate, then the private key, and finally we merge the contents of the two files into one file.
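The PKCS#12 steps from the section above and this merge, as one added example (not the original post's commands): it builds a throwaway .p12, exports the client certificate and the key separately, checks that they belong together, and writes one owner-only PEM. The variable name P12_PASS, the file names and the password are assumptions made for the demo.

```sh
#!/bin/sh
set -eu

# p12_to_apns_pem <in.p12> <out.pem>
# Import password is read from $P12_PASS (variable name assumed for this demo).
p12_to_apns_pem() (
  umask 077   # -nodes writes the private key in plaintext: keep it owner-only
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys -out "$tmp/cert.pem"
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes -out "$tmp/key.pem"
  # Same public key on both sides means the key belongs to the certificate.
  cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout)
  rc=1
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    cat "$tmp/cert.pem" "$tmp/key.pem" > "$2"   # certificate first, then key
    rc=0
  fi
  rm -rf "$tmp"
  return "$rc"
)

# Builds a throwaway .p12 (constructed sample input), converts it, and prints
# what ended up in the merged file.
apns_demo() (
  umask 077
  dir=$(mktemp -d)
  export P12_PASS='constructed-demo-password'
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=apns-demo.example" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -name "apns-demo" -inkey "$dir/key.pem" \
    -in "$dir/cert.pem" -passout env:P12_PASS -out "$dir/push.p12"
  if p12_to_apns_pem "$dir/push.p12" "$dir/apns.pem"; then
    certs=$(grep -c 'BEGIN CERTIFICATE' "$dir/apns.pem" || true)
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$dir/apns.pem" || true)
    enc=$(grep -c 'ENCRYPTED' "$dir/apns.pem" || true)
    mode=$(ls -l "$dir/apns.pem" | cut -c1-10)
    echo "certs=$certs keys=$keys encrypted=$enc mode=$mode"
  else
    echo "key/certificate mismatch"
  fi
  rm -rf "$dir"
)

apns_demo
```

On OpenSSL 3.x, a .p12 that was exported with older RC2 or 3DES encryption may only open when `-legacy` is added to the `pkcs12` commands.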