Using OpenSSL to convert private keys and certificates

[[171102]]

Recently, I need to use APNs push in iOS in my project, but my iOS colleague (Chun Ge) only gave me two p12 files. Suddenly I found that the certificate conversion problem is quite common, such as payment development before. In the program, the certificate in pem format is actually needed, so the conversion between certificates is involved.

Since private keys and certificates can be stored in different formats, this means we need to convert them. The most commonly used formats are as follows, first the format of the certificate:

• A binary DER certificate, containing the X.509 certificate in raw format, encoded using DER ASN.1.
• An ASCII PEM certificate contains a base64-encoded DER certificate that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
• PKCS#7 certificate, a complex format designed for transmitting signed or encrypted data, defined in RFC 2315. Usually has .p7b and .p7c as suffixes and can contain the entire certificate chain. This format is supported by Java's keytool tool.
• PKCS#12 (PFX) certificates and private keys, a complex format that can store and protect a server's private key and a complete certificate chain. It usually ends with .p12 and .pfx. This format is commonly used in Microsoft products, but can also be used for client certificates.

Then the corresponding private key format is:

• A binary DER private key, containing a private key in raw form, encoded using DER ASN.1. OpenSSL creates private keys in its traditional SSLeay format, but can also use another, less widely used format called PKCS#8 (defined in RFC 5208). The pkcs8 command can be used in OpenSSL to perform operations in PKCS#8 format.
• A private key in ASCII format, containing a base64-encoded DER private key, and sometimes with additional meta information, such as the algorithm used for password protection.

Having said so much, we can find that the conversion between private keys is much simpler, and can only be converted between DER and PEM formats. Compared with the conversion between certificates, it is slightly more complicated.

If you are interested, you can also check out my other article PKI format standard to see its concept.

Here, we need to extract the private key and certificate from the PKCS#12 format file. Let's start with the conversion between PEM and DER formats:

PEM and DER conversion

The conversion between PEM and DER format certificates can be done using the x509 tool provided by OpenSSL. Below we convert a DER format certificate to PEM:

 sky@sky-pc:~$ openssl x509 -inform DER - in private_key.der -outform PEM - out private_key.pem

Here, we use the -inform parameter to specify the input format as DER, the -in parameter to specify the input file name, and then the corresponding -outform and -out are used to specify the output format and file name.

Similarly, we can also convert an integer in PEM format to DER format:

 sky@sky-pc:~$ openssl x509 -inform PEM - in private_key.pem -outform DER - out private_key.der

Next, let's see how to extract the private key and certificate from the PKCS#12 format.

PKCS#12 Conversion

We can use the pkcs12 command provided by OpenSSL to implement the PKCS#12 format operation. First, we export the certificate and private key to PEM format:

 sky@sky-pc:~$ openssl pkcs12 - in   key .p12 - out   key .pem -nodes
 Enter Import Password :
 MAC verified OK

Here, we specify the name of the incoming file through the -in parameter, the -out file specifies the name of the output file, and the -nodes parameter indicates that the private key is not encrypted. In this process, we need to enter the password for signing.

If we do not add the -nodes parameter, the result will be as follows:

 sky@sky-pc:~$ openssl pkcs12 - in   key .p12 - out   key.pem​
 Enter Import Password :
 MAC verified OK
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:

As you can see, after the signature is successfully verified, we need to re-enter the new encryption password. In the exported file, you can see that the content of the file is:

 ...
 -----BEGIN ENCRYPTED PRIVATE KEY-----  
 MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIPdUUocbjDXUCAggA
 ...
 -----END ENCRYPTED PRIVATE KEY-----  

The result after adding -nodes is:

 ...
 -----BEGIN PRIVATE KEY-----  
 MIIEvwIBADANBgkqhkiG9w0BAQEFAAASCBKkwggSlAgEAAoIBAQC+QDKKakQ0fcvH
 ...
 -----END PRIVATE KEY-----  

After that, we can use an editor to open the output key.pem file and manually split them into independent private key, certificate and intermediate certificate files.

As programmers, most people are lazy. Can this tedious operation be simplified and let the machine do it itself?

In fact, it is possible to do so. Such operations are provided in OpenSSL. Let's first look at the operation of not exporting the certificate, so that we can get the private key:

 sky@sky-pc:~$ openssl pkcs12 - in   key .p12 -nocerts - out private_key.pem -nodes
 Enter Import Password :
 MAC verified OK

As you can see, we added an extra parameter -nocerts here to avoid exporting the certificate. Then the operation of not exporting the private key should be as follows:

 sky@sky-pc:~$ openssl pkcs12 - in   key .p12 -nokeys - out cert.pem -nodes 
 
 Enter Import Password : 
 
 MAC verified OK

Next, how do we export the PEM format certificate and private key to PKCS#12 format? We can do this:

 sky@sky-pc:~$ openssl pkcs12 - name   "My Certificate" -export - out fd.p12 -inkey key .pem - in cert.pem -certfile fd-chain.crt 
 
 Enter Export Password : 
 
 Verifying - Enter Export Password :

The -name option specifies the friendlyName in the certificate, and the -certfile specifies the file name of the trust chain.

Finally, we can also specify whether to export only the client and CA certificates through the -clcerts and -cacerts options.

PKCS#7 Conversion

To convert PEM to PKCS#7, we can use the crl2pkcs7 command.

 sky@sky-pc:~$ openssl crl2pkcs7 -nocrl - out   key .p7b -certfile cert.pem -certfile fd-chain.crt

Then, the generated file header will start with -----BEGIN PKCS7-----.

Finally, to convert PKCS#7 to PEM, we can use the pkcs7 command:

 sky@sky-pc:~$ openssl pkcs7 - in   key .p7b -print_certs - out key1.pem

Here, we use the -print_certs parameter to output the input certificates.

PKCS#8 and SSLeay conversion

If we want to convert a private key in PKCS#8 format to SSLeay format, we can do this:

 sky@sky-pc:~$ openssl rsa - in   key .pem - out ssleay.pem 
 
 writing RSA key  

At this point the file contents will look like this:

 -----BEGIN RSA PRIVATE KEY-----   
 
 MIIEpQIBAAKCAQEAvkAyimpENH3Lx4d8VH96XCYfKfCZ7qVtNuVseAvkSTC0q5dw 
 
 ... 
 
 -----END RSA PRIVATE KEY-----  

You can see that the word RSA is added to the header and the tail.

If we want to convert the traditional SSLeay private key to PKCS# format, we need to use the pkcs8 command:

 sky@sky-pc:~$ openssl pkcs8 -topk8 - in ssleay.pem - out pkcs8_key.pem 
 
 Enter Encryption Password : 
 
 Verifying - Enter Encryption Password :

By default, an encryption process is performed for this format, but we can use the -nocrypt parameter to prevent it from being encrypted:

 sky@sky-pc:~$ openssl pkcs8 -topk8 -nocrypt - in ssleay.pem - out pkcs8_key.pem

So we can convert the traditional SSLeay format to PKCS#8 format.

Generating certificates in APNs

Next, we will generate the certificate required for APNs push.

 sky@sky-pc:~$ openssl pkcs12 - in cer.p12 -clcerts -nokeys - out cert.pem -nodes
 Enter Import Password :
 MAC verified OK
 sky@sky-pc:~$ openssl pkcs12 - in cer.p12 -nocerts - out   key .pem -nodes
 Enter Import Password :
 MAC verified OK
 sky@sky-pc:~$ cat cert.pem key .pem > certs.pem

We first export only the client's certificate, then the private key, and finally we merge the contents of the two files into one file.