IT-SDK-Security

From wiki.samerhijazi.net

Certificate

Ref.

Concepts

  • Private Key
  • Public Key
  • CSR (certificate signing request)
  • CA (Certificate Authority)
  • Signed Certificate
  • Algorithm && Format

P12, DER, PEM

Comparison of .p12, .der, .pem, and .jks Formats

.p12 (PKCS#12)
  • Encoding: binary, not human-readable, no text headers
  • File extensions: .p12, .pfx
  • Contents: private keys together with their certificates and the full chain; several objects in one file
  • Typical usage: bundling a certificate with its private key; common on Windows (as .pfx) and in Java, where it is the default keystore type since Java 9
  • Compatibility: Java, Windows, OpenSSL and most Linux tooling
  • Password protection: yes; the file is encrypted and carries a MAC, both derived from the password
  • Conversion tools: openssl pkcs12 (to/from PEM), keytool -importkeystore (to/from JKS)

.der (Distinguished Encoding Rules)
  • Encoding: binary ASN.1, not human-readable, no text headers
  • File extensions: .der, .cer
  • Contents: one object per file, usually a single certificate, public key or private key
  • Typical usage: Java and Windows environments, and wherever the compact binary form is required
  • Compatibility: Java, Windows and legacy systems that expect binary encoding
  • Password protection: no (an unencrypted DER private key is plaintext on disk)
  • Conversion tools: openssl x509 / openssl pkey with -inform der or -outform der (to/from PEM)

.pem (Privacy-Enhanced Mail)
  • Encoding: Base64 text between "-----BEGIN ...-----" and "-----END ...-----" lines (the payload is DER); human-readable
  • File extensions: .pem, .crt, .cert, .key (.crt is also used for DER files, so check the content, not the extension)
  • Contents: certificates, private keys, public keys and chains; several blocks can be concatenated in one file
  • Typical usage: web servers (Apache, Nginx), OpenSSL, most Linux tooling; the usual interchange format between systems
  • Compatibility: nearly everything; keytool reads PEM certificates but not PEM private keys
  • Password protection: certificates never; private keys only if the block itself is encrypted ("-----BEGIN ENCRYPTED PRIVATE KEY-----" or a Proc-Type/DEK-Info header)
  • Conversion tools: openssl x509 (to DER), openssl pkcs12 -export (to P12)

.jks (Java KeyStore)
  • Encoding: binary, proprietary to Java, not human-readable, no text headers
  • File extensions: .jks
  • Contents: multiple entries (private keys with their certificate chains, and trusted certificates) under unique aliases in one file
  • Typical usage: Java applications, mainly as keystore/truststore for SSL/TLS; default keystore type up to Java 8
  • Compatibility: Java only; other systems need a conversion to PKCS#12 first
  • Password protection: yes, but the store integrity check and the per-key encryption are weak proprietary constructions, one reason Java moved the default to PKCS#12
  • Conversion tools: keytool -importkeystore (to/from PKCS#12); OpenSSL cannot read .jks files directly

Inspect Certificates

openssl x509 -in <certificate_file> -text -noout
openssl x509 -inform der -in <certificate_file.der> -text -noout

OpenSSL

openssl req -new -x509 -days 365 -keyout ca.key -out ca.crt                                           ### Generate a new passphrase-encrypted CA private key 'ca.key' and a self-signed CA certificate 'ca.crt' (add -subj "/CN=..." to skip the interactive prompts)
openssl genrsa -out broker.key 2048                                                                   ### Generate a new 2048-bit RSA private key 'broker.key' (unencrypted)
openssl req -new -key broker.key -out broker.csr                                                      ### Generate a Certificate Signing Request 'broker.csr' for that key
openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out broker.crt -days 100   ### Sign the CSR with the CA key, producing 'broker.crt'; x509 -req ignores extensions inside the CSR, so pass -extfile to add subjectAltName etc.
openssl x509 -noout -text -in broker.crt                                                              ### Check the contents of a certificate
openssl x509 -outform der -in cert-file.pem -out cert-file.der                                        ### Convert PEM to DER (binary); .crt is used for both encodings, so name the output by its encoding
openssl rsa -in private.pem -out private_new.pem                                                      ### Remove the passphrase from an RSA private key (prompts for the old passphrase; the output is unencrypted, protect it accordingly)

Keystore

Ref.

init.

-A keystore and a truststore are used when an application needs to communicate over SSL/TLS: the keystore holds the application's own private key and certificate, the truststore holds the CA certificates it trusts.
-The default keystore format up to Java 8 is JKS.
-The default keystore format since Java 9 is PKCS12.

Keytool

DNAME="CN=Samer Hijazi, OU=Hijazi-Apps, O=Hijazi-Apps, L=Germany, ST=DE, C=DE"
FILE_NAME=file.jks
PASSWORD=password
ALIAS=cert
keytool -genkeypair -alias $ALIAS -keyalg RSA -keysize 2048 -storetype JKS -dname "$DNAME" -keystore $FILE_NAME -storepass $PASSWORD   ### Create the keystore and a key pair (private key + self-signed certificate); -dname must be quoted because it contains spaces (-genkey is the old name of -genkeypair)
keytool -list -keystore $FILE_NAME -storepass $PASSWORD   ### List keystore entries
keytool -exportcert -alias $ALIAS -rfc -keystore $FILE_NAME -storepass $PASSWORD   ### Export the certificate (never the private key) in PEM form; it goes to stdout unless -file <name> is given
### Convert JKS to the PKCS12 format
keytool -importkeystore -srckeystore identity.jks -srcstorepass storepassword -srckeypass keypassword -srcalias notebook -destalias notebook -destkeystore identity.p12 -deststoretype PKCS12 -deststorepass password -destkeypass password
openssl pkcs12 -in keystore_name.p12 -nodes -nocerts -out private.key   ### Extract the private key from the PKCS12 file as unencrypted PEM (-nodes)
openssl pkcs12 -in keystore_name.p12 -nokeys -out public-cert-file      ### Extract the certificate(s) only

Keystore

### Migrate to PKCS12, which is an industry-standard format (-deststoretype decides the format, not the file extension, so name the output .p12 to avoid confusion)
keytool -importkeystore -srckeystore source.jks -destkeystore keystore.p12 -deststoretype pkcs12
keytool -importkeystore -srckeystore source.jks -srcstorepass $PASSWORD -destkeystore destination.jks -deststorepass $PASSWORD -deststoretype JKS -destkeypass $PASSWORD -noprompt   ### Copy all entries into another JKS keystore
keytool -list -v -keystore keystore.jks   ### Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks -alias mydomain   ### Check a particular keystore entry using an alias
  • Convert a PKCS12 file to a JKS file.
keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype PKCS12 -srcstorepass <password> -destkeystore <keystore-NEW.jks> -deststoretype JKS -deststorepass <password>
  • Convert a PKCS12 file to PEM files.
openssl pkcs12 -in file.p12 -out newfile.crt.pem -clcerts -nokeys   ## certificate only (-clcerts: the end-entity certificate, without the CA certificates)
openssl pkcs12 -in file.p12 -out newfile.key.pem -nocerts -nodes    ## private key only, written unencrypted (-nodes)
  • Import a certificate into a keystore; import a private key together with its certificate.
keytool -importcert -file your_certificate.crt -keystore your_keystore.p12 -storetype PKCS12 -alias your_alias   ## certificate only: becomes a trusted-certificate entry, no private key
openssl pkcs12 -export -in your_certificate.crt -inkey your_private_key.key -name your_alias -out your_keystore.p12   ## keytool cannot import a bare PEM private key (there is no "PEM" store type): bundle key + certificate into a PKCS12 with openssl first, then use the .p12 directly (Java 9+) or convert it with keytool -importkeystore

Encrypt

gpg -c --batch --passphrase mypassword file.csv -o file.csv.gpg   ### Symmetric (passphrase-only) encryption; with GnuPG 2.1+ add --pinentry-mode loopback, otherwise --passphrase is ignored in batch mode
gpg -d --batch --passphrase mypassword file.csv.gpg -o file.csv   ### Decrypt with the same passphrase

openssl enc -aes-256-cbc -salt -pbkdf2 -in keystore.jks -out keystore.enc -k $KEYSTORE_PASSWORD   ### Encrypt; -pbkdf2 (OpenSSL 1.1.1+) replaces the weak legacy key derivation. -k puts the password on the command line, where other local users can read it from the process list: prefer -pass env:KEYSTORE_PASSWORD or -pass file:<path>
openssl enc -d -aes-256-cbc -pbkdf2 -in keystore.enc -out keystore.jks -k $KEYSTORE_PASSWORD     ### Decrypt with the same options; a file encrypted with -pbkdf2 only decrypts with -pbkdf2. Note that CBC mode has no integrity protection: tampering is only noticed if the padding breaks
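The openssl enc commands above, as an added example that is not part of the wiki page, with the passphrase taken from the environment instead of the command line, PBKDF2 key derivation, and a round-trip check that proves the decrypted file is byte-for-byte the original. File names, the variable KEYSTORE_PASSWORD and the iteration count are assumptions; it needs openssl 1.1.1 or newer for -pbkdf2.

```sh
#!/bin/sh
# Added example (not from the wiki page): passphrase-based file encryption done carefully.
set -eu

# Encrypt $1 to $2. The passphrase is read from $KEYSTORE_PASSWORD (assumed name),
# so it never shows up in `ps` output or shell history the way "-k <password>" does.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass env:KEYSTORE_PASSWORD -in "$1" -out "$2"
}

# Decrypt $1 to $2 with exactly the same KDF settings (they are not stored in the file).
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass env:KEYSTORE_PASSWORD -in "$1" -out "$2"
}

# SHA-256 of a file, used to prove the round trip is lossless.
file_digest() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Encrypt $1 into $2/enc, decrypt it to $2/dec, and return 0 only if the ciphertext
# is a genuine OpenSSL "Salted__" blob and the plaintext came back unchanged.
roundtrip_check() {
  src="$1"; tmp="${2:-$(mktemp -d)}"
  encrypt_file "$src" "$tmp/enc"
  [ "$(head -c 8 "$tmp/enc")" = "Salted__" ] || return 1
  decrypt_file "$tmp/enc" "$tmp/dec"
  [ "$(file_digest "$src")" = "$(file_digest "$tmp/dec")" ]
}

# Usage: KEYSTORE_PASSWORD='...' roundtrip_check keystore.jks /tmp/enc-test
```

Because CBC carries no authentication tag, a wrong passphrase is detected only through a padding error, which a random last block passes about one time in 256; a file that needs integrity as well as secrecy should be signed or MACed separately (gpg does this for you).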

Format Conversion (PEM, DER, P12)

  • PEM (Privacy-Enhanced Mail)
    • File Extensions: Commonly .pem, .crt, .cert, .key.
    • Contents: PEM files can store certificates, certificate chains, public keys and private keys, as Base64 text between "-----BEGIN ...-----" and "-----END ...-----" lines
  • DER (Distinguished Encoding Rules)
    • File Extensions: Commonly .der or .cer
    • Contents: Can store certificates, public keys, and private keys, but as a binary format with one object per file
openssl x509 -inform der -in $file.der -out $file.pem                                                     ### Convert DER to PEM (PEM is the default output form)
openssl x509 -inform pem -in $file.pem -outform der -out $file.der                                        ### Convert PEM to DER (without -outform der the output would still be PEM)
openssl pkcs12 -export -in $file.pem -inkey $key.pem -out $file.p12 -name "myalias" -passout pass:$PASS   ### Convert PEM (certificate + private key) to P12 (PKCS#12); add -certfile chain.pem to include the intermediates
openssl pkcs12 -in $file.p12 -out $file.pem -nodes                                                        ### Convert P12 to PEM (certificates and unencrypted private key in one file)
base64 -d $file.b64 > $file.pem                                                                           ### Decode a base64-wrapped file back to PEM (if the wrapped data was DER, the result is DER, not PEM)
cat file-1.pem file-2.pem file-3.pem > file-combined.pem                                                  ### Merge multiple certificates into one chain file: leaf certificate first, then the intermediates in signing order; each input must end with a newline
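Two checks that belong next to the conversions above, as an added example that is not part of the wiki page: the same certificate re-encoded as PEM, DER and PKCS#12 must keep its SHA-256 fingerprint (which is how you confirm a conversion did not pick up the wrong file), and a merged chain file must be in signing order, each certificate issued by the one after it. The file names cert.pem, key.pem, the alias and the password are assumptions; it needs openssl 1.1.1 or newer.

```sh
#!/bin/sh
# Added example (not from the wiki page): encoding round trip and chain-order check.
set -eu

# SHA-256 fingerprint of a certificate in either encoding ($2 = pem | der).
cert_fingerprint() {
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Re-encode $1/cert.pem (+ $1/key.pem) as DER and PKCS#12, extract the certificate
# from the PKCS#12 again, and compare the three fingerprints. Prints the fingerprint
# and returns 1 if any encoding disagrees.
roundtrip_formats() {
  dir="$1"; pass="${2:-changeit}"                                       # assumed names
  openssl x509 -in "$dir/cert.pem" -outform der -out "$dir/cert.der"
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" -name myalias \
    -out "$dir/cert.p12" -passout "pass:$pass"
  openssl pkcs12 -in "$dir/cert.p12" -passin "pass:$pass" -clcerts -nokeys \
    -out "$dir/cert-from-p12.pem" 2>/dev/null
  a=$(cert_fingerprint "$dir/cert.pem" pem)
  b=$(cert_fingerprint "$dir/cert.der" der)
  c=$(cert_fingerprint "$dir/cert-from-p12.pem" pem)
  [ "$a" = "$b" ] && [ "$a" = "$c" ] || { echo "fingerprint mismatch" >&2; return 1; }
  echo "$a"
}

# Split a combined PEM file into chain-1.pem, chain-2.pem, ... next to it and check
# that certificate N is issued by certificate N+1. Prints the number of certificates;
# returns 1 on the first out-of-order pair.
check_chain_order() {
  chain="$1"; dir=$(dirname "$chain")
  n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                       n>0 {print > (d "/chain-" n ".pem")}
                       END {print n+0}' "$chain")
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    iss=$(openssl x509 -noout -issuer  -in "$dir/chain-$i.pem" | sed 's/^[^=]*=//')
    sub=$(openssl x509 -noout -subject -in "$dir/chain-$j.pem" | sed 's/^[^=]*=//')
    [ "$iss" = "$sub" ] || { echo "chain-$i.pem is not issued by chain-$j.pem" >&2; return 1; }
    i=$j
  done
  echo "$n"
}

# Usage: roundtrip_formats /path/to/dir secret ; check_chain_order /path/to/file-combined.pem
```

The order check compares the issuer and subject names as OpenSSL prints them; a stricter version would run `openssl verify -untrusted` over the split files so that signatures, not just names, are checked.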

### Create an empty keystore (keytool cannot create one directly: this creates a dummy key pair; remove it afterwards with keytool -delete -alias dummy)
keytool -genkeypair -alias dummy -keystore keystore.jks -storepass $PASS -keypass $PASS -keyalg RSA -dname "CN=dummy"

### Import a DER or PEM certificate file into the keystore (certificate only, no private key: it becomes a trusted-certificate entry; keytool detects the encoding)
keytool -importcert -trustcacerts -alias $ID -file file.pem -keystore keystore.jks -storepass $PASS

### Import one entry of a .p12 (PKCS12) keystore into a Java KeyStore (.jks); -srcalias/-destalias select the entry, omit them to copy everything
keytool -importkeystore -srckeystore file.p12 -srcstoretype PKCS12 -srcstorepass $PASS -srcalias $ID -destkeystore keystore.jks -deststoretype JKS -deststorepass $PASS -destalias $ID

### Import/copy all entries (keys and certificates) from one Java KeyStore (source.jks) to another Java KeyStore (destination.jks)
keytool -importkeystore -srckeystore source.jks -srcstorepass $PASS -destkeystore destination.jks -deststorepass $PASS -noprompt

### Convert the keystore type between PKCS12 and JKS (-srcstoretype/-deststoretype decide the format, not the file extension)
keytool -importkeystore -srckeystore source.p12 -srcstorepass $PASS -srcstoretype PKCS12 -destkeystore destination.jks -deststoretype JKS -deststorepass $PASS -noprompt
keytool -importkeystore -srckeystore source.jks -srcstorepass $PASS -srcstoretype JKS -destkeystore destination.p12 -deststoretype PKCS12 -deststorepass $PASS -noprompt
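The two import paths from the keystore sections above end to end, as an added example that is not part of the wiki page: a PKCS12 identity keystore built from a PEM key and certificate (via openssl, since keytool cannot read PEM keys) and a truststore holding the CA certificate, followed by a cross-check that the SHA-256 fingerprint keytool reports for each entry is the one openssl computes for the source file. The file names ca.pem, cert.pem, key.pem, the aliases and the password are assumptions; the keystore type is PKCS12, the Java 9+ default. It needs openssl 1.1.1 or newer and a JDK keytool.

```sh
#!/bin/sh
# Added example (not from the wiki page): keytool imports verified against openssl.
set -eu

# Colon-separated SHA-256 fingerprint of a PEM certificate, as openssl prints it.
openssl_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The same fingerprint as keytool reports for one alias: "keytool -list -v" prints
# a "SHA256:" line per certificate; the first one belongs to the entry's own certificate.
keytool_fingerprint() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Build $1/identity.p12 (private key + certificate) and $1/truststore.p12 (CA only),
# verify both entries by fingerprint, and print the alias list of the identity store.
build_keystores() {
  dir="$1"; pass="${2:-changeit}"                                       # assumed names
  # Identity: keytool has no PEM store type, so openssl bundles key + cert first.
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" -name broker \
    -out "$dir/identity.p12" -passout "pass:$pass"
  # Truststore: a PEM certificate is imported directly as a trusted-certificate entry.
  rm -f "$dir/truststore.p12"
  keytool -importcert -noprompt -trustcacerts -alias lab-ca -file "$dir/ca.pem" \
    -keystore "$dir/truststore.p12" -storetype PKCS12 -storepass "$pass" >/dev/null 2>&1
  # Cross-check: what keytool stored is what openssl produced.
  [ "$(openssl_fingerprint "$dir/cert.pem")" = "$(keytool_fingerprint "$dir/identity.p12" "$pass" broker)" ]
  [ "$(openssl_fingerprint "$dir/ca.pem")" = "$(keytool_fingerprint "$dir/truststore.p12" "$pass" lab-ca)" ]
  # Entry lines look like "broker, <date>, PrivateKeyEntry, ..."; print the aliases.
  keytool -list -keystore "$dir/identity.p12" -storepass "$pass" 2>/dev/null \
    | sed -n 's/^\([^,]*\),.*/\1/p'
}

# Usage: build_keystores /path/to/pki changeit
```

Keeping the identity and the trust anchors in separate files matters operationally: the truststore can be shipped to every host without ever carrying a private key, and rotating a CA touches only the truststore.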