Gtopia

Ramblings of an idiot.

Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

The first thing we have to understand is what each type of file extension means. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly. The extension is only a label: a tool such as OpenSSL decides what to do based on the flags you pass (or the bytes it finds), not on the file name. Correctly labeled certificates will be much easier to manipulate.

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”. A DER encoded certificate starts with the byte 0x30 (an ASN.1 SEQUENCE tag), which is a quick way to recognise one.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data wrapped in “-----BEGIN …-----” and “-----END …-----” lines. A single PEM file can hold several blocks (a certificate chain, or a key plus its certificate); tools read the label in the BEGIN line to tell them apart.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
  • .CER = alternate form of .crt (Microsoft convention). Windows can export a .crt as .cer in either form (DER encoded .cer, or Base64 [PEM] encoded .cer). The .cer file extension is also recognized by Windows (and IE) as a command to run a CryptoAPI routine (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialog for viewing and/or importing the certificate contents.
  • .KEY = The KEY extension is used for private keys (and occasionally public keys), most often in PKCS#8 form. The keys may be encoded as binary DER or as ASCII PEM. Treat any .key file as secret unless you have confirmed it holds only a public key.

The only time CRT and CER can safely be interchanged is when the encoding is identical (i.e. a PEM encoded .crt is the same file as a PEM encoded .cer). Renaming never changes the bytes, so renaming a DER encoded .cer to .crt does not make it PEM; the consuming application must still be told, or detect, which encoding it is getting.

Common OpenSSL Certificate Manipulations

There are four basic types of certificate manipulations: View, Transform, Combination, and Extraction.

View

Even though PEM encoded certificates are ASCII, they are not human readable (the Base64 body is just the DER bytes). Here are some commands that will let you output the contents of a certificate in human readable form:

View PEM encoded certificate

Use the command that matches the extension of your certificate, replacing cert.xxx with the name of your certificate (all three are the same command; openssl x509 assumes PEM input unless told otherwise with -inform):

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in “View DER encoded certificate” below:

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in “View PEM encoded certificate” above:

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Transform

Transforms take a certificate from one encoding to another (e.g. PEM to DER). The certificate itself, and its signature, are unchanged; only the container changes, so the fingerprint reported by openssl x509 -noout -fingerprint is the same before and after.

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

Combination

In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file. One common example would be to put the private key and its certificate (which carries the public key) into the same file.

The easiest way to combine certs, keys and chains is to convert each to PEM encoding and then simply copy the contents of each file, one after the other, into a new file. This is suitable for combining files to use in applications like Apache. Because the bundle now contains the private key, give it the same protection as the key file itself (owner-only permissions), and keep the order of blocks that the application documents.

Extraction

Some certs will come in a combined form, where one file can contain any of: certificate, private key, public key, signed certificate, certificate authority (CA), and/or authority chain. For a PEM bundle, extraction is just pulling out the block(s) with the label you want (each block runs from its “-----BEGIN …-----” line to its “-----END …-----” line). For a PKCS#12 (.pfx/.p12) bundle, use openssl pkcs12, as described in the PFX post below.
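Putting the View, Transform, Combination and Extraction steps together, here is an added example (not part of the original post) in POSIX shell. It identifies the encoding from the bytes instead of trusting the extension, converts in both directions with the openssl x509 commands above and checks that the fingerprint is unchanged, and builds and splits a PEM bundle. It assumes openssl is on the PATH; the file names and the throwaway self-signed certificate generated by demo() are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: openssl in PATH.
# File names are made up; demo() generates a throwaway self-signed cert.

# Report "pem", "der" or "unknown" from the file contents, never the extension.
cert_encoding() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        echo der            # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# The View and Transform commands from the post, with -inform chosen automatically.
cert_text() { openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -noout -text; }
to_pem()    { openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -outform pem -out "$2"; }
to_der()    { openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -outform der -out "$2"; }

# SHA-256 fingerprint: identical before and after a transform, because only the
# container changes, never the signed bytes.
cert_fp() {
    openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -noout -fingerprint -sha256 | cut -d= -f2
}

# Combination: concatenate PEM files in the order the application documents.
# The bundle holds the private key, so it is created owner-only from the start.
combine_pem() {   # out.pem key.pem cert.pem [chain.pem ...]
    out=$1; shift
    ( umask 077; cat "$@" > "$out" )
}

# Extraction: list the block labels in a bundle, or pull out every block with one label.
pem_types()  { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }
pem_blocks() {   # file label     e.g. pem_blocks combined.pem "PRIVATE KEY"
    awk -v t="$2" '$0 == ("-----BEGIN " t "-----") {p=1} p {print} $0 == ("-----END " t "-----") {p=0}' "$1"
}

# Round trip on constructed material; prints "ok" only when every check passes.
demo() {
    (
        set -e
        d=$(mktemp -d); cd "$d"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
            -keyout key.pem -out cert.pem >/dev/null 2>&1
        to_der cert.pem cert.der                       # PEM -> DER
        [ "$(cert_encoding cert.pem)" = pem ]
        [ "$(cert_encoding cert.der)" = der ]
        to_pem cert.der back.pem                       # DER -> PEM again
        [ "$(cert_fp cert.pem)" = "$(cert_fp cert.der)" ]
        [ "$(cert_fp cert.pem)" = "$(cert_fp back.pem)" ]
        cert_text cert.der | grep -q 'CN *= *example.test'   # viewing works on either encoding
        combine_pem combined.pem key.pem cert.pem
        [ "$(pem_types combined.pem | wc -l | tr -d ' ')" -eq 2 ]
        [ "$(pem_blocks combined.pem CERTIFICATE)" = "$(cat cert.pem)" ]
        cd /; rm -rf "$d"
        echo ok
    )
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh cert-encodings.sh demo`; it prints ok when the conversions preserved the fingerprint and the bundle split back into its two blocks. The functions take any file, so `cert_text cert.cer` works whether the .cer happens to be DER or PEM.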

Install Java from Oracle

Set up the browser plugin with this command:

sudo /usr/sbin/update-alternatives --install /usr/lib64/browser-plugins/javaplugin.so javaplugin /usr/java/default/lib/amd64/libnpjp2.so 3 --slave /usr/bin/javaws javaws /usr/java/default/bin/javaws

Step 1 – Software Needed

  • Windows 7 SP1 installation media. For this article I’ll be using a Windows 7 SP1 Enterprise 32 bit version of Windows.
  • The Windows® Automated Installation Kit (AIK) for Windows® 7 http://www.microsoft.com/download/en/confirmation.aspx?id=5753 This file downloads as: KB3AIK_EN.iso
  • The Windows Automated Installation Kit (AIK) Supplement for Windows 7 SP1 is an optional update to AIK for Windows 7 that helps you to install, customize, and deploy the Microsoft Windows 7 SP1 and Windows Server 2008 R2 SP1 family of operating systems. http://www.microsoft.com/download/en/details.aspx?id=5188 The release I’ve downloaded was released on 2/21/2011 and downloads as waik_supplement_en-us.iso
  • 7zip – used to extract files from the iso images.

Step 2

Install Windows 7 using default settings. We will customize this install. I’m using a virtual machine running in VMware Fusion so I can snapshot the progress.

  • User: default
  • Machine Name: BaseImage
  • No Updates
  • No password
  • Enable Administrator Account
  • Work Network
  • Copy All 3 isos to the desktop
  • Install 7zip
  • Install VMware Tools
  • Reboot
  • Login with your newly created account (not the built-in Administrator)

All programs needed for Sysprep.

Step 3 – Installing the wAIK

Extract the contents of the isos to the desktop using: Right click -> 7zip -> Extract to “foldername”. You should now have three folders on your desktop with the contents of the three isos.

From the KB3AIK_EN folder run wAIKX86.msi (wAIKAMD64.msi if you are installing 64-bit Windows).

Run the wAIKX86.msi installer:

  • Accept the License Agreement [next]
  • Accept Default folder of C:\Program Files\Windows AIK
  • Install for Everyone [next]
  • Click Next to start installation [next]
  • Finish install [Close]

Step 4 – Load image into System Image Manager

This will walk through loading a windows image (in this case the image is the install DVD) into the System Image Manager.

  • Launch the Windows System Image Manager.
  • The program will launch and show you a screen with a bunch of blank panes.

In the bottom left pane titled Windows Image, right click and select “New Image”.

Browse to the location where you extracted the Windows 7 iso (Desktop), then browse to the sources folder and choose the catalog file (.clg extension) “install_Windows 7 Enterprise.clg”.

Now we have the Windows image Loaded into the image manager. The next step will walk through creating an answer file.

Step 5 – Creating the answer file

– TODO — Create the File

Step 6 – Running Sysprep

In another VM instance start a vanilla Windows 7 installation. When you arrive at the welcome screen where it asks you to create a username, hit CTRL+SHIFT+F3; this will reboot the machine and put it in “audit” mode (logged on as the built-in Administrator, with no user account created yet).

  • Boot from Windows 7 Disk
  • Partition the Drive how you want it
  • Install VMware tools
  • reboot
  • Copy your unattend.xml to C:\Windows\System32\sysprep
Baby Girl

What is a PFX Certificate

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a file format commonly used to store X.509 private keys together with their public key certificates (and, optionally, the CA chain), protected with a password-based symmetric key.

In practice .pfx is just another file extension for a PKCS#12 (.p12) file. Unlike a .crt it is a container rather than a single certificate, and because it usually holds a private key it should be handled as a secret even though it is password protected: the password is all that stands between an attacker who copies the file and the key.

Convert PFX to PEM

These commands convert a pfx file to PEM encoded files. By default openssl pkcs12 prompts for a passphrase and encrypts the private key in the output; the -nodes flag (“no DES”) writes the private key unencrypted, so only use it when the output file is protected some other way. For converting pem to der encoded certificates see the Certificates and Encodings post above.

Export ALL: public certificate, private key, and CA chain as a single PEM file

Encrypt private key with a password

openssl pkcs12 -in Certificate.pfx -out NewCertificate.pem

Do not encrypt private key

openssl pkcs12 -in Certificate.pfx -out NewCertificate.pem -nodes

Export Public Certificate from pfx

openssl pkcs12 -in Certificate.pfx -out NewCertificate.pem -nokeys -clcerts

Export Private Key from pfx

openssl pkcs12 -in certificate.pfx -out certificate.key -nocerts -nodes

Export Certificate Authority (CA) Chain from pfx

openssl pkcs12 -in certificate.pfx -out ca-chain.pem -nokeys -cacerts
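To see the pkcs12 commands above working end to end, here is an added example (not from the original post) in POSIX shell. It builds a PFX from a constructed throwaway CA, leaf key and leaf certificate, pulls the certificate, key and chain back out with the same -clcerts / -nocerts / -cacerts flags, and then proves the extracted key belongs to the extracted certificate by comparing public keys (which works for RSA and EC keys alike, unlike the old RSA-only modulus hash). It assumes openssl is on the PATH; the file names and the password are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: openssl in PATH.
# File names and the password are constructed for the demo.

# The export/extract commands from the post, made non-interactive with
# -passin/-passout so they can run in a script (pass: shows the password
# in `ps` briefly; prefer file: or env: for anything that matters).
pfx_export() {   # key cert out.pfx password [chain.pem]
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5" -out "$3" -passout "pass:$4"
    else
        openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
    fi
}
pfx_cert()  { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts; }   # leaf cert only
pfx_key()   { openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes; }    # key, unencrypted
pfx_chain() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts; }   # CA certs only

# Public key in SubjectPublicKeyInfo PEM form, from a certificate or a key.
# Equal output means the key matches the certificate, whatever the algorithm.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }
cert_subject()   { openssl x509 -in "$1" -noout -subject; }

# Build a throwaway CA and leaf, bundle them, unbundle them, and check.
pfx_demo() {
    (
        set -e
        d=$(mktemp -d); cd "$d"
        pw='demo-password'      # constructed; never hard-code a real one
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
            -keyout ca.key -out ca.pem >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.test' \
            -keyout leaf.key -out leaf.csr >/dev/null 2>&1
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1 -days 1 \
            -out leaf.pem >/dev/null 2>&1

        pfx_export leaf.key leaf.pem bundle.pfx "$pw" ca.pem
        pfx_cert  bundle.pfx "$pw" > cert.pem
        pfx_key   bundle.pfx "$pw" > key.pem
        pfx_chain bundle.pfx "$pw" > chain.pem

        [ "$(pubkey_of_cert cert.pem)" = "$(pubkey_of_key key.pem)" ]   # key matches the cert
        cert_subject cert.pem  | grep -q 'leaf.test'                     # -clcerts gave the leaf
        cert_subject chain.pem | grep -q 'Demo CA'                       # -cacerts gave the CA
        [ "$(cert_subject cert.pem)" != "$(cert_subject chain.pem)" ]
        cd /; rm -rf "$d"
        echo ok
    )
}

case "${1:-}" in demo) pfx_demo ;; esac
```

Run it as `sh pfx-roundtrip.sh demo`. The public key comparison is the check worth keeping: a PFX exported from the wrong key or certificate still opens fine, and the mismatch only shows up later as a TLS handshake failure. One caveat for OpenSSL 3: PFX files produced by older tools often use RC2-40 encryption, and reading them needs the -legacy flag with the legacy provider loaded.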

Convert PFX to JKS ( Java Keystore )

If you have the JDK keytool and your PKCS#12 file, this one-line command converts it (the alias must match the friendly name of the entry in the .p12; leaving out -srcalias and -destalias imports every entry):
keytool -importkeystore -srckeystore source.p12 -srcstoretype pkcs12 -srcalias Alias -destkeystore target.jks -deststoretype jks -deststorepass password -destalias Alias

Recent JDKs treat JKS as a legacy format, and most Java software will read the PKCS#12 file directly if you give it -storetype pkcs12 (or set javax.net.ssl.keyStoreType to PKCS12), which avoids the conversion altogether.
Name that sound.

Variation on a game by a similar title.

This is one of those cases where a picture is worth a thousand words.

What is the difference between a Nerd, Geek, Dork, or Dweeb?

‘nuf said.

I was attempting to secure copy a file to a remote server and I encountered the following error:
$ scp file.txt user@ip_address:"/file path/"
scp: ambiguous target

So after some trial and error I discovered the problem was the space “ ” in the path to which I was attempting to copy the file. I knew you would have to escape the space with a “\ ”, however I would still get the error.

To solve this problem you need to escape the space AND add quotes around the path. The reason is that the path is parsed twice: your local shell strips the outer quotes, and the remote side then runs scp through a shell again, which splits an unescaped space into two arguments (hence “ambiguous target”). The inner backslash survives the first pass and protects the space on the second:
$ scp /file/to/copy user@desthost:"/file\ path/"

Participating Photographer

My lovely wife Chesnye has found a worthy cause to donate our resources to.  We’ve taken our photography business forever photoz and teamed up with Operation Love ReUnited.

THIS IS TAKEN FROM THEIR HOMEPAGE

Introduction To The Program:

If you have ever been through a military deployment, there are no words to explain how hard it is to send the father or mother of your children off to some foreign, dangerous land, leaving you all behind…. Alone.  It’s indescribable to watch their faces light up as their mother or father comes up the stairs of the airport after months, possibly a year or more, of not hugging each other.  Emotions fly through the main lobby, it’s so very good to have them home.  Your base’s Family Support Squadron will help you with your deployment.  But the last thing on your mind when your wife or husband arrives home after a 4 to 18 month tour, is capturing all this love– on film.  Most people are so overwhelmed with emotions they forget to simply point and shoot the camera they are grasping of their child’s first hug, or that single tear of relief from a mother being able to hold her twenty year old son again.  With the help of Operation: Love ReUnited and local photographers near your base, you can.

The Operation helps those long months go by a little faster.  It’s designed to capture moments that you will never remember.  It’s art.  It’s love.  And it’s all made possible by artists wanting to give something back to those who make the United States what it is, and ask for nothing in return- but to come home.

If you are a member or family member of the United States Military, and are interested in having very special and touching images with a patriotic edge taken of you and/or your family before a deployment or during, and at your reunion, please contact a photographer in your area now. You will receive a substantial package as a gift in appreciation for all you have been through as a military member. The package will always include a 4×6 album of pre-deployment images, such as a child’s hand clasped in his parent’s with the faint glimpse of a BDU sleeve, a marine in dress with his family, a sailor with his parents right before departure, or a child playing dress up in combat boots and a helmet. The album will be sent to the deployed soldier by the photographer, at no cost to you. Also with your package, all session fees will be waived. Your photographer may have a designated package or other options for Operation: Love ReUnited participants at their discretion with a signed model release.

About Pre-Deployment & Deployment Sessions:

OpLove Pre-Deployment & Deployment sessions help you say goodbye and cope with being away.  Anyone who has had to see their husband or wife, son, daughter, sister or brother off to war knows how hard it is to watch them walk away from you.  Our photographers are part of the program as volunteers.  They feel your pain, many of them being military spouses or family members themselves, they want to listen, they want to help ease your worries, they want to do what they can to help you through this deployment, and we do that with photography.  Your initial session will be either with your spouse before he or she deploys dressed in their dress uniform or BDUs for most of the session, or if you find OpLove after your loved one has deployed, your session will be done without your loved one keeping a patriotic theme that could include dress, hats, BDUs, boots and other military gear, but they will still experience all the love & benefits that OpLove has to offer.

About Returning Sessions:

When your loved one comes home from a deployment, the last thought on your mind will be your camera. Most people are so overwhelmed with emotions, they simply forget they are holding it in their hand. Once you find out about the time your loved one is to return from his or her deployment, please let your photographer know. They will want to accompany your family to the welcoming home of your spouse or loved one, and capture that first glimpse, that first embrace, and all the love that surrounds every person who walks off that plane, into their family’s arms. From this session photographers have the choice of presenting you an album and/or a CD of images.

To extract or “unbuild” an RPM so you can see its files you have to use two programs. The first is rpm2cpio, the second is cpio.

rpm2cpio: Extract cpio archive from RPM Package Manager (RPM) package.

cpio – allows a user to copy file to and from an archive.

Do this as root:
linux:/tmp/rpmsource# rpm2cpio <package>.src.rpm | cpio -idmv

Explanation: rpm2cpio reads the rpm and writes its payload out as a cpio archive, which is then piped through cpio to extract the files into the current directory. FLAGS: -i extract, -d make directories where needed, -m preserve modification time, -v verbose mode will list the names of the files as they are extracted.

I’m not sure if this will work for non-src rpms.

On CentOS 5.5 nxserver would not update the lastlog database. The USESSION directive was set correctly in the nxserver.conf file.

The solution: the permissions on /var/log/lastlog were set to 644 and the ownership was root:root. Once it was changed to root:utmp and 664, lastlog was updated correctly when a user logged into the NX session.