I have converted a CER/DER certificate with something like this:

```
openssl x509 -inform der -in hostname.cer -out hostname.pem
```

The resulting PEM file contains just:

```
-----BEGIN CERTIFICATE-----
... contents here..
-----END CERTIFICATE-----
```

But it does not contain the key part, is that normal? So I cannot use it in PHP/SOAPClient because it won't connect to the host.

On the other hand, I have successfully converted PFX/P12 format to PEM and the resulting file contains both certificate and key. But in the above case of the DER format certificate it doesn't.

What I used to convert the PFX to PEM was:

```
openssl pkcs12 -in ALEXANDRU_CATALIN.pfx -clcerts -nokeys -out ALEXANDRU_CATALIN_mycert.pem
openssl pkcs12 -in ALEXANDRU_CATALIN.pfx -nocerts -nodes -out ALEXANDRU_CATALIN_mykey.pem
```

And then I joined the contents of both files into one called bundle.pem. This worked: I ended up with a file with both certificate and key, and it connects via SOAP to the API, but as I say the DER to PEM doesn't give me a certificate that will work.

Any ideas on this? Am I missing something? Is the DER format not containing the key? Do I need something else?

jww
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Jan 10 '18 at 03:52

2 Answers

By default the public key is not converted.

BUT you can export it by adding the argument `-pubkey`:

```
openssl x509 -inform der -in hostname.cer -out hostname.pem -pubkey
```

This will give you a PEM file as follows:

```
-----BEGIN PUBLIC KEY-----
{...}
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
{...}
-----END CERTIFICATE-----
```

Reference: X509 documentation

Camille G.
  • Okay, but hmm, in the PFX to PEM I have certificate and private key; why is there a public key in your example? Will that work to connect? Sorry, but I don't get the difference between DER and PFX and public/private key. Will that work the same when I connect to the SOAP API? – Alexandru Trandafir Catalin Jan 09 '18 at 12:17
  • Anyway I will try and see if the soap call works with the certificate converted that way. – Alexandru Trandafir Catalin Jan 09 '18 at 12:23
  • It did not work as expected, I mean, it put no "public key" part in it. But the whole story is that 1) I converted PFX to PEM, 2) then used sslshopper.com to convert that PEM to DER, 3) finally tried to convert back DER to PEM. – Alexandru Trandafir Catalin Jan 09 '18 at 12:31
  • A certificate (encoded in DER or PEM) does not contain the private key. A *.pfx file is a PKCS12 archive containing multiple files, and most of the time a certificate and its associated private key. – Camille G. Jan 09 '18 at 12:32

A DER certificate file won't contain the private key. So there's no private key to convert. Only a PFX or a "multi-PEM" can contain both a certificate and a private key.

bartonjs
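The difference between the two conversions can be checked directly. The script below is an added example, not code from either answer: it builds a throwaway self-signed certificate, runs it through the DER and PKCS#12 round trips from the question, and reports what each resulting PEM file holds. The function names, the `demo.invalid` subject and the `demo` password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: what does a converted PEM file actually contain?

# Print cert+key, cert-only, key-only or empty for the PEM file in $1.
describe_pem() {
  c=no; k=no
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && c=yes
  # Matches PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY headers.
  grep -q -E -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && k=yes
  case "$c$k" in
    yesyes) echo cert+key ;;
    yesno)  echo cert-only ;;
    noyes)  echo key-only ;;
    *)      echo empty ;;
  esac
}

# Succeed only if the private key in $2 belongs to the certificate in $1,
# by comparing the public key derived from each.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample: throwaway key and self-signed certificate in a temp dir.
demo_roundtrip() {
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.invalid' \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
  # DER round trip, as in the question: only the certificate comes back.
  openssl x509 -in "$d/cert.pem" -outform der -out "$d/cert.cer" || return 1
  openssl x509 -inform der -in "$d/cert.cer" -out "$d/from_der.pem" || return 1
  # PKCS#12 round trip: the archive carries the private key as well.
  openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
    -out "$d/demo.pfx" -passout pass:demo || return 1
  openssl pkcs12 -in "$d/demo.pfx" -nodes -passin pass:demo \
    -out "$d/from_pfx.pem" 2>/dev/null || return 1
  echo "der->pem: $(describe_pem "$d/from_der.pem")"
  echo "pfx->pem: $(describe_pem "$d/from_pfx.pem")"
  if key_matches_cert "$d/from_der.pem" "$d/key.pem"
  then echo "key matches cert: yes"; else echo "key matches cert: no"; fi
  rm -rf "$d"
}

demo_roundtrip
```

The DER-derived file only becomes usable as a client bundle once the original private key file is appended to it, and `key_matches_cert` confirms that the two belong together before doing so.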