I want to be able to send certificates in my API requests.

Please see - Add certificate on request with RestSharp

As shown in that post, I need to convert .crt and .key to .pfx; however, my current certificates are .pem, so I thought I will need to convert them into .crt and .key first and then use the openssl command used in that post to convert them into .pfx and then carry on with the rest of the solution.

My certificates are -

CRT file - C:\Users\JohnSmith\Downloads\certsh\client-crt.pem

Key file - C:\Users\JohnSmith\Downloads\certsh\client-key.pem

I was able to convert the Key file to a .key, but when trying to convert the CRT file I am getting this error.

    unable to load certificate
    13668:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: TRUSTED CERTIFICATE
    error in x509

I am using this command to try and convert the .pem to .crt

x509 -outform der -in client-csr.pem -out client.crt
HH44
  • "however my current certificates are .pem, so I thought I will need to convert them into .crt and .key first" That doesn't make sense. First, filenames and extensions are irrelevant. They just aid humans; computers do not care. PEM is an encoding format. A "PEM file" can contain either a key or one (or more) certificates. The error message you quote just means that the file does not contain a certificate. Your question is off-topic here as not related to programming, but this resource should tell you everything you need for format conversions: https://www.madboa.com/geek/openssl/ – Patrick Mevzek Jul 09 '20 at 17:30

1 Answer

The extension .pem indicates that the format of the file is PEM (Privacy-Enhanced Mail) (RFC 7468). The content of the file may be a certificate, a private key, a public key, or something else. If you open a PEM file with a text editor, you will see -----BEGIN ?????----- at the top.

The extension .crt implies that the content of the file is a certificate. However, the extension does not tell anything about the file format. The format may be PEM, DER (Distinguished Encoding Rules) (X.690), or something else. If the file contains -----BEGIN CERTIFICATE-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.

The extension .key implies that the content of the file is a private key. However, the extension does not tell anything about the file format. The format may be PEM, DER, or something else. If the file contains -----BEGIN PRIVATE KEY-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.

The string csr, which is a part of the file name client-csr.pem, implies that the content of the file is a CSR (Certificate Signing Request). Note that a CSR is NOT a certificate. It seems you are trying to convert the file format of client-csr.pem from PEM to DER, but the CSR will never become a certificate by converting the file format. What you should give to the openssl command is not client-csr.pem but client-crt.pem, I think.

Understanding the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468) will improve the quality of your questions and help you avoid wasting time. I hope that the diagrams below, excerpted from "Illustrated X.509 Certificate", can help you.


Takahiko Kawasaki
  • Thanks for this ... and yh my mistake .. I was using client-csr.pem and it should have been client-crt.pem – HH44 Jul 10 '20 at 14:20
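
The point made in the answer, as an added Python example that is not part of the original question or answer: the `-----BEGIN …-----` label, not the file name, decides what a PEM file holds and which openssl subcommand can read it, and the PEM body is only the base64 form of the same DER bytes. The label table, function names and sample blocks are assumptions of this sketch; the samples are constructed and carry placeholder DER, not a real CSR or certificate.

```python
import base64
import re

# PEM label -> (what the block holds, openssl subcommand that reads it)
LABELS = {
    "CERTIFICATE": ("certificate", "x509"),
    "TRUSTED CERTIFICATE": ("certificate", "x509"),
    "CERTIFICATE REQUEST": ("CSR", "req"),
    "PRIVATE KEY": ("private key", "pkey"),
    "RSA PRIVATE KEY": ("private key", "rsa"),
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, kind, subcommand, der) for every PEM block in text."""
    for m in PEM_RE.finditer(text):
        label = m.group(1)
        # Lines containing ':' are legacy headers (e.g. Proc-Type), not base64.
        b64 = "".join(l.strip() for l in m.group(2).splitlines() if ":" not in l)
        der = base64.b64decode(b64, validate=True)  # PEM body is base64 of DER
        kind, tool = LABELS.get(label, ("unknown object", None))
        yield label, kind, tool, der

def x509_can_load(text):
    """Return (ok, reason) for feeding this file to `openssl x509`."""
    blocks = list(pem_blocks(text))
    if not blocks:
        return False, "no PEM start line (DER or non-PEM input)"
    certs = [b for b in blocks if b[2] == "x509"]
    if certs:
        return True, f"found {certs[0][0]}"
    label, kind, tool, _ = blocks[0]
    hint = f"use 'openssl {tool}'" if tool else "unrecognised label"
    return False, f"file holds a {kind} ({label}); {hint}"

def make_pem(label, der):
    """Build a PEM block; used only to construct the sample inputs below."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples: the DER is a placeholder SEQUENCE, not a real CSR or cert.
PLACEHOLDER_DER = bytes.fromhex("3003020100")
SAMPLE_CSR = make_pem("CERTIFICATE REQUEST", PLACEHOLDER_DER)
SAMPLE_CRT = make_pem("CERTIFICATE", PLACEHOLDER_DER)

if __name__ == "__main__":
    for name, pem in (("client-csr.pem", SAMPLE_CSR), ("client-crt.pem", SAMPLE_CRT)):
        print(name, x509_can_load(pem))
```

Running it on the two samples shows the CSR being rejected for `x509` with a pointer to `req`, while the block labelled CERTIFICATE is accepted.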