.pfx to .pem conversion help

.pfx to .pem conversion help

Shen, Wei (AB21)

Hi all,

 

I am a newbie in SSL. In my Java application, I need to convert a Windows generated certificate file (.pfx) into a Linux readable format (which is a .pem format). Then upload the files to a device.

Moreover, most of the Linux systems would expect the .pfx file to be converted into two separate files

1. A Linux supported .pem file (certificate portion of pfx file)

2. A Linux supported .prv file (Separate the key from pfx file into a separate file)

Some googling directed me to the bouncycastle’s site.  Can I do this using bouncycastle’s library? If yes, how?  Please help.

Thanks in advance.

 

 

Wei Shen


RE: .pfx to .pem conversion help

Shen, Wei (AB21)

Thanks very much for Maarten’s quick reply.

 

I looked at the KeyStore api. Since I am a newbie in this area, please bear with me with the following two naïve questions:

 

  1. getCertificate(String alias) and getKey(String alias, char[] password) require an alias parameter. Do I have to know the alias and the password in the .pfx file beforehand or I need to parse those out?
  2. The Certificate.getEncoded() method says “X.509 certificates would be encoded as ASN.1 DER”. Then I need to re-encode it in the PEM format. My question is will Linux accept the ASN.1 DER encoding?

 

Thanks again.

 

Wei Shen

 


From: Maarten Bodewes [mailto:[hidden email]]
Sent: April 8, 2010 6:18 PM
To: Shen, Wei (AB21)
Subject: Re: [dev-crypto] .pfx to .pem conversion help

 

 

On Thu, Apr 8, 2010 at 11:09 PM, Shen, Wei (AB21) <[hidden email]> wrote:

> Hi all,
>
> I am a newbie in SSL. In my Java application, I need to convert a Windows generated certificate file (.pfx) into a Linux readable format (which is a .pem format). Then upload the files to a device.

OK, that does not sound like SSL to me, but more like general crypto.

.pfx is just PKCS#12 if memory serves me right.

> Moreover, most of the Linux systems would expect the .pfx file to be converted into two separate files
>
> 1. A Linux supported .pem file (certificate portion of pfx file)

PEM is just an encoding, basically base64 with a header and footer line for separation. What you are talking about is an X.509 certificate using PEM encoding.

> 2. A Linux supported .prv file (Separate the key from pfx file into a separate file)

.prv is simply a PKCS#8 encoded private key, again in PEM format.

> Some googling directed me to the bouncycastle’s site.  Can I do this using bouncycastle’s library? If yes, how?  Please help.

Yes, you should be able to use bouncy castle. If really required, you could even just use the Java JRE. You can read the PKCS#12 encoded .pfx file into a KeyStore using KeyStore.load(). Then you retrieve the certs and keys from the KeyStore. After retrieving them you can just use the .getEncoded() methods on the object instances to get the correct binary encoding. After that you will still need to convert to PEM format so that might get tricky - you'll need to find a base64 encoder and add the PEM header and footer.

David will probably fill you in on the details on how to do this with Bouncy :)

Regards,
Maarten


RE: .pfx to .pem conversion help

Shen, Wei (AB21)

Here is the use case for my application.  

 

The user installs the software that is written in Java on a PC. He/She needs to upload the .pfx file that is generated by a Windows server to a device that is running embedded Linux. The requirement is to convert the .pfx file into the .pem and .prv files then upload them to the device.  I do not want the user to install openssl just for the sake of this conversion. I want to find a java library to do this conversion within the program. I think bouncy castle can help me achieve this goal. However, I need to figure out how. Maarten gave me great guidance on the steps I need to go through. Is there any convenient way to do this using bouncy castle?

Thanks.

 

Wei Shen

 


From: Maarten Bodewes [mailto:[hidden email]]
Sent: April 9, 2010 10:12 AM
To: Shen, Wei (AB21)
Subject: Re: [dev-crypto] .pfx to .pem conversion help

 

 

On Fri, Apr 9, 2010 at 5:18 PM, Shen, Wei (AB21) <[hidden email]> wrote:

> 1. getCertificate(String alias) and getKey(String alias, char[] password) require an alias parameter. Do I have to know the alias and the password in the .pfx file beforehand or I need to parse those out?

Yes, you need a password if it has been set. If it hasn't been set, try null. You can simply retrieve all aliases by calling the correct method on the keystore object. Note that a certificate and private key will normally be stored under the same alias.

> 2. The Certificate.getEncoded() method says “X.509 certificates would be encoded as ASN.1 DER”. Then I need to re-encode it in the PEM format. My question is will Linux accept the ASN.1 DER encoding?

Linux itself (the kernel) does not offer direct support for crypto AFAIK. You are probably referring to openssl, which is a crypto library available for posix systems that goes a bit further than the name suggests. With openssl you can specify " -inform DER" for most arguments. Of course, openssl also offers direct support for pkcs12, so the question quickly becomes why you need Java to do the job.

Regards,
Maarten


RE: .pfx to .pem conversion help

David Hook-2
In reply to this post by Shen, Wei (AB21)
On Fri, 2010-04-09 at 11:18 -0400, Shen, Wei (AB21) wrote:

> Thanks very much for Maarten’s quick reply.
>
>  
>
> I looked at the KeyStore api. Since I am a newbie in this area, please
> bear with me with the following two naïve questions:
>
>  
>
>      1. getCertificate(String alias) and getKey(String alias, char[]
>         password) require an alias parameter. Do I have to know the
>         alias and the password in the .pfx file beforehand or I need
>         to parse those out?

The alias will be the "friendly name" used in the PFX file. You can use
the KeyStore.aliases() to see what's available.

>      2. The Certificate.getEncoded() method says “X.509 certificates
>         would be encoded as ASN.1 DER”. Then I need to re-encode it in
>         the PEM format. My question is will Linux accept the ASN.1 DER
>         encoding?


Yes. The PEMWriter class should help here. The only one you might have
issue with is the private key, it will depend on whether the application
you're using expects PKCS#8 or the openSSL format.

Regards,

David
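
The steps Maarten and David describe (load the PKCS#12 file into a KeyStore, list its aliases, take the DER bytes from getEncoded(), wrap them in base64 with a PEM header and footer), as an added example that is not part of any post in this thread. It uses only the JDK (java.util.Base64, Java 8 or later) instead of Bouncy Castle's PEMWriter; the class name and the entryN.pem / entryN.prv output names are assumptions.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.*;

// Added example. Usage: java PfxToPem input.pfx   (input.pfx is a placeholder name)
public class PfxToPem {
    // PEM is the DER bytes in base64, 64 characters per line, between BEGIN/END lines.
    static String pem(String label, byte[] der) {
        Base64.Encoder b64 = Base64.getMimeEncoder(64, new byte[] {'\n'});
        return "-----BEGIN " + label + "-----\n" + b64.encodeToString(der)
                + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        java.io.Console console = System.console();
        if (args.length != 1 || console == null)
            throw new IllegalArgumentException("usage: java PfxToPem <file.pfx> (from a terminal)");
        char[] password = console.readPassword("PFX password: "); // not echoed, not in argv
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, password);
        }
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // certificate-only entry, no private key
            Key key = ks.getKey(alias, password);
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || !"PKCS#8".equals(key.getFormat()))
                throw new IllegalStateException("cannot export entry " + alias);
            StringBuilder certs = new StringBuilder();
            for (Certificate c : chain) certs.append(pem("CERTIFICATE", c.getEncoded()));
            // Number the output files: the alias (friendly name) is not a safe file name.
            Path pemFile = Paths.get("entry" + n + ".pem"), prvFile = Paths.get("entry" + n++ + ".prv");
            Files.write(pemFile, certs.toString().getBytes(StandardCharsets.US_ASCII));
            // The key is written unencrypted, so create the file owner-only where POSIX allows.
            if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix"))
                Files.createFile(prvFile, PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")));
            // "PRIVATE KEY" is the PKCS#8 label; OpenSSL's older format uses "RSA PRIVATE KEY".
            Files.write(prvFile, pem("PRIVATE KEY", key.getEncoded()).getBytes(StandardCharsets.US_ASCII));
        }
        Arrays.fill(password, '\0'); // do not keep the password in memory longer than needed
    }
}
```

The .prv output is PKCS#8; if the receiving application expects the older OpenSSL key format David mentions, the key needs a further conversion that this example does not perform.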






RE: .pfx to .pem conversion help

Shen, Wei (AB21)

David,

Thank you very much for your help.


Wei
-----Original Message-----
From: David Hook [mailto:[hidden email]]
Sent: April 10, 2010 4:45 PM
To: [hidden email]
Subject: RE: [dev-crypto] .pfx to .pem conversion help

On Fri, 2010-04-09 at 11:18 -0400, Shen, Wei (AB21) wrote:

> Thanks very much for Maarten's quick reply.
>
>  
>
> I looked at the KeyStore api. Since I am a newbie in this area, please
> bear with me with the following two naïve questions:
>
>  
>
>      1. getCertificate(String alias) and getKey(String alias, char[]
>         password) require an alias parameter. Do I have to know the
>         alias and the password in the .pfx file beforehand or I need
>         to parse those out?

The alias will be the "friendly name" used in the PFX file. You can use
the KeyStore.aliases() to see what's available.

>      2. The Certificate.getEncoded() method says "X.509 certificates
>         would be encoded as ASN.1 DER". Then I need to re-encode it in
>         the PEM format. My question is will Linux accept the ASN.1 DER
>         encoding?


Yes. The PEMWriter class should help here. The only one you might have
issue with is the private key, it will depend on whether the application
you're using expects PKCS#8 or the openSSL format.

Regards,

David





