kme : certs   7

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them | https://support.ssl.com/
Microsofty things use the '.cer' extension (which is interchangeable with '.crt'), and are often DER-encoded. PEM-encoded certs are "ASCII (Base64) armored data" prefixed with a "-----BEGIN CERTIFICATE-----" line.

Here's how to "cat" a DER-encoded certificate:
<code class="language-bash">
openssl x509 -in certificate.der -inform der -text -noout
</code>

And here's how to convert one in that format to the format expected on a Debian GNU/Linux system:
<code class="language-bash">
openssl x509 -in cert.crt -inform der -outform pem -out cert.crt
</code>

NB: the '.crt' extension seems to be important, otherwise 'sudo update-ca-certificates' doesn't pick up on new ones that you've added to /usr/local/share/ca-certificates.
ssl  certs  cacert  certificates  openssl  sysadmin  webmaster  crypto  fuckina  solution  importexport  conversion 
january 2019 by kme
openssl - how to extract issuer certificate from other certificate - Stack Overflow | https://stackoverflow.com/
This might work *if* the certificate embeds a URL for the issuer. This wasn't the case for my organization.
openssl  ssl  ca  certs  issuer  commandline  sysadmin  networking  sortof  solution 
january 2019 by kme
curl - SSL CA Certificates | https://curl.haxx.se/
Yeah, except the '--cacert pemfile.pem' option never seems to work without just resorting to '--insecure' also.
If you use the 'openssl' tool, this is one way to extract the CA cert for a particular server:
<code class="language-bash">openssl s_client -showcerts -servername server -connect server:443 > cacert.pem</code>
- type "quit", followed by the "ENTER" key
- The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
- If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.
- If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate.


Convert from crt (IE / Windows, DER format) to PEM format:
<code class="language-bash">openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem -text</code>
webdevel  debugging  curl  ssl  certs  ca  security  dammitbrain  reference 
december 2017 by kme
mk-ca-bundle
This script lives in lib/mk-ca-bundle.pl in current curl distributions.
ssl  certs  curl  certificates  ca  solution 
march 2016 by kme
Fixing HTTPS Certificate Errors in Wget and Ruby • 55 Minutes Blog
<code class="language-bash"># Install curl-ca-bundle
sudo port install curl-ca-bundle

# Add CA_CERTIFICATE to ~/.wgetrc
echo certificate=/opt/local/share/curl/curl-ca-bundle.crt >> ~/.wgetrc</code>
mac  osx  ca  certs  https  wget  errormessage  commandline  solution  macos 
march 2013 by kme
