Complete Guide to Converting PEM Certificates to CRT and KEY Files Using OpenSSL

Oct 21, 2025 · Programming

Keywords: OpenSSL | Certificate Conversion | PEM Format | CRT File | Private Key Extraction

Abstract: This article provides a comprehensive guide on using OpenSSL command-line tools to convert PEM files containing certificates and private keys into separate CRT certificate files and KEY private key files. Through in-depth analysis of PEM file structure, OpenSSL command parameter interpretation, and practical application scenarios, it offers a complete solution for certificate format conversion for developers and system administrators. The article includes detailed command examples, parameter explanations, and best practice recommendations to help readers understand the differences between certificate formats and conversion principles.

Overview of PEM File Format

The PEM (Privacy Enhanced Mail) format is one of the most widely used container formats in the SSL/TLS certificate domain: it stores DER-encoded data as Base64 ASCII text. A single PEM file may hold several components, such as a private key, the server's certificate, and optionally the intermediate certificates of the chain. Each component is delimited by a BEGIN/END marker pair that names its type: private keys use "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" (legacy or encrypted keys may instead carry "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY" or "BEGIN ENCRYPTED PRIVATE KEY"), while certificates use "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

Core Principles of Certificate Format Conversion

Conversion between certificate formats is essentially a change of encoding and file layout, not of the certificate itself. PEM is Base64-encoded text, convenient for humans and text tools; the CRT file produced in this article is a DER-encoded binary certificate, better suited to machine processing and to systems that expect binary input. Note that the .crt extension alone does not fix the encoding: many .crt files in practice are PEM, so check for a BEGIN marker rather than trusting the extension. A KEY file holds only the private key and must be stored and managed separately from the certificate, because the certificate is public while the key has to stay confidential.

Extracting Private Keys Using OpenSSL

Extracting the private key from a PEM file is a crucial step in certificate management. OpenSSL provides the pkey command for key operations:

openssl pkey -in combined.pem -out private.key

This command parses the input PEM file, locates the private key block, and writes it to the specified file. The -in parameter gives the input file path and -out the output file path. If the PEM file contains a passphrase-protected private key, OpenSSL prompts for the passphrase to decrypt it; the key is then written out unencrypted unless a cipher option such as -aes256 is added, so treat the output file accordingly.

Certificate Extraction and Format Conversion

Extracting certificates and converting them to CRT format requires using the x509 command:

openssl x509 -outform der -in certificate.pem -out certificate.crt

The command reads PEM-formatted certificate data (-in), converts it to DER encoding (-outform der), and writes the result to the CRT file (-out). DER (Distinguished Encoding Rules) is an encoding rule of the ASN.1 standard that stores data in binary form; compared with PEM it yields smaller files and avoids a Base64 decoding step.

Complete Conversion Process Example

Assuming we have a composite certificate file named server.pem that needs to have its private key and certificate extracted separately:

# Extract private key to separate file
openssl pkey -in server.pem -out server.key

# Extract certificate and convert to CRT format
openssl x509 -outform der -in server.pem -out server.crt

After execution, two separate files are produced: server.key containing the private key, and server.crt containing the DER-encoded certificate. Storing the key and certificate separately matches the configuration model of most web servers, such as Apache and Nginx. Both of those servers, however, read PEM-encoded certificate files; if the server rejects the DER file, run the x509 step without -outform der (or with -outform pem) to produce a PEM-encoded .crt instead.
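As an added illustration (not code from the article or from OpenSSL), the following stdlib-only Python mirrors what the two commands above do to a combined PEM: it locates blocks by their BEGIN/END markers, keeps the private-key block as PEM text, and Base64-decodes the first certificate into DER, checking that the result is a well-formed DER SEQUENCE. The sample input is constructed and not a real key or certificate; OpenSSL additionally parses and validates the key and certificate structures, which this sketch does not.

```python
import base64
import re

# Constructed sample (not a real key or certificate): a private key followed by
# a two-certificate chain; bodies are tiny DER SEQUENCEs so decoding can be checked.
COMBINED_PEM = """\
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----\n?", re.S)

def parse_pem(text):
    """Yield (label, pem_text, der_bytes) for every block, in file order."""
    for m in PEM_BLOCK.finditer(text):
        # Encrypted legacy keys put "Proc-Type:"/"DEK-Info:" lines before the
        # Base64; drop any line containing ':' so only the payload is decoded.
        b64 = "".join(ln.strip() for ln in m.group(2).splitlines()
                      if ln.strip() and ":" not in ln)
        yield m.group(1), m.group(0), base64.b64decode(b64, validate=True)

def der_sequence_length(der):
    """Total length claimed by a DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                     # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def split_combined_pem(text):
    """Mirror `openssl pkey` and `openssl x509 -outform der` on one file: return
    (key_pem, leaf_cert_der, cert_count). Like x509, only the first certificate
    is converted, so cert_count > 1 means a chain was left behind."""
    key_pem, cert_ders = None, []
    for label, pem, der in parse_pem(text):
        if label.endswith("PRIVATE KEY") and key_pem is None:
            key_pem = pem
        elif label == "CERTIFICATE":
            if der_sequence_length(der) != len(der):
                raise ValueError("certificate body is not a well-formed DER SEQUENCE")
            cert_ders.append(der)
    if key_pem is None or not cert_ders:
        raise ValueError("file must contain a private key and a certificate")
    return key_pem, cert_ders[0], len(cert_ders)
```

Writing key_pem to server.key and the DER bytes to server.crt reproduces the two output files; cert_count warns you when the input also carried intermediates that the single-certificate conversion drops.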

In-Depth Analysis of OpenSSL Command Parameters

The -outform parameter of the x509 command accepts two output encodings: PEM (the default) and DER. The matching -inform parameter tells OpenSSL how to read the input, so a mismatch between -inform and the file's actual encoding is a common source of "unable to load certificate" errors.

The pkey command is specifically designed to handle various types of keys, supporting multiple algorithms such as RSA, DSA, and EC, and can automatically identify key types in input files and process them correctly.

Practical Application Scenarios and Considerations

In web server configuration, the certificate and private key are normally kept in separate files. Apache requires SSLCertificateFile to point to the certificate file and SSLCertificateKeyFile to the private key file; Nginx uses ssl_certificate and ssl_certificate_key in the same way. Both servers expect these files in PEM encoding.

Security considerations include: set strict permissions on private key files (for example chmod 600, owned by the account that runs the service) to prevent unauthorized reads; in production environments, consider a Hardware Security Module (HSM) so the private key never leaves protected hardware; and rotate certificates and keys regularly.

Advanced Conversion Techniques

For a PEM file that contains a certificate chain, the following command shows the decoded content of a certificate. Note that openssl x509 reads only the first certificate in the file; to inspect the intermediates, split the file into one certificate per block and run the command on each:

openssl x509 -in certificate.pem -text -noout

If you need to unpack a PKCS#12 package (.pfx or .p12), the pkcs12 command converts it to PEM. The -nodes flag (spelled -noenc in OpenSSL 3) writes the private key unencrypted, so protect the resulting file as described above:

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

These advanced techniques are very useful when dealing with complex certificate scenarios, particularly in enterprise applications and cross-platform deployments.

Troubleshooting and Verification

After conversion is complete, it is recommended to verify the generated files using the following commands:

# Verify private key
openssl pkey -in private.key -check

# Verify certificate
openssl x509 -in certificate.crt -inform der -text -noout

If a conversion fails, common causes include a file whose actual encoding does not match the -inform/-outform given, a passphrase-protected key that was not decrypted, or a truncated or corrupted file. OpenSSL's error output normally names the failing step (for example, "unable to load certificate"), so read it before retrying.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.