Understanding OpenSSL Certificate File Formats: Differences and Applications of PEM, CRT, KEY, and PKCS12

Nov 26, 2025 · Programming

Keywords: OpenSSL | Certificate File Formats | PKCS12 | JKS Keystore | Public-Private Key Encryption

Abstract: This article provides an in-depth analysis of various certificate file formats generated by OpenSSL, including core concepts such as PEM, CRT, KEY, and PKCS12. Through comparative analysis of file structure differences, it elaborates on public-private key encryption principles and certificate signing mechanisms, while offering a complete operational guide from self-signed certificate generation to JKS keystore conversion. With specific command examples, the article helps developers accurately identify different file formats and master essential SSL/TLS certificate management skills.

Fundamental Concepts of Certificate File Formats

In Public Key Infrastructure (PKI) systems, key pairs consist of two components: public keys and private keys. Public keys can be publicly distributed for verifying digital signatures, while private keys must be strictly kept secret for generating digital signatures. The various file formats generated by the OpenSSL tool represent different encapsulation forms of these key components.

Detailed Explanation of Major File Formats

.key files typically contain the private key, which the server uses to prove ownership of its public key: creating digital signatures and decrypting data that was encrypted with the matching public key. The secure storage of private keys is critically important, as any leakage can lead to serious security issues.

.pem files use Base64-encoded text format and can contain various types of content including public keys, private keys, or certificates. They are identified by the -----BEGIN EXAMPLE----- and -----END EXAMPLE----- markers, where EXAMPLE varies according to the specific content, such as CERTIFICATE or PRIVATE KEY.

.crt or .cert files contain signed digital certificates issued by Certificate Authorities (CAs), used to verify the authenticity and ownership of public keys. In the self-signed case, the certificate is signed with its own private key, so it can only be verified against its own public key rather than against a CA's.

Container Formats and Keystores

.p12 files adhere to the PKCS#12 standard and represent a binary container format capable of simultaneously containing private keys and corresponding certificate chains. This format facilitates secure transmission and backup management of key pairs.

JKS (Java KeyStore) is a platform-specific keystore format for Java, used to store and manage keys and certificates. JKS supports multiple entry types, including private key entries and trusted certificate entries, providing comprehensive key management solutions for Java applications.

Practical OpenSSL Command Analysis

Typical command for generating self-signed certificates and private keys:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

This command creates a self-signed certificate valid for 365 days using a 2048-bit RSA key pair, where the -keyout parameter specifies the private key output file and -out specifies the certificate output file. The -nodes option indicates that the private key should not be encrypted with a passphrase.

Another common variant:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

This command generates a certificate valid for 10 years, with both output files in PEM format, demonstrating the flexibility of file extensions—the same file content can use different extensions.

Format Conversion and Keystore Generation

Generating PKCS12 keystore from PEM format files:

openssl pkcs12 -export -in user.pem -inkey user.key -certfile user.pem -out testkeystore.p12

This command packages PEM format certificates and private keys into a PKCS12 file. The -in parameter specifies the certificate file, -inkey specifies the private key file, and -certfile can include additional certificate chains.

Converting PKCS12 to JKS format:

keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS

Java's keytool utility performs the format conversion, with -srckeystore specifying the source keystore and -destkeystore specifying the target keystore.

File Content Verification and Identification

Since file extensions are merely conventions, identifying the actual content is what matters. The following OpenSSL commands report what a file really contains:

View certificate information:

openssl x509 -in certificate.crt -text -noout

View private key information:

openssl rsa -in private.key -check -noout

Verify PKCS12 file:

openssl pkcs12 -info -in keystore.p12
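As an added example (not from the article), the following Python identifier applies the same point without relying on the extension: it reads a file's bytes and reports what is inside, by PEM label for text files and by a peek at the outer ASN.1 SEQUENCE for binary files such as a DER certificate or the PKCS12 container produced above. The sample inputs are constructed skeletons, not real keys, and the DER classification is a structural heuristic, not a full parser.

```python
"""Identify key/certificate material by content, not by file extension."""
import re

# PEM: one or more "-----BEGIN X-----" ... "-----END X-----" blocks around Base64 text.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_labels(data: bytes) -> list:
    """Return the label of every PEM block in the data, in file order."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]

def _asn1_header(buf: bytes, pos: int):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def der_guess(data: bytes) -> str:
    """Classify a DER blob by the first element inside its outer SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return "not DER (no outer SEQUENCE)"
    _, start, _ = _asn1_header(data, 0)
    tag, vstart, vend = _asn1_header(data, start)
    if tag == 0x30:                        # nested SEQUENCE first: X.509 Certificate (or a CSR)
        return "DER certificate or CSR"
    if tag != 0x02:
        return "unknown DER structure"
    version = int.from_bytes(data[vstart:vend], "big")
    nxt = data[vend] if vend < len(data) else None   # tag following the version INTEGER
    if version == 3 and nxt == 0x30:       # PFX ::= SEQUENCE { version 3, authSafe ContentInfo, ... }
        return "PKCS#12 container"
    if version == 0 and nxt == 0x30:       # PrivateKeyInfo { version 0, AlgorithmIdentifier, ... }
        return "PKCS#8 private key"
    if version == 0 and nxt == 0x02:       # RSAPrivateKey { version 0, modulus INTEGER, ... }
        return "PKCS#1 RSA private key"
    if version == 1 and nxt == 0x04:       # ECPrivateKey { version 1, privateKey OCTET STRING, ... }
        return "SEC1 EC private key"
    return "unknown DER structure"

def identify(data: bytes) -> str:
    """PEM if any PEM block is present, otherwise fall back to the DER heuristic."""
    labels = pem_labels(data)
    return "PEM: " + ", ".join(labels) if labels else der_guess(data)

# Constructed samples (placeholder Base64 and minimal ASN.1 skeletons, not real key material).
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
              b"-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n")
SAMPLE_P12 = bytes.fromhex("30050201033000")   # SEQUENCE { INTEGER 3, SEQUENCE {} }

if __name__ == "__main__":
    print(identify(SAMPLE_PEM))
    print(identify(SAMPLE_P12))
```

For a private key that is not RSA, the page's openssl rsa command will refuse the file; openssl pkey -in key.pem -noout -text prints any key type. The labels this identifier reports match the PEM markers OpenSSL writes, so a file whose label disagrees with its extension is exactly the case the article warns about.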

Practical Application Scenario Analysis

A web server configuration typically requires the server private key (.key), the server certificate (.crt), and possibly an intermediate certificate chain. These files can be stored separately or combined into a PKCS12 file for easier management.

Java applications typically use JKS keystores containing server private key entries and corresponding certificate chains. Through standard keystore management processes, applications can properly establish SSL/TLS connections.

The choice of file format should be determined by specific application scenarios: separate files facilitate auditing and updates, container formats ease deployment and backup, and keystore formats integrate well with specific platforms.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.