NOTE: Please note that this is a RIP OFF from the website http://www.sslshopper.com. Thanks to http://www.sslshopper.com for the valuable information provided. If anyone has any complaints, please contact me.

Different platforms and devices require SSL certificates in different formats.
eg:- A Windows Server uses .pfx files
An Apache Server uses .crt, .cer files

NOTE: The only way to tell the difference between a PEM .cer and a DER .cer is to open the file in a text editor and look for the BEGIN/END statements.

 

PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

Several PEM certificates, and even the private key, can be included in one file, one below the other. But most platforms (eg:- Apache) expect the certificates and private key to be in separate files.
> They are Base64 encoded ASCII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers use PEM format certificates

DER Format
It is the binary form of an ASCII PEM format certificate. All types of certificates and private keys can be encoded in DER format.
> They are Binary format files
> They have extensions .cer & .der
> DER is typically used on the Java platform

P7B/PKCS#7
They contain "-----BEGIN PKCS7-----" & "-----END PKCS7-----" statements. They can contain only certificates and chain certificates, but not the private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms support it. eg:- Windows OS, Java Tomcat

PFX/PKCS#12
They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.
> They are Binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys
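
The check described in the NOTE above (look for the BEGIN/END statements) can be scripted so that a file is classified by its content rather than its extension. This is an added example, not part of the original post; the function name cert_format and the sample files are made up for illustration, and the DER check uses openssl only if it is installed.

```sh
#!/bin/sh
# cert_format FILE: classify a certificate/key file by content, not extension.
# (Hypothetical helper written for this example.)
cert_format() {
    f=$1
    { [ -f "$f" ] && [ -r "$f" ]; } || { echo "unreadable"; return 1; }
    # PEM files are text and carry a "-----BEGIN <LABEL>-----" line.
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" | head -n 1)
    case $label in
        CERTIFICATE)            echo "PEM certificate"; return 0 ;;
        PKCS7)                  echo "PEM PKCS#7 (P7B)"; return 0 ;;
        *"PRIVATE KEY")         echo "PEM private key"; return 0 ;;
        *"CERTIFICATE REQUEST") echo "PEM CSR"; return 0 ;;
        ?*)                     echo "PEM ($label)"; return 0 ;;
    esac
    # No BEGIN line: binary DER and PFX files both start with the
    # ASN.1 SEQUENCE tag, byte 0x30.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        if command -v openssl >/dev/null 2>&1 &&
           openssl x509 -inform der -in "$f" -noout 2>/dev/null; then
            echo "DER certificate"
        else
            echo "binary ASN.1 (DER key or PKCS#12/PFX)"
        fi
        return 0
    fi
    echo "unknown"; return 1
}

# Constructed samples (dummy contents, not real certificates).
tmp=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' > "$tmp/text.cer"
printf '\060\202\001\012' > "$tmp/binary.cer"
cert_format "$tmp/text.cer"
cert_format "$tmp/binary.cer"
rm -rf "$tmp"
```

A file reported as binary ASN.1 still needs the matching openssl subcommand (pkcs12 for a PFX, for instance) to confirm what it holds.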

 

Converting Certificates between different Formats

PEM
Convert PEM to DER
—————————————————————————————————–
$ openssl x509 -outform der -in certificate.pem -out certificate.der
—————————————————————————————————–

Convert PEM to P7B
———————————————————————————————————————————
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
———————————————————————————————————————————-

Convert PEM to PFX
——————————————————————————————————————————————————
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt
——————————————————————————————————————————————————

 

DER
Convert DER to PEM
————————————————————————————————–
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
————————————————————————————————–

 

P7B
Convert P7B to PEM
————————————————————————————————-
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
————————————————————————————————-

Convert P7B to PFX
——————————————————————————————————————————————————-
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer
——————————————————————————————————————————————————-

 

PFX
Convert PFX to PEM
——————————————————————————————–
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
——————————————————————————————–

NOTE: When converting PFX to PEM format, openssl puts all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own text file, and save them as certificate.cer, CAcert.cer and privateKey.key respectively.
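
The manual copy-and-paste step in the NOTE above can be scripted. The following is an added example, not part of the original post: split_pem is a made-up helper name, the output file names are arbitrary, and the sample bundle is constructed with dummy Base64 bodies. Because -nodes writes the private key unencrypted, the helper creates its files readable by the owner only.

```sh
#!/bin/sh
# split_pem BUNDLE OUTDIR: write each BEGIN/END block of BUNDLE to its own file
# in OUTDIR and print how many blocks were found. (Hypothetical helper.)
split_pem() {
    (
        umask 077    # the bundle holds an unencrypted key: owner-only files
        mkdir -p "$2" || exit 1
        awk -v dir="$2" '
            /^-----BEGIN / {
                n++
                label = $0
                sub(/^-----BEGIN /, "", label)
                sub(/-----.*$/, "", label)
                kind = (label ~ /PRIVATE KEY$/) ? "key" : (label == "CERTIFICATE") ? "cert" : "other"
                out = sprintf("%s/%02d-%s.pem", dir, n, kind)
                inblock = 1
            }
            inblock { print > out }      # "Bag Attributes" lines fall outside blocks
            /^-----END / { inblock = 0; close(out) }
            END { print n + 0 }
        ' "$1"
    )
}

# Constructed sample standing in for the single file that
# `openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes` produces.
demo=$(mktemp -d)
cat > "$demo/bundle.pem" <<'EOF'
Bag Attributes
    friendlyName: example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRg==
-----END CERTIFICATE-----
Bag Attributes
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----
EOF
split_pem "$demo/bundle.pem" "$demo/out"
ls "$demo/out"
rm -rf "$demo"
```

Blocks come out in the order they appear in the bundle, so check each certificate's subject (for example with openssl x509 -noout -subject -in FILE) before renaming the files to certificate.cer and CAcert.cer.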

NOTE: Please note that this is a RIP OFF from the website http://www.sslshopper.com. Thanks to sslshopper.com for the valuable information provided. If anyone has any complaints, please contact me.

A CSR or Certificate Signing Request is a block of encoded text that contains information about the company that an SSL certificate will be issued to and the SSL public key. Once a CSR is created it is difficult to verify what information is contained in it because it is encoded. Since Certificate Authorities use the information in CSRs to create the certificate, you need to decode CSRs to make sure the information is accurate. Decoding a CSR verifies that it contains the correct information.

 

CSR DECODING
———————————————————————
$ openssl req -in certificate.csr -text -noout
———————————————————————

The ‘Recent Documents’ list in the GNOME Desktop Environment can be accessed via ‘Menu -> Places -> Recent Documents’. Ever wanted to keep your sneaky friends from knowing what files you are accessing?

When you access a file via the Nautilus file manager, the details are stored in an XML document named .recently-used.xbel.
•  There is an option ‘Clear Recent Documents…’ available from ‘Menu -> Places -> Recent Documents’. This clears out the file .recently-used.xbel and, with it, the entries listed in Recent Documents. But that is not what we want. We want to permanently prevent recently opened files from appearing there.

•  Deleting .recently-used.xbel won’t work. The next time you open a file, .recently-used.xbel is recreated.

•  Changing the default permissions of .recently-used.xbel also doesn’t work. The permissions are reset to the default 600 the next time you open a file.

So, here are the steps to disable ‘Recent Documents’…
In your terminal, issue the following commands

 

STEP1: Removes the XML file .recently-used.xbel from your Home directory
—————————————————-
$ rm -fv $HOME/.recently-used.xbel
—————————————————-

STEP2: Creates a new directory named .recently-used.xbel in your Home directory.
—————————————————-
$ mkdir $HOME/.recently-used.xbel
—————————————————-

STEP3:
Done.

The next time you try to access it, ‘Recent Documents’ in ‘Menu -> Places’ is greyed out.
The next time you open a file, the existence of the XML file .recently-used.xbel is checked for.
In Linux everything is a file, and so is .recently-used.xbel, BUT it is now of the ‘directory’ type!! We take advantage of this fact, so that no data can be written to .recently-used.xbel

Man pages are specially formatted and then compressed text files, created using help2man. Printing a man page as you normally would with other files will print all the formatting, and this is not what we want. So it is better to convert them to a printer-friendly format, like Postscript or PDF.
To create a Postscript file from the man page of the proc command, issue the following command from your terminal…

——————————————————
$ man -t proc > proc.ps
——————————————————

To create a PDF file from the man page of proc command, issue the following from your terminal…

——————————————————————–
$ man -t proc | ps2pdf - proc.pdf
——————————————————————–

 
NOTE: You will need the ps2pdf utility installed to create the PDF. Hopefully, most distributions come with this utility pre-installed.

Explanation of options used:
-t
• Equivalent to the command groff -Tps -mandoc
• It only works if you have the groff utility installed. Hopefully, most distributions come with this utility pre-installed.
• It passes the output to stdout after formatting the man page. The default output format is Postscript.

/dev/random and /dev/urandom are special character files present since Linux kernel version 1.3.30.

They provide an interface to the kernel’s Random Number Generator.
The Random Number Generator gathers environmental noise from device drivers and other sources into an entropy pool. It also keeps an estimate of the number of bits of noise in the entropy pool. Random numbers are generated from this entropy pool.

 

/dev/random
It will only return random bytes from the entropy pool. If the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered. This is suited to uses that need high quality randomness, such as one-time pad or key generation.

TIP: Issue the command ‘cat /dev/random’ into your terminal without quotes. Move the mouse or type anything on the keyboard to see random characters being generated. Press CTRL+C to exit the situation.

 

/dev/urandom
It will return as many random bytes as requested. But if the entropy pool is empty, it will generate data using SHA, MD5 or any other algorithm. It never blocks. Due to this, the values are vulnerable to a theoretical cryptographic attack, though no known methods exist.

TIP: Issue the command ‘cat /dev/urandom’ into your terminal without quotes. Sit and watch random characters being generated, while you do nothing. Press CTRL+C to exit the situation.

 

Creating /dev/random & /dev/urandom, if your System doesn’t have them
Minor Device number of /dev/random – 1
Major Device number of /dev/random – 8
Minor Device number of /dev/urandom – 1
Major Device number of /dev/urandom – 9

STEP1: Creating character file with mode/permission as 644
# mknod -m 644 /dev/random c 1 8

STEP2: Creating character file with mode/permission as 644
# mknod -m 644 /dev/urandom c 1 9

STEP3: Changing ownership & group of created devices to ‘root’
# chown root:root /dev/random /dev/urandom

STEP4: Done

 

NOTE: These changes don’t persist across a reboot

Ever wondered what those words i386/i486/i586/i686/i786 that come after the name of RPM / DEB packages mean?
When it comes to understanding the compatibility of a package between different architectures, knowing these terms becomes important. These terms are processor architectures. Let’s have a look below…

i386  -  Intel i386/80386  (in 1985)   or   AMD386 / AM386 (in 1991)
i486  -  Intel i486/80486  (in 1989)   or   AMD486 / AM486 (in 1993)
i586  -  Intel Pentium     (in 1993)   or   AMD-K5 (in 1996)
i686  -  Intel Pentium Pro (in 1995)   or   AMD-K6 (in 1997)
i786  -  Intel Pentium 4   (in 2000)   or   AMD-K7 (in 1999)

 
 
i386

The Intel i386/80386 was introduced by Intel in 1985. It was a 32-bit microprocessor.
As the original implementation of the 32-bit extensions of the 8086 architecture, the 8086 instruction set, programming model and binary encodings are still the common denominator for all 32-bit x86 processors. The set of processors compatible with the 80386 is collectively termed the x86 or i386 architecture, but Intel prefers the name IA-32.

The AMD386 / AM386 was released by AMD in 1991. It was a 100% compatible clone of the Intel 80386. This was the processor that placed AMD as a legitimate competitor to Intel, rather than just a second source for x86 CPUs.

NOTE: Packages that are compiled for the i386 architecture are compatible with i386, i486, i586, i686 & i786 architectures.

 
i486
The Intel i486 was released in 1989. It was a higher performance follow-up to the Intel 80386 processor. The i486 wasn’t officially branded as 80486, because a court ruling prohibited trademarking numbers. Later on, Intel began branding its chips with words.

The AMD486 / AM486 was released by AMD in 1993.

NOTE: Packages that are compiled for the i486 architecture are compatible with i486, i586, i686 & i786 architectures.

 
i586
The Intel i586 was released in 1993. It was brand named Pentium. It is also called P5, meant to be the 5th generation of the x86 micro-architecture. In 1996, the Pentium MMX was released based on this processor. It added new MMX instructions.

The AMD K5 was released in 1996. It was AMD’s first x86 processor to be developed entirely in-house.
The K5 lacked the MMX instructions, which Intel had started offering in this generation.

NOTE: Packages that are compiled for the i586 architecture are compatible with i586, i686 & i786 architectures.

 
i686
The Intel i686 was released in 1995. It was brand named Pentium Pro. It is also called P6, meant to be the 6th generation of the x86 micro-architecture.

The AMD K6 was released in 1997. It included MMX instructions and an FPU.
It was complemented by the AMD K6-2 in 1998, which introduced AMD’s 3D-Now!
The AMD K6-III was released in 1999.

NOTE: Packages that are compiled for the i686 architecture are compatible with i686 & i786 architectures.

 
i786

The Intel i786/80786/P7 was introduced in 2000. It was brand named Pentium 4.
It must be noted that these are unofficial names. The official name is P68 / Intel NetBurst Microarchitecture.
These CPUs introduced the SSE2 & SSE3 instruction sets to accelerate calculations, transactions, media processing, 3D graphics, games etc. They also integrated Hyperthreading, which makes 1 physical CPU work as 2 logical & virtual CPUs.
It also came in two other versions
– Celeron (Low end – for Desktops/Laptops)
– Xeon (High end – for Workstations/Multiprocessor Server)
It was complemented by the Pentium D & Pentium Extreme Edition dual core CPUs.
(Intel’s later Itanium architecture was developed based on this processor.)

AMD introduced the AMD K7 in 1999. It was brand named Athlon.

NOTE: Packages that are compiled for the i786 architecture are compatible with the i786 architecture only.