Archive for the ‘What / Why’ Category

NOTE: Please note that this is a RIP OFF from the website http://www.sslshopper.com. Thanks to http://www.sslshopper.com for the valuable information provided. If anyone has any complaints, please contact me.

Different platforms & devices require SSL certificates in different formats
eg:- A Windows Server uses .pfx files
An Apache Server uses .crt, .cer files

NOTE: The only way to tell the difference between a PEM .cer and a DER .cer is to open the file in a text editor and look for the BEGIN/END statements.


PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

Several PEM certificates, and even the Private key, can be included in one file, one below the other. But most platforms (eg:- Apache) expect the certificates and Private key to be in separate files.
> They are Base64 encoded ASCII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers use PEM format certificates

DER Format
It is the binary form of an ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format
> They are Binary format files
> They have extensions .cer & .der
> DER is typically used on the Java platform

PKCS#7/P7B Format
They contain "-----BEGIN PKCS7-----" & "-----END PKCS7-----" statements. A file in this format can contain only Certificates & Chain certificates but not the Private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms support it. eg:- Windows OS, Java Tomcat

PKCS#12/PFX Format
They are used for storing the Server certificate, any Intermediate certificates & the Private key in one encryptable file.
> They are Binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys
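
Since the extension does not say which of the formats above a file is in, the check can be scripted. The following is an added example, not part of the original post: the function name and output labels are made up here, the sample bytes are constructed, and the binary branch is a heuristic based on the first ASN.1 element.

```sh
#!/bin/sh
# Added example: identify a certificate or key file by content, not extension.
cert_format() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    # PEM is text: take the label from the first BEGIN line. Lines before it
    # (such as "Bag Attributes") are skipped automatically.
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" | head -n 1)
    case $label in
        CERTIFICATE)     echo pem-certificate; return 0 ;;
        *"PRIVATE KEY")  echo pem-private-key; return 0 ;;
        PKCS7)           echo pem-pkcs7; return 0 ;;
        "")              ;;  # no BEGIN line: fall through to the binary check
        *)               echo pem-other; return 0 ;;
    esac
    # DER, binary PKCS#7 and PKCS#12 are all ASN.1 and start with a SEQUENCE (0x30).
    set -- $(od -An -tx1 -N10 "$f")
    [ "${1:-}" = 30 ] || { echo unknown; return 1; }
    # Skip the tag and length octets (0x81..0x84 announce 1..4 extra length bytes).
    case ${2:-} in 81) skip=3 ;; 82) skip=4 ;; 83) skip=5 ;; 84) skip=6 ;; *) skip=2 ;; esac
    [ $# -gt $((skip + 2)) ] || { echo unknown; return 1; }
    shift "$skip"
    # The first inner element tells the containers apart (heuristic).
    case "$1 $2 $3" in
        "02 01 03") echo pkcs12 ;;           # INTEGER version 3 opens a PFX
        "02 "*)     echo der-private-key ;;  # INTEGER version opens an unencrypted key
        "06 "*)     echo der-pkcs7 ;;        # OID opens a PKCS#7 ContentInfo
        "30 "*)     echo der-certificate ;;  # nested SEQUENCE, as in a certificate
        *)          echo unknown; return 1 ;;
    esac
}

# Constructed samples: header bytes only, not real certificates or keys.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$tmp/pem.cer"
printf '\060\202\003\041\060\202\002\011' > "$tmp/der.cer"
printf '\060\202\011\141\002\001\003\060' > "$tmp/store.pfx"
for s in pem.cer der.cer store.pfx; do echo "$s: $(cert_format "$tmp/$s")"; done
rm -rf "$tmp"
```

A der-certificate result can be confirmed with the DER to PEM conversion further down, which fails if the file is not a certificate.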


Converting Certificates between different Formats

Convert PEM to DER
$ openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer

Convert PEM to PFX
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt


Convert DER to PEM
$ openssl x509 -inform der -in certificate.cer -out certificate.pem


Convert P7B to PEM
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer


Convert PFX to PEM
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

NOTE: While converting PFX to PEM format, openssl will put all the Certificates and the Private Key into a single file. You will need to open the file in a text editor and copy each Certificate & Private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer, privateKey.key respectively. Because of -nodes, the Private key in that file is not encrypted, so keep the file and the extracted privateKey.key readable only by their owner.
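
The manual copy described in this NOTE can be scripted. The following is an added example, not part of the original post: the function name and the output names (key-N.pem, cert-N.pem) are made up here, and the bundle is constructed with placeholder Base64 bodies.

```sh
#!/bin/sh
# Added example: split the single file written by the PFX to PEM conversion
# into one file per BEGIN/END block, dropping the lines between blocks.
split_pem_bundle() {
    bundle=$1 outdir=$2
    [ -r "$bundle" ] || return 1
    mkdir -p "$outdir" || return 1
    (
        umask 077            # new files are owner-only, so the key is not world-readable
        cd "$outdir" || exit 1
        LC_ALL=C awk '
            /^-----BEGIN / {
                kind = ($0 ~ /PRIVATE KEY-----/) ? "key" : "cert"
                out = sprintf("%s-%d.pem", kind, ++n[kind])
                print out                      # report each file created
            }
            out != ""    { print > out }       # copy only lines inside a block
            /^-----END / { close(out); out = "" }
        '
    ) < "$bundle"
}

# Constructed bundle (placeholder Base64 bodies, not real key material).
work=$(mktemp -d)
cat > "$work/certificate.cer" <<'EOF'
Bag Attributes
    friendlyName: constructed
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END PRIVATE KEY-----
Bag Attributes
subject=CN = www.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtbGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2E=
-----END CERTIFICATE-----
EOF
split_pem_bundle "$work/certificate.cer" "$work/out"
ls -l "$work/out"
rm -rf "$work"
```

The numbered files still have to be renamed; `openssl x509 -noout -subject -issuer -in cert-1.pem` shows which certificate is the server's and which is the CA's.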



/dev/random and /dev/urandom are special character files present since Linux kernel version 1.3.30.

They provide an interface to the kernel's Random Number Generator.
The Random Number Generator gathers environmental noise from device drivers and other sources into an entropy pool. It also keeps an estimate of the number of bits of noise in the entropy pool. Random numbers are generated from this entropy pool.


/dev/random
It will only return random bytes from the entropy pool. If the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered. This is suited to uses that need high quality randomness, such as one-time pad or key generation.

TIP: Issue the command ‘cat /dev/random’ in your terminal without quotes. Move the mouse or type anything on the keyboard to see random characters being generated. Press CTRL+C to exit.


/dev/urandom
It will return as many random bytes as requested. But if the entropy pool is empty, it will generate data using SHA, MD5 or any other algorithm. It never blocks. Due to this, the values are vulnerable to a theoretical cryptographic attack, though no known methods exist.

TIP: Issue the command ‘cat /dev/urandom’ in your terminal without quotes. Sit and watch random characters being generated, while you do nothing. Press CTRL+C to exit.


Creating /dev/random & /dev/urandom, if your system doesn’t have them
Major Device number of /dev/random – 1
Minor Device number of /dev/random – 8
Major Device number of /dev/urandom – 1
Minor Device number of /dev/urandom – 9

STEP1: Create the /dev/random character file with mode/permission 644
# mknod -m 644 /dev/random c 1 8

STEP2: Create the /dev/urandom character file with mode/permission 644
# mknod -m 644 /dev/urandom c 1 9

STEP3: Change the owner & group of the created devices to ‘root’
# chown root:root /dev/random /dev/urandom

STEP4: Done


NOTE: These changes don’t persist across a reboot
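
A node created with the wrong numbers is a different device that may still answer reads, so it is worth checking the result of the steps above. The following is an added example, not part of the original post: the function name is made up here and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example: confirm that a path is the character device it is supposed to be.
check_rng_node() {
    node=$1 want_major=$2 want_minor=$3
    [ -c "$node" ] || { echo "$node: missing or not a character device"; return 1; }
    # stat -c: %t and %T are the device's two numbers in hex, in mknod order.
    set -- $(stat -c '%t %T %U:%G %a' "$node" 2>/dev/null)
    [ $# -eq 4 ] || { echo "$node: could not stat (needs stat -c)"; return 1; }
    major=$((0x$1)) minor=$((0x$2))
    if [ "$major" -ne "$want_major" ] || [ "$minor" -ne "$want_minor" ]; then
        echo "$node: is device $major,$minor but expected $want_major,$want_minor"
        return 1
    fi
    echo "$node: ok, device $major,$minor owner $3 mode $4"
}

# Same numbers as the mknod commands: /dev/random is 1 8, /dev/urandom is 1 9.
rc=0
check_rng_node /dev/random  1 8 || rc=1
check_rng_node /dev/urandom 1 9 || rc=1
[ "$rc" -eq 0 ] || echo "RNG device nodes need attention"
```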


Ever wondered what those words i386/i486/i586/i686/i786 that come after the name of RPM / DEB packages mean?
When it comes to understanding the compatibility of a package between different architectures, knowing these terms becomes important. These terms are processor architectures. Let’s have a look below…

i386 – Intel i386/80386 (in 1985) or AMD386 / AM386 (in 1991)
i486 – Intel i486/80486 (in 1989) or AMD486 / AM486 (in 1993)
i586 – Intel Pentium (in 1993) or AMD-K5 (in 1996)
i686 – Intel Pentium Pro (in 1995) or AMD-K6 (in 1997)
i786 – Intel Pentium 4 (in 2000) or AMD-K7 (in 1999)


Intel i386/80386 was introduced by Intel in 1985. It was a 32-bit microprocessor.
As the original implementation of the 32-bit extensions of the 8086 architecture, the 8086 instruction set, programming model and binary encodings are still the common denominator for all 32-bit x86 processors. The set of processors compatible with the 80386 is collectively termed the x86 or i386 architecture, but Intel prefers the name IA-32.

The AMD386 / AM386 was released by AMD in 1991. It was a 100% compatible clone of Intel 80386. This was the processor that placed AMD as a legitimate competitor to Intel, rather than just a second source for x86 CPUs.

NOTE: Packages that are compiled for the i386 architecture are compatible with i386, i486, i586, i686 & i786 architectures.

Intel i486 was released in 1989. It was a higher performance follow-up to the Intel 80386 processor. The i486 wasn’t officially branded as 80486, because a court ruling prohibited trademarking numbers. Later on, Intel began branding its chips with words.

The AMD486 / AM486 was released by AMD in 1993.

NOTE: Packages that are compiled for the i486 architecture are compatible with i486, i586, i686 & i786 architectures.

Intel i586 was released in 1993. It was brand named Pentium. It is also called P5, meaning the 5th generation of x86 micro-architecture. In 1996, Pentium MMX was released based on this processor. It added new MMX instructions.

AMD K5 was released in 1996. It was AMD’s first x86 processor to be developed entirely in-house.
The K5 lacked MMX instructions, which Intel had started providing in this generation.

NOTE: Packages that are compiled for the i586 architecture are compatible with i586, i686 & i786 architectures.

Intel i686 was released in 1995. It was brand named Pentium Pro. It is also called P6, meaning the 6th generation of x86 micro-architecture.

AMD K6 was released in 1997. It included MMX instructions and an FPU.
It was complemented by AMD K6-2 in 1998, which introduced AMD’s 3D-Now!
AMD K6-III was released in 1999.

NOTE: Packages that are compiled for the i686 architecture are compatible with i686 & i786 architectures.


Intel i786/80786/P7 was introduced in 2000. It was brand named Pentium 4.
It must be noted that these are unofficial names. The official name is P68 / Intel NetBurst Microarchitecture.
These CPUs introduced the SSE2 & SSE3 instruction sets to accelerate calculations, transactions, media processing, 3D graphics, games etc. They also integrated Hyperthreading, which makes 1 physical CPU work as 2 logical & virtual CPUs.
It also came in two other versions
– Celeron (Low end – for Desktops/Laptops)
– Xeon (High end – for Workstations/Multiprocessor Server)
It was complemented by Pentium D & Pentium Extreme Edition Dual core CPUs.
(Intel’s later Itanium architecture was developed based on this processor.)

AMD introduced AMD K7 in 1999. It was brand named Athlon.

NOTE: Packages that are compiled for the i786 architecture are compatible with the i786 architecture only.
