Yes, the Java keystore appears only to accept DER, but I agree, it's
the exception rather than the rule. And, yes, a simple command:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

does the trick--I just confirmed that it works. As I had seen quite a
bit of discussion regarding this on the list, I was more curious than
anything as to whether IPA would output directly in DER. I was also
coming more from the point of training people to perform this


On Fri, Jan 6, 2012 at 1:58 PM, John Dennis <> wrote:
> On 01/06/2012 04:45 PM, Stephen Ingram wrote:
>> I noticed a message on here some time ago about changing IPA to output
>> certificates in PEM format instead of DER. I see that in version
>> 2.1.4, the UI does indeed output in PEM format. It appears as though
>> the CLI still outputs in DER. Is this the case? I agree that PEM is
>> certainly more typical, however, when working with the Java keystore,
>> it asks for DER format. Should I still be able to get that from IPA or
>> should I just use openssl to convert it?
> It's much better to use PEM format, it's portable and accepted by all PKI
> software.
> The --out option of cert_show command line writes the cert in PEM format to
> a file.
> Thus both the web UI and the command line both now support PEM.
> Not sure about the Java keystore, I would expect it should accept either DER
> or PEM but if indeed it only supports DER then it's trivial to convert PEM to
> DER. There should be an existing utility to do it. If not it's as simple as
> taking the text between the PEM delimiters and base-64 decoding it.
> --
> John Dennis <>

Freeipa-users mailing list
