Yes, the Java keystore appears only to accept DER, but I agree, it's the exception rather than the rule. And, yes, a simple command:

    openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

does the trick--I just confirmed that it works. As I had seen quite a bit of discussion regarding this on the list, I was more curious than anything as to whether IPA would output directly in DER. I was also coming more from the point of training people to perform this function.

Steve

On Fri, Jan 6, 2012 at 1:58 PM, John Dennis <[email protected]> wrote:
> On 01/06/2012 04:45 PM, Stephen Ingram wrote:
>>
>> I noticed a message on here some time ago about changing IPA to output
>> certificates in PEM format instead of DER. I see that in version
>> 2.1.4, the UI does indeed output in PEM format. It appears as though
>> the CLI still outputs in DER. Is this the case? I agree that PEM is
>> certainly more typical, however, when working with the Java keystore,
>> it asks for DER format. Should I still be able to get that from IPA or
>> should I just use openssl to convert it?
>
> It's much better to use PEM format, it's portable and accepted by all PKI
> software.
>
> The --out option of cert_show command line writes the cert in PEM format to
> a file.
>
> Thus both the web UI and the command line both now support PEM.
>
> Not sure about the Java keystore, I would expect it should accept either DER
> or PEM but if indeed it only supports DER then it's trivial to convert PEM to
> DER. There should be an existing utility to do it. If not it's as simple as
> taking the text between the PEM delimiters and base-64 decoding it.
>
> --
> John Dennis <[email protected]>
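The manual conversion mentioned in the quoted reply (take the text between the PEM delimiters and base64-decode it), as an added example that is not part of the original thread. The function names and the sample input are constructed for illustration, and the check that the DER length field matches the decoded size goes beyond what the thread states.

```python
import base64
import re

# Matches one PEM certificate block (text between the BEGIN/END delimiters).
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_total_length(der: bytes) -> int:
    """Return the full encoded length declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem_text: str) -> list:
    """Decode every certificate block in pem_text to DER bytes."""
    out = []
    for body in PEM_CERT.findall(pem_text):
        # Strip line breaks, then decode strictly (rejects non-base64 characters).
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("truncated or trailing data in PEM block")
        out.append(der)
    if not out:
        raise ValueError("no PEM certificate block found")
    return out


def make_sample_pem():
    """Constructed input: a 304-byte DER SEQUENCE, not a real certificate."""
    payload = b"\x04\x82\x01\x28" + bytes(296)   # OCTET STRING, 296 zero bytes
    der = b"\x30\x82\x01\x2c" + payload           # SEQUENCE, content length 300
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return der, f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der, pem = make_sample_pem()
    print(pem_to_der(pem)[0] == der)
```

The length check catches a PEM file that lost a line in copy and paste, which plain base64 decoding would accept silently.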
