Ok, this one should be in the docs, but unfortunately, there is only a completely outdated note in there.
For any PKI certificate there are 3 parts:

1. The secret private key, which only the relevant computer should know and which no-one else should be able to see or steal. This can be stored in hardware (at a price), in an encrypted PKCS12 file (extension .pfx or .p12) with the other two parts (mostly some Microsoft programs need this), in an encrypted DER format file (extension varies with the program) (rarely used) or in a PEM-encoded encrypted DER file (extension .key) (the most common for non-Microsoft products such as Apache).

2. The public key, which everybody will know. Most of the time this is simply included as a field inside the cert (part 3 below); only during the first steps of generating the cert may you temporarily need this on its own. This may be stored in DER format (rare) or PEM-encoded DER format (the usual). The file extension varies but is often .pub, .der or .pem.

3. The certificate, which contains the public key, the name of the server or person or company etc. that owns the matching private key, various other important information and a signature (by the same or a different public key) on all these facts. The certificate may be stored with the private key in a PKCS12 file (extension .pfx or .p12) with the other two parts (mostly some Microsoft programs need this), in an unencrypted DER file (extension .crt or .cer) (only Microsoft IIS needs this) or in an unencrypted PEM-encoded DER file (extension .crt or .cer) (everything else uses this).

On 25-07-2010 00:49, Warron French wrote:
I have been reading HOWTOs all over the internet trying to figure out how to generate a self-signed and/or CA (mine) signed certificate. What I can't understand is, WHY do I need an RSA "key" or certificate. I think it's a key. WHY do I need a PEM certificate, and why a DER certificate? Nowhere on any website does it say WHEN to use one type of certificate or just a key. Apache httpd.conf files will reference both .key and .crt files in their syntax; isn't the .crt a PEM-encoded certificate file? If so, why not give it a more meaningful .pem extension instead? Can anyone clarify for me? I am trying not to chase my tail and want to learn this stuff on a deeper level. When do I know if I need to perform the openssl req and then openssl x509 commands and NOT the openssl rsa command? This is all very confusing and I see no simplified (non-doctoral) documentation on this material. Anyone have a book to suggest? Thanks to anyone that can respond.
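The three parts and the req / x509 / rsa sequence the question asks about, as an added example that is not from the thread or from the OpenSSL project itself; the file names, the subject, the scratch directory and the PKCS12 password are all made up for the demonstration:

```shell
#!/bin/sh
# Added example: produce the three parts (private key, public key, certificate)
# and convert the certificate between the PEM, DER and PKCS12 containers.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # scratch dir so no real key is touched
SUBJ="/CN=example.test/O=Example Org"      # constructed subject, not a real host

make_key() {      # part 1: the private key, PEM-encoded (Apache's .key file)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  chmod 600 "$WORK/server.key"             # only this machine should read it
}

make_pubkey() {   # part 2: 'openssl rsa' only converts/extracts, it signs nothing
  openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

make_cert() {     # part 3: 'req' builds the request, 'x509' turns it into a cert
  openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

convert_formats() {   # same cert as DER (.cer for IIS) and as a PKCS12 bundle
  openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server.cer"
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -passout pass:changeit -out "$WORK/server.p12"
}

# Print the PEM label of a file ("CERTIFICATE", "PRIVATE KEY", ...); a DER file
# has no such line, its first byte is the ASN.1 SEQUENCE tag 0x30 instead.
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }
der_first_byte() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }

# The public key inside the cert must be the one matching server.key:
# compare SHA-256 digests of both public keys in DER form.
keys_match() {
  a=$(openssl pkey -in "$WORK/server.key" -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256)
  b=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

build_all() { make_key; make_pubkey; make_cert; convert_formats; }
```

Run `build_all` and then `openssl x509 -in "$WORK/server.crt" -noout -text` to see the public key, subject and signature that the reply above describes sitting inside the certificate.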
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
