Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread John Dennis

On 01/06/2012 04:55 PM, Rob Crittenden wrote:
> The cli outputs a base64 blob of data.

Yes, it output a base64 blob to stdout. But that base64 blob is
completely non-standard as an exchange format, it's just a textual
encoding of the binary DER data.

However the cli can write PEM format to a file using the --out option.
PEM is standard and you should have no problems finding code that
accepts PEM. I would strongly suggest you stick to standard PEM and use
utilities to convert it to DER only if the software you're importing it
into is borked and can't accept PEM.

> If you took that and ran it through a base64 decoder you'd have DER
> format. You can't get DER directly right now. We could probably add
> an option to write a file in DER format if you wanted to open an RFE
> on our trac instance.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
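
The relationship between the three encodings discussed in this message (bare base64 blob, PEM, DER), as an added example that is not part of the original thread or of the IPA code. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed DER SEQUENCE, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if the buffer is one SEQUENCE whose encoded length spans it exactly."""
    if len(der) < 2 or der[0] != 0x30:      # 0x30 = constructed SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                        # short form: length in one octet
        return len(der) == 2 + first
    n = first & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der(text: str) -> bytes:
    """Accept PEM or a bare base64 blob and return the DER bytes."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text        # no delimiters: treat as bare blob
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der_length_ok(der):              # catches truncated or pasted-over input
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM certificate delimiters, 64 base64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: SEQUENCE header declaring 256 content bytes, followed by
# 256 filler bytes. It has the outer shape of a certificate but is not one.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_BLOB = base64.b64encode(SAMPLE_DER).decode("ascii")   # bare blob form

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem)
    print("PEM  -> DER round trip ok:", to_der(pem) == SAMPLE_DER)
    print("blob -> DER round trip ok:", to_der(SAMPLE_BLOB) == SAMPLE_DER)
```

The length check is what distinguishes a clean conversion from a blob that was cut short when copied from a terminal; base64 decoding alone would accept the truncated text.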


Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread Stephen Ingram
Yes, the Java keystore appears only to accept DER, but I agree, it's
the exception rather than the rule. And, yes, a simple command:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

does the trick--I just confirmed that it works. As I had seen quite a
bit of discussion regarding this on the list, I was more curious than
anything as to whether IPA would output directly in DER. I was also
coming more from the point of training people to perform this
function.

Steve

On Fri, Jan 6, 2012 at 1:58 PM, John Dennis  wrote:
> On 01/06/2012 04:45 PM, Stephen Ingram wrote:
>>
>> I noticed a message on here some time ago about changing IPA to output
>> certificates in PEM format instead of DER. I see that in version
>> 2.1.4, the UI does indeed output in PEM format. It appears as though
>> the CLI still outputs in DER. Is this the case? I agree that PEM is
>> certainly more typical, however, when working with the Java keystore,
>> it asks for DER format. Should I still be able to get that from IPA or
>> should I just use openssl to convert it?
>
>
> It's much better to use PEM format, it's portable and accepted by all PKI
> software.
>
> The --out option of cert_show command line writes the cert in PEM format to
> a file.
>
> Thus both the web UI and the command line both now support PEM.
>
> Not sure about the Java keystore, I would expect it should accept either DER
> or PEM but if indeed it only supports DER then it's trivial to convert PEM to
> DER. There should be an existing utility to do it. If not it's as simple as
> taking the text between the PEM delimiters and base-64 decoding it.
>
>
> --
> John Dennis 
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/



Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread John Dennis

On 01/06/2012 04:45 PM, Stephen Ingram wrote:
> I noticed a message on here some time ago about changing IPA to output
> certificates in PEM format instead of DER. I see that in version
> 2.1.4, the UI does indeed output in PEM format. It appears as though
> the CLI still outputs in DER. Is this the case? I agree that PEM is
> certainly more typical, however, when working with the Java keystore,
> it asks for DER format. Should I still be able to get that from IPA or
> should I just use openssl to convert it?

It's much better to use PEM format, it's portable and accepted by all
PKI software.

The --out option of cert_show command line writes the cert in PEM format
to a file.

Thus both the web UI and the command line both now support PEM.

Not sure about the Java keystore, I would expect it should accept either
DER or PEM but if indeed it only supports DER then it's trivial to convert
PEM to DER. There should be an existing utility to do it. If not it's as
simple as taking the text between the PEM delimiters and base-64
decoding it.



--
John Dennis 



Re: [Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread Rob Crittenden

Stephen Ingram wrote:
> I noticed a message on here some time ago about changing IPA to output
> certificates in PEM format instead of DER. I see that in version
> 2.1.4, the UI does indeed output in PEM format. It appears as though
> the CLI still outputs in DER. Is this the case? I agree that PEM is
> certainly more typical, however, when working with the Java keystore,
> it asks for DER format. Should I still be able to get that from IPA or
> should I just use openssl to convert it?

The cli outputs a base64 blob of data. If you took that and ran it
through a base64 decoder you'd have DER format. You can't get DER
directly right now. We could probably add an option to write a file in
DER format if you wanted to open an RFE on our trac instance.


rob



[Freeipa-users] PEM and DER certificate formats

2012-01-06 Thread Stephen Ingram
I noticed a message on here some time ago about changing IPA to output
certificates in PEM format instead of DER. I see that in version
2.1.4, the UI does indeed output in PEM format. It appears as though
the CLI still outputs in DER. Is this the case? I agree that PEM is
certainly more typical, however, when working with the Java keystore,
it asks for DER format. Should I still be able to get that from IPA or
should I just use openssl to convert it?

Steve
