Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?

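Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverFlow original URL: http://stackoverflow.com/questions/642284/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow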

Time: 2020-09-13 17:22:44  Source: igfitidea

apache ssl

Asked by M.N

I need to set up an Apache 2 server with SSL.

I have my *.key file, but in all the documentation I've found online, *.crt files are specified, and my CA only provided me with a *.cer file.

Are *.cer files the same as *.crt? If not, how can I convert CER to CRT format?

Accepted answer by M.N

File extensions for cryptographic certificates aren't really as standardized as you'd expect. Windows by default treats double-clicking a .crt file as a request to import the certificate into the Windows Root Certificate store, but treats a .cer file as a request just to view the certificate. So, they're different in the sense that Windows has some inherent different meaning for what happens when you double click each type of file.

But the way that Windows handles them when you double-click them is about the only difference between the two. Both extensions just represent that it contains a public certificate. You can rename a certificate file to use one extension in place of the other in any system or configuration file that I've seen. And on non-Windows platforms (and even on Windows), people aren't particularly careful about which extension they use, and treat them both interchangeably, as there's no difference between them as long as the contents of the file are correct.

Making things more confusing is that there are two standard ways of storing certificate data in a file: One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----". These encode the same data but in different ways. Most systems accept both formats, but, if you need to, you can convert one to the other via openssl or other tools. The encoding within a certificate file is really independent of which extension somebody gave the file.

Answer by Dmitry Grigansky

According to the mod_ssl documentation:

SSLCertificateFile: 
   Name: SSLCertificateFile
   Description: Server PEM-encoded X.509 certificate file

Certificate file should be PEM-encoded X.509 Certificate file:

openssl x509 -inform DER -in certificate.cer -out certificate.pem

Answer by Liibo

Basically there are two CER certificate encoding types, DER and Base64. When type DER returns an error loading certificate (asn1 encoding routines), try the PEM and it shall work.

openssl x509 -inform DER -in certificate.cer -out certificate.crt

openssl x509 -inform PEM -in certificate.cer -out certificate.crt

Answer by Karl Ward

I assume that you have a .cer file containing PKCS#7-encoded certificate data and you want to convert it to PEM-encoded certificate data (typically a .crt or .pem file). For instance, a .cer file containing PKCS#7-encoded data looks like this:

-----BEGIN PKCS7-----
MIIW4gYJKoZIhvcNAQcCoIIW0zCCFs8CAQExADALBgkqhkiG9w0BBwGggha1MIIH
...
POI9n9cd2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G
+bKhADEA
-----END PKCS7-----

PEM certificate data looks like this:

-----BEGIN CERTIFICATE-----
MIIHNjCCBh6gAwIBAgIQAlBxtqKazsxUSR9QdWWxaDANBgkqhkiG9w0BAQUFADBm
...
nv72c/OV4nlyrvBLPoaS5JFUJvFUG8RfAEY=
-----END CERTIFICATE-----

There is an OpenSSL command that will convert .cer files (with PKCS#7 data) to the PEM data you may be expecting to encounter (the BEGIN CERTIFICATE block in the example above). You can coerce PKCS#7 data into PEM format by this command on a file we'll call certfile.cer:

openssl pkcs7 -text -in certfile.cer -print_certs -outform PEM -out certfile.pem

Note that a .cer or .pem file might contain one or more certificates (possibly the entire certificate chain).
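
Added example (not part of the original answers): the answers above disagree on whether a .cer file holds DER, PEM or PKCS#7 data, so this Python helper classifies the file by its content and picks the matching openssl command from this page. The function names are hypothetical, `-inform DER` for `openssl pkcs7` is the one flag not shown on the page, and any DER input that is not PKCS#7 is assumed to be a bare certificate.

```python
import base64
import re
import shlex

# DER bytes of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def sniff_cert_format(data):
    """Classify certificate bytes by content; the file extension is ignored."""
    match = PEM_LABEL.search(data)  # search: other text may precede BEGIN
    if match:
        kinds = {"CERTIFICATE": "pem-x509", "PKCS7": "pem-pkcs7"}
        return kinds.get(match.group(1).decode("ascii"), "pem-other")
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: some DER structure
        # A PKCS#7 ContentInfo names its content type right after the header.
        if PKCS7_SIGNED_DATA_OID in data[:20]:
            return "der-pkcs7"
        return "der-x509"  # assumption: other DER input is a bare certificate
    return "unknown"

def openssl_to_pem_command(fmt, src, dst):
    """Return the openssl command that writes PEM certificates, or None."""
    templates = {
        "der-x509": "openssl x509 -inform DER -in {src} -out {dst}",
        "pem-pkcs7": "openssl pkcs7 -print_certs -in {src} -out {dst}",
        "der-pkcs7": "openssl pkcs7 -inform DER -print_certs -in {src} -out {dst}",
    }
    template = templates.get(fmt)  # pem-x509 needs no conversion, so None
    if template is None:
        return None
    return template.format(src=shlex.quote(src), dst=shlex.quote(dst))

def der_cert_to_pem(der):
    """Re-wrap a DER certificate as PEM text (same bytes, base64 armoured)."""
    if sniff_cert_format(der) != "der-x509":
        raise ValueError("input is not a bare DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    # Constructed samples: the opening base64 of the two blocks shown above.
    for name, b64 in (("certfile.cer", "MIIW4gYJKoZIhvcNAQcC"),
                      ("certificate.cer", "MIIHNjCCBh6gAwIBAgIQ")):
        fmt = sniff_cert_format(base64.b64decode(b64))
        print(name, fmt, openssl_to_pem_command(fmt, name, "out.pem"))
```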

Answer by Spawnrider

CER is an X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.

It is not the same encoding.

Answer by Alexander Presber

The answer to the question how to convert a .cer file into a .crt file (they are encoded differently!) is:

openssl pkcs7 -print_certs -in certificate.cer -out certificate.crt

Answer by Hugo L.M

I use command:

openssl x509 -inform PEM -in certificate.cer -out certificate.crt

But CER is an X.509 certificate in binary form, DER encoded. CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.

Because of that, you maybe should use:

openssl x509 -inform DER -in certificate.cer -out certificate.crt

And then to import your certificate:

Copy your CA to dir:

/usr/local/share/ca-certificates/

Use command:

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store:

sudo update-ca-certificates

Answer by Mustafa Burak Kalkan

If your cer file has binary format you must convert it by

openssl x509 -inform DER -in YOUR_CERTIFICATE.cer -out YOUR_CERTIFICATE.crt

Answer by CoverosGene

The .cer and .crt file should be interchangeable as far as importing them into a keystore.

Take a look at the contents of the .cer file. Erase anything before the -----BEGIN CERTIFICATE----- line and after the -----END CERTIFICATE----- line. You'll be left with the BEGIN/END lines with a bunch of Base64-encoded stuff between them.

-----BEGIN CERTIFICATE-----
MIIDQTCCAqqgAwIBAgIJALQea21f1bVjMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
...
pfDACIDHTrwCk5OefMwArfEkSBo/
-----END CERTIFICATE-----

Then just import it into your keyfile using keytool.

keytool -import -alias myalias -keystore my.keystore -trustcacerts -file mycert.cer

Answer by Mutuma

Just do

openssl x509 -req -days 365 -in server.cer -signkey server.key -out server.crt