SSL Cheat Sheet

Common X.509 Transport File Extensions

.DER : Binary encoding scheme for certificates.
Additionally, .crt and .cer extensions may be used on DER encoded certificate files.

.PEM : Base64 encoded ASCII files.
May be used to encapsulate certificate or key data.

Common X.509 Certificate File Extensions

.CRT :  Certificate file (Nix).  Enclosed certificate data may be encoded as binary DER or ASCII PEM
Most commonly used on nix systems but near synonymous with Microsoft .CER file extension

.CER :  Certificate file (Microsoft).  Enclosed certificate data may be encoded as binary DER or ASCII Base64 (PEM)

.KEY : Private and public key data.  Enclosed key data may be encoded as binary DER or ASCII Base64 (PEM)

.p7s : Microsoft PEM (ASCII) bundle file used to encapsulate certificate and key data.  Import directly to IIS10

.pfx : Microsoft DER (Binary) bundle file user to encapsulate certificate and key data.  Export directly from IIS10

Decode PEM (ASCII Base64) encoded data file

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.crt -text -noout
openssl x509 -in cert.cer -text -noout

Decode DER (binary) encoded data file

openssl x509 -in cert.der -inform der -text -noout

Incompatible format errors

Attempting to decode pem as der or vice-versa may produce one or more of the following errors

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Extract keys and certificates from .pfx bundle file

Export the PFX bundle from IIS
A password is required to encrypt the private key

Extract ASCII PEM from DER encoded binary pfx file
openssl pkcs12 -in bundle.pfx -out bundel.pem
cat bundle.pem

Extract the private key
The password used to encrypt the pfx is required
openssl pkcs12 -in bundle.pfx -nocerts -out private.key

Note when prompted for a password.
First, Enter the password used to export the pfx bundle
Second, Enter a (new) import password to encrypt the new file
Third, Verify the import password
Failure to provide an import password produces an empty certificate file

Apache requires the key in PEM format, with the import password stripped out.
openssl rsa -in private.key -outform PEM -out private.key.pem

Extract the intermediate certificate chain
openssl pkcs12 -in bundle.pfx -cacerts -nokeys -out intermediate.crt

Note, SSLLabs will flag an 'anchor' issue if the root authority (digicert)
is included with the intermediate authority (RapidSSL) certificate
The root authority certificate can be safely removed from using a text editor
Client browsers should download the root certificate directly from the root authority

Extract the certificate
openssl pkcs12 -in bundle.pfx -clcerts -nokeys -out INT_CA.crt

Copy certificate and key files to the respective directories

/etc/pki/tls/certs
/etc/pki/tls/private

The original bundle, temporary and transitional files should be removed from the system on completion