Converting certificate formats

Function used to perform conversion of certificate formats

When a client certificate is issued from the K5 portal, it is downloaded in the PKCS#12 format. Depending on the application that uses a client certificate, it may be necessary to convert the certificate to the PEM format.

Converting certificate formats

An example of executing a command to convert a PKCS#12 format certificate to a PEM format certificate is given below.

The example in this chapter uses Openssl.

Note:

When operating a PKCS#12 format certificate, entry of a passphrase is necessary. For the <passphraseForPKCS#12> below, enter the passphrase for the certificate that was configured on the K5 portal.

  • Converting client certificate formats

    $ openssl pkcs12 -in <Client Certificate Name>.p12 -clcerts -nokeys -out <Client Certificate Name (User Defined)>
    Enter Import Password:<passphraseForPKCS#12>
MAC verified OK

  • Extracting the private key

    There are two methods for extracting private keys, "Encrypted private keys" and "Unencrypted private keys".

    Some applications may not be able to use "Encrypted private keys". Only use encrypted private keys after confirming that applications are able to use them.

    • Encrypted private keys

      $ openssl pkcs12 -in <Client Certificate>.p12 -nocerts -out <Name of the Private Key for the Client Certificate (User Defined)>
      Enter Import Password:<passphraseForPKCS#12>
MAC verified OK
Enter PEM pass phrase:<passphraseForPrivateKeyEncryption>
Verifying - Enter PEM pass phrase:<passphraseForPrivateKeyEncryption>
      Note:

      To create encrypted private keys, in addition to the passphrase to load the PKCS#12 format certificate, it is also necessary to enter a user defined passphrase for encryption.

      As this passphrase must be entered when the application actually loads the private key it helps increase the level of security.

    • Unencrypted private keys

      $ openssl pkcs12 -in <Client Certificate>.p12 -nocerts -nodes -out <Name of the Private Key for the Client Certificate (User Defined)>
      Enter Import Password:<passphraseForPKCS#12>
MAC verified OK

Confirming consistency of client certificates and private keys

It is necessary to use corresponding client certificates and private keys. If the client certificate and private key do not correspond, an error will occur.

The following is example of execution of the command to confirm that a client certificate and private key correspond.

  1. Display the information of a PEM format client certificate
    openssl x509 -modulus -noout -in <Client Certificate>
  2. Display the information of a private key
    openssl rsa -modulus -noout -in <Name of the Private Key for the Client Certificate>

When the information displayed for the above "1." and "2." matches the client certificate and private key correspond.