A bit about PEM/CRT/CER/DER files:
Unfortunately there seems to be a bit of confusion about PEM and DER encoded certificate files. Technically speaking a certificate in PEM format is simply a X.509 certificate encoded in ASN1 (DER) encoding and then run through a Base64 encoder. Each Base64 encoded certificate is enclosed in BEGIN/END ASCII string tags. Multiple such certificates can be concatenated into a single file (using the Linux 'cat' command if necessary). This is what a single certificate and a chain of certificates in PEM format look like:Example 1: A single certificate in PEM format:
-----BEGIN CERTIFICATE----- MIIEIzCCAwugAwIBAgIJAIjKQlbSh33iMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2Vs ZXMxFzAVBgNVBAoMDkxhenkgRHVkZSBJbmMuMRswGQYDVQQLDBJIYW1tb2NrIERl cGFydG1lbnQxFDASBgNVBAMMC1N1cmZlciBEdWRlMSEwHwYJKoZIhvcNAQkBFhJu b2JvZHlAbm93aGVyZS5jb20wHhcNMTMxMDMxMDgyNzIzWhcNMTYwODIwMDgyNzIz WjCBpzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcM C0xvcyBBbmdlbGVzMRcwFQYDVQQKDA5MYXp5IER1ZGUgSW5jLjEbMBkGA1UECwwS SGFtbW9jayBEZXBhcnRtZW50MRQwEgYDVQQDDAtTdXJmZXIgRHVkZTEhMB8GCSqG SIb3DQEJARYSbm9ib2R5QG5vd2hlcmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEArylGf3zVhGQ4MoOuNH0PqdIx43t1qjOCTF1JnQFSHjvHgKUs iueG0PWJdHHkNACeKFBjKnHnbiri4wcNFV7Hgmz0cNVkoLcDTkXnG6JFSro8ddz0 J3LWEy8SBe4c3KXxyhxbf0L1O81Ax1vRbD9JxJXyyeoUis5YkYR37bCgnPOha2ZL yaViDcJib3lps0m6WVx/HiXWMpP4vOU3r2dGbO19HpdLo4yFxmjVUBimz/qYk+A/ zqOVLqtYp0rU8MUPSBL1t6sbzTgpMleWEZVNPwE3xzS/DVhJwHC/q1WOMlkzRXmb lnc3iipByxaS6cDBZ852VP3uRW7Kq8dfyceLewIDAQABo1AwTjAdBgNVHQ4EFgQU +WANOPp+8UmNGqEy5U+M9gD5W0cwHwYDVR0jBBgwFoAU+WANOPp+8UmNGqEy5U+M 9gD5W0cwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEArCXsPaRR0gwb kVo9y32t4j7Mf84WWfxvxnIhc31BRkl1fOhA0O6CtHMtzpRXbx2IlF2OxEsiS3Hr 6q0bkDEs+IBdw/T2xRFMj814RCQRUR3iR5yuOSnvGT6+nth1mzEP+kVpbvIQfRg2 H4qQEUWC2Bp65Tq4gVjG4difpyC+cTXxLK2Dr6IwnheXqCythO6fTKM7p1asxYc9 EbTfydorCuqhG/pUDMp0At6kqGcCYd5ZzXfD9Hopwn3AI8Nk9rEX9qfqlwXtwkQD 9j+TErlxUt+OzLRfawDECwxegCLxPU4DQt/btqAJd/7P4uCiC9Ah7i2ySWb3Dnd2 dGx4k0s26g== -----END CERTIFICATE-----
Example 2: A certificate chain in PEM format:
-----BEGIN CERTIFICATE----- MIIDnDCCAoSgAwIBAgIJAJmHnWWcvUFkMA0GCSqGSIb3DQEBBQUAMDcxDzANBgNV ** snip ** PGC1csm4MaulhuQCWrlXVRmWFC0hVYhzAClxF/Y0gadO/SaG+G5ceXGZPpcdwjaY 9d9ljwimr1xFkeB22yXyxw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDzzCCAregAwIBAgIDAWweMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJB ** snip ** mYHovjrHF1D2t8b8m7CKa9aIA5GPBnc6hQLdmNVDeD/GMBWsm2vLV7eJUYs66MmE DNuxUCAKGkq6ahq97BvIxYSazQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFtTCCA52gAwIBAgIIYY3HhjsBggUwDQYJKoZIhvcNAQEFBQAwRDEWMBQGA1UE ** snip ** r0CodaxWkHS4oJyleW/c6RrIaQXpuvoDs3zk4E7Czp3otkYNbn5XOmeUwssfnHdK Z05phkOTOPu220+DkdRgfks+KzgHVZhepA== -----END CERTIFICATE-----
Certificate files come with a confusing variety of file extensions depending on the encoding:
- *.pem - Certificate in PEM format (ASN1 DER and Base64 encoded). This file extension is common on Linux/Unix systems.
- *.crt - Certificate is either in PEM format or ASN1 DER encoded. Recognized by Windows and Linux/Unix.
- *.cer - Certificate is either in PEM format or ASN1 DER encoded. Alternate form of '*.crt' that is recognized by Windows.
- *.der - Certificate is ASN1 DER encoded only.
openssl x509 -inform DER -outform PEM -in foobar.crt -out foobar.pem
This command also works in reverse to transcode PEM encoded certificates back to ASN1 DER format.
Adding your certificate to the global keychain in Fedora 19
It turns out that once you know what the difference between *.pem, *.crt, *.cer and *.der files is adding your Websense certificate to Fedora's global certificate chain is pretty simple. Your Websense system administrator should be able to provide you with a root authority certificate for your Websense system. Once you have that, all you have to do is, get a root shell, copy your *.pem file to the right directory and run one command. I prefer to back up the generated keychains that shipped with Fedora 19 just in case but you can skip that step if you want to:$ su -
$ cd /etc/pki/ca-trust/extracted/pem
$ mv email-ca-bundle.pem email-ca-bundle.bak
$ mv objsign-ca-bundle.pem objsign-ca-bundle.bak
$ mv tls-ca-bundle.pem tls-ca-bundle.bak
$ cp /path/to/your/certificate/foo.pem /etc/pki/ca-trust/source/anchors/
$ update-ca-trust
The update-ca-trust command takes any PEM or DER encoded certificates you added to the source/anchors directory and adds them to your global certificate chains. You should now see a new set of certificate chains with the *.pem files extension in the /etc/pki/ca-trust/extracted/pem directory (/usr/share/pki/ca-trust-source/anchors/ on some systems) and each chain should contain a copy of your certificate. To make sure your certificate made it into the each of the new keychains just grab a random Base64 encoded line from the PEM encoded certificate you wanted to add and grep for it. The string should appear in the *.pem files but not the *.bak files:
$ grep -l BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2\
/etc/pki/ca-trust/extracted/pem/*.*
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
For more information you might want to read the man file for update-ca-trust which, unlike some other man files, is actually human readable.
No comments:
Post a Comment