[Freeipa-users] PEM and DER certificate formats

Stephen Ingram sbingram at gmail.com
Fri Jan 6 22:07:54 UTC 2012


Yes, the Java keystore appears only to accept DER, but I agree, it's
the exception rather than the rule. And, yes, a simple command:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

does the trick--I just confirmed that it works. As I had seen quite a
bit of discussion regarding this on the list, I was more curious than
anything as to whether IPA would output directly in DER. I was also
coming more from the point of training people to perform this
function.

Steve

On Fri, Jan 6, 2012 at 1:58 PM, John Dennis <jdennis at redhat.com> wrote:
> On 01/06/2012 04:45 PM, Stephen Ingram wrote:
>>
>> I noticed a message on here some time ago about changing IPA to output
>> certificates in PEM format instead of DER. I see that in version
>> 2.1.4, the UI does indeed output in PEM format. It appears as though
>> the CLI still outputs in DER. Is this the case? I agree that PEM is
>> certainly more typical, however, when working with the Java keystore,
>> it asks for DER format. Should I still be able to get that from IPA or
>> should I just use openssl to convert it?
>
>
> It's much better to use PEM format, it's portable and accepted by all PKI
> software.
>
> The --out option of cert_show command line writes the cert in PEM format to
> a file.
>
> Thus both the web UI and the command line both now support PEM.
>
> Not sure about the Java keystore, I would expect it should accept either DER
> or PEM but if indeed it only supports DER then it's trivial to convert PEM to
> DER. There should be an existing utility to do it. If not it's as simple as
> taking the text between the PEM delimiters and base-64 decoding it.
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/



