IncludeCertWebFormat
Here is the format of certificate files used for web, SMTP and perhaps other servers.
The private keys must not be world-readable, but the certificates
themselves can be. Typically, the private keys are stored in files that are
not world-readable, in a subdirectory "private" which can itself also be not world-readable.
root@services08.student.cs>2# pwd /fsys1/.software/local/sslCerts-1/config/certs root@services08.student.cs>2# cat private/httpsd-key.pem -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEAzIFZVDKTDnooK5rCFVwKVDVpirsOxh5oqudSIUyxPH5pG7wJ vGGBwdHgoyo/J9LZEieBWcqlLXXMK7IALAmo3MKJ8V8A3G65DrD2nc0PbZFWlu8D WadeM53hKBcAcSilFR+IjAiAPK5w0xm5jfFL48nfnWDHdwcc2wILYnQLgwDORLH4 1fkGYGtGfGKA8QLtFpR1SJOFnNFwq4GAb1ibIHEitIfAQG3LEpn0bUKACDuKAJVI /yI+AUlBS92r/YPzE0Hs07DwcqB0cqQk1E0AIkaWyTzSHFnvI0Izv+HBOFhbIquD MbNlE8u8QxF7Gdt8St5DKm3VXmFnzYsk5Bj9aQIDAQABAoIBAQCfQWurIedbMs3t hwr1T0PL5/xUyO7sYenojVNsEylCjr6Tlo+OX/CIW0SwS8n63Tul45Xbsu+Gw2FH 9cokgTE7GVQK34zwHFmIk065/GKzVKc1ytO1EZ1OXPhmG+OAO8Ky/Gd9hXE30DCU dEgHvYz3ytGU4TT0AFn8Q09SUERWsvkztQQI3R/yMdekaGQf3LP8whKj+IRKBJgN LfJelGCuaq5UfyiRX15tu4YpES6cZ0gB0ZT3/FhbS3tfPFX7rb6FyDowxBS5cRTk usCqURDy4U6/Zb4QASUc1vNxzJhIc0kMHwNAYbrwgIkIz3dPh8MyzYilZAkA4rLz XJY8Wk4BAoGBAO9aH0cCl8xjJscnUcHXGJDW8m3MznzAWZ03NZ3jAHyxLrYuAF+6 SsubS65tmMoNf15slB4oOb6m2WtctqqOMa1xxkTEzKwOHpv3sSWGi/DpvggwgahN l+HxBS6eX4kRDQr6Zqj8EbjNdLQWhsfsL6nPKriOym9Dbi4qbZlBx9TxAoGBANq6 v64VlggXyJdgyGRejRo1sNb1M+2zl7zkpXRAlnt6ie3iS5mqEndIyXf0q8dyjKLL ZN9uGx4vDwhDBcDEhAASAn0OMrYCSJcumz/OE5Zk4ltEx52rh3VR4R/QBwjL7HY4 4cITQas4YLw+egvEZguIeoWEXD0rZ3+XR6HcTM/5AoGBAKbv13LCdzdBTFGItfgZ WnPixxEX0EioK5iAYi/tnHBbb7X2naImn3YkqQNOQ0thYJ1t41ypN6UmX+wGrQyF wlYzTVK3Y/z4mBa2CeKfVclAbZ7une/RtoYKgU/De+RwdQVcIe/oZz/aZHQaZgTY UWIBMM2qIby6bgVa6DgE7igxAoGBAK+3QQ+wJbRgrvP1e2cukjqREXzOxaXbFjZY lRa8YGfYPIBPwJ41A9qyLa/hbjKvMo4Bygq4oK5x7aicdz2yYbzQuxEN2+1eDkTt 2yi5/ABhEXty2M4wo4S7f5iX/V6yvEcJUUwhPis4AnaX1mInqDbxsEQc3iECAoZ8 2L4OheK5AoGAdJLuCK/VqB+bjqdSuv+id4UhVyB4cPqkNyHt3Yqydi+KYYj2iIAe Kel0739XTJXv4GaL6T4Cl5ZZHxajTzrbV36XthSOfIBE3IAdeEcwWoQF4ISwEyLP vrnRcgUQEWUbSxSGU+OZDqa80E6Uqe4lPLnXC2BMxdGWNTV1AN4gsF8= -----END RSA PRIVATE KEY----- root@services08.student.cs>2# root@services08.student.cs>2# cat httpsd.pem Certificate: Data: Version: 3 (0x2) Serial Number: 01:00:00:00:00:01:27:e4:b2:1c:14 Signature Algorithm: 
sha1WithRSAEncryption Issuer: OU=Organization Validation CA, O=GlobalSign, CN=GlobalSign Organization Validation CA Validity Not Before: Apr 9 21:30:10 2010 GMT Not After : May 20 13:14:24 2011 GMT Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=www.student.cs.uwaterloo.ca Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b2:35:32:33:ed:6c:f4:6d:b5:5c:39:55:b7:2f: 1c:ca:b4:8f:0e:5f:58:dc:4e:c5:8f:50:a0:83:04: bd:48:ac:48:49:ed:a1:6d:4d:d6:ef:86:2a:0c:2a: c3:87:57:c0:37:9b:20:03:72:f1:a0:4f:2a:7d:4b: b4:51:e1:13:03:37:14:f5:49:91:25:21:ca:e0:a6: e2:71:e4:23:d2:ff:51:ff:d1:a4:b4:f2:9b:7d:4e: cd:49:4f:73:a3:34:5e:a0:f0:7d:ad:11:11:3b:46: 1d:cb:c5:d2:95:69:50:18:0c:f4:1b:d3:d9:af:7f: 1c:f4:77:de:c0:20:28:0d:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:7D:6D:2A:EC:66:AB:A7:51:36:AB:02:69:F1:70:8F:C4:59:0B:9A:1F Authority Information Access: CA Issuers - URI:http://secure.globalsign.net/cacert/orgv1.crt X509v3 CRL Distribution Points: URI:http://crl.globalsign.net/OrganizationVal1.crl X509v3 Subject Key Identifier: DC:55:92:06:B7:F7:0A:D5:4C:78:C3:AA:1D:9E:71:FA:BA:2D:90:04 X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.4146.1.20 CPS: http://www.globalsign.net/repository/ Netscape Cert Type: SSL Client, SSL Server X509v3 Subject Alternative Name: DNS:www.student.cs.uwaterloo.ca, DNS:student.cs.uwaterloo.ca Signature Algorithm: sha1WithRSAEncryption 3f:04:fd:0d:9f:dc:e1:9e:c3:df:25:c6:a4:7b:d3:80:4a:11: 85:d7:c2:5a:be:46:92:25:62:f1:ae:c0:88:53:cb:02:dd:10: 07:05:e9:dc:ef:c3:7b:fd:67:44:ec:c1:f6:45:e8:d6:be:26: 56:51:94:41:4c:c7:51:45:4d:52:5e:a8:e2:08:82:b7:58:5f: 44:f8:1c:21:c4:6c:c7:37:d4:2f:a3:9e:f2:80:c9:14:b2:8f: 
77:f5:6e:81:0b:27:b3:08:14:43:2e:5b:e0:1f:9b:02:60:36: 07:e6:8f:c9:cf:34:40:19:67:de:93:a3:fe:3c:b4:17:66:4f: 7e:e9:c5:f3:8f:91:9c:18:7f:3b:b1:c7:8f:7a:a6:ba:e1:30: 51:4b:6c:ca:33:7e:d6:91:0e:69:27:46:a4:08:2e:a7:7d:d5: 06:82:ca:3c:e2:48:1d:48:5d:1a:35:42:48:53:50:60:40:6b: b6:b0:00:39:0d:af:b5:45:9d:ca:2d:0b:61:be:b8:c0:2e:05: 7d:9a:43:c8:b2:d5:81:a0:10:12:fd:21:a2:39:6a:5f:8b:90: 70:5c:60:e0:ef:ad:d4:c6:6c:1b:70:36:9c:2c:2b:88:79:a5: 82:dc:a3:37:6c:94:2d:f7:c2:1f:be:b1:37:60:47:08:6a:70: 50:81:fa:52 -----BEGIN CERTIFICATE----- MIIEnTCCA4WgAwIBAgILAQAAAAABJ+SyHBQwDQYJKoZIhvcNAQEFBQAwajEjMCEG A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp b24gQ0EwHhcNMTAwNDA5MjEzMDEwWhcNMTEwNTIwMTMxNDI0WjB5MQswCQYDVQQG EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xJDAiBgNVBAMMG3d3dy5zdHVkZW50 LmNzLnV3YXRlcmxvby5jYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsjUy M+1s9G21XDlVty8cyrSPDl9Y3E7Fj1CggwS9SKxISe2hbU3W74YqDCrDh1fAN5sg A3LxoE8qfUu0UeETAzcU9UmRJSHK4KbiceQj0v9R/9GktPKbfU7NSU9zozReoPB9 rRERO0Ydy8XSlWlQGAz0G9PZr38c9HfewCAoDXECAwEAAaOCAbcwggGzMB8GA1Ud IwQYMBaAFH1tKuxmq6dRNqsCafFwj8RZC5ofMEkGCCsGAQUFBwEBBD0wOzA5Bggr BgEFBQcwAoYtaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLm5ldC9jYWNlcnQvb3Jn djEuY3J0MD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5u ZXQvT3JnYW5pemF0aW9uVmFsMS5jcmwwHQYDVR0OBBYEFNxVkga39wrVTHjDqh2e cfq6LZAEMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCkGA1UdJQQiMCAGCCsG AQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzBLBgNVHSAERDBCMEAGCSsGAQQB oDIBFDAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdsb2JhbHNpZ24ubmV0L3Jl cG9zaXRvcnkvMBEGCWCGSAGG+EIBAQQEAwIGwDA/BgNVHREEODA2ght3d3cuc3R1 ZGVudC5jcy51d2F0ZXJsb28uY2GCF3N0dWRlbnQuY3MudXdhdGVybG9vLmNhMA0G CSqGSIb3DQEBBQUAA4IBAQA/BP0Nn9zhnsPfJcake9OAShGF18JavkaSJWLxrsCI U8sC3RAHBenc78N7/WdE7MH2RejWviZWUZRBTMdRRU1SXqjiCIK3WF9E+BwhxGzH N9Qvo57ygMkUso939W6BCyezCBRDLlvgH5sCYDYH5o/JzzRAGWfek6P+PLQXZk9+ 
6cXzj5GcGH87scePeqa64TBRS2zKM37WkQ5pJ0akCC6nfdUGgso84kgdSF0aNUJI U1BgQGu2sAA5Da+1RZ3KLQthvrjALgV9mkPIstWBoBAS/SGiOWpfi5BwXGDg763U xmwbcDacLCuIeaWC3KM3bJQt98IfvrE3YEcIanBQgfpS -----END CERTIFICATE----- root@services08.student.cs>2#
Although I based this on actual certificates, I substituted an incorrect private key.
The openssl command can be used, as in openssl x509 -text, using one of the certificate
portions as input. That will show a readable (well, verbose) form of the certificate.
That can be useful to help be sure you are replacing the correct
host certificate, and also to check the expiry date, etc.
Typically, as is shown here, the previous installer will include that
information in the .pem file. But it is optional, and occasionally
the text may not match the certificate.
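One way to catch that mismatch before replacing a file, as an added example that is not part of the original page: the stored text is compared with text regenerated from the base64 block by openssl. The helper names cert_id_lines and pem_text_matches are hypothetical, and only the Subject and Not After lines are compared.

```sh
#!/bin/sh
# Added example: compare the text stored in a .pem file with the certificate
# that the file really contains. cert_id_lines and pem_text_matches are
# hypothetical helper names.

# Keep only the lines that identify the host and the expiry date, with
# whitespace normalised ("C=CA" and "C = CA" differ between openssl versions).
cert_id_lines() {
    grep -E '^[[:space:]]*(Subject:|Not After *:)' |
        sed -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*=[[:space:]]*/=/g' \
            -e 's/[[:space:]][[:space:]]*/ /g'
}

# Exit status: 0 stored text agrees with the certificate, 1 it does not,
# 2 nothing to compare (no stored text, or no readable certificate).
pem_text_matches() {
    file=$1
    # Text as a previous installer left it: everything before the BEGIN line.
    stored=$(sed '/-----BEGIN CERTIFICATE-----/,$d' "$file" | cert_id_lines)
    # Text regenerated from the base64 block, which is what the server reads.
    actual=$(openssl x509 -in "$file" -noout -text 2>/dev/null | cert_id_lines)
    if [ -z "$stored" ] || [ -z "$actual" ]; then
        echo "$file: nothing to compare" >&2
        return 2
    fi
    if [ "$stored" != "$actual" ]; then
        echo "$file: stored text does not match the certificate" >&2
        echo "stored: $stored" >&2
        echo "actual: $actual" >&2
        return 1
    fi
    return 0
}
```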
The following matches a particular sequence known to exist in the
encoding of the OrganizationSSL certificate, in order to find and
extract it from the cacert.pem file where the Apache web software
is typically configured to find it.
perl -ane < /software/sslCerts/config/certs/cacert.pem \
'# start of a certificate block: reset the buffer and the match flag
if(/---BEGIN C/){$c="";$p=0};
# a base64 line known to occur in the OrganizationSSL certificate
if(/^c738B0E0t6pu7qfb0/){$p=1};
# collect every line; at the end of a block print it only if it matched
$c.=$_;if(/---END C/){if($p){print $c;$p=0}}'
To see details of that certificate, you could even do...
perl -ane < /software/sslCerts/config/certs/cacert.pem \
'if(/---BEGIN C/){$c="";$p=0};
if(/^c738B0E0t6pu7qfb0/){$p=1};
$c.=$_;if(/---END C/){if($p){print $c;$p=0}}' | openssl x509 -text
Relevant Apache config lines will look like...
root@services08.student.cs>2# pwd
/fsys1/.software/local/wwwapache-1.3_server/config
root@services08.student.cs>2# grep /sslC * /dev/null /dev/null | grep -v ':#'
httpd.conf: SSLCertificateFile /software/sslCerts-1/config/certs/odyssey.student.cs.uwaterloo.ca.pem
httpd.conf: SSLCertificateKeyFile /software/sslCerts-1/config/certs/private/httpsd-key.pem
httpd.conf:SSLCACertificateFile /software/sslCerts-1/config/certs/cacert.pem
root@services08.student.cs>2#
Which reveals a lie in our presentation. The www.student.cs.uwaterloo.ca
certificate has actually been superseded by the odyssey.student.cs.uwaterloo.ca
certificate. (Note that correspondence between names of files and the
certificates they contain is not mandatory, but is advisable.)
It is beyond the scope of these pages to tell you how to set up such Apache configuration; what is here is just hints to help you analyze any particular configuration for which you may have been entrusted with the update of a certificate.
Anecdotal warning: although Apache will find the OrganizationSSL certificate in the cacert.pem file, as it is configured to do in the example, that OrganizationSSL certificate can in fact be placed in the SSLCertificateFile instead. In such a case the SSLCACertificateFile may not be defined at all. At least once it happened that such a pair of certificates was replaced during renewal by the host certificate only. With no SSLCACertificateFile defined, the web server could not return the OrganizationSSL certificate. However, that was initially undetected, because clients (web browsers) will typically be able to use the certificate they obtained from another uwaterloo.ca web site. That is, the problem thus created is only evident if the broken site is the first uwaterloo.ca site a browser visits. Further experimentation suggests that the above was true only for Apache 1.3, if at all. Apache 2 appears to require the directive SSLCertificateChainFile to be specified if you wish to include a chain of several certificates.
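A check to run on the renewed files before restarting the server, given the anecdote above: it confirms that a certificate whose subject is the host certificate's issuer is still among the files the server is configured to read. This is an added example, not part of the original page; issuer_present is a hypothetical helper name, and the host certificate is assumed to be the first certificate in the first file given.

```sh
#!/bin/sh
# Added example: after a renewal, check that the certificate of the host
# certificate's issuer is still among the files the server will read.
# issuer_present is a hypothetical helper name. The host certificate is
# assumed to be the first certificate in the first file given.
# Exit status: 0 issuer found, 1 issuer missing, 2 no readable certificate.
# Only names are compared (openssl's issuer and subject hashes); signatures
# are not verified here.
issuer_present() {
    tmp=$(mktemp -d) || return 2
    # Split every certificate in the given files into $tmp/cert.N.pem,
    # skipping any stored text between the PEM blocks.
    cat "$@" | awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/cert." n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0; close(d "/cert." n ".pem") }'
    want=$(openssl x509 -in "$tmp/cert.1.pem" -noout -issuer_hash 2>/dev/null) || want=""
    if [ -z "$want" ]; then
        rm -rf "$tmp"
        return 2
    fi
    status=1
    for f in "$tmp"/cert.*.pem; do
        # The host certificate itself does not count as its own issuer.
        if [ "$f" = "$tmp/cert.1.pem" ]; then continue; fi
        have=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || have=""
        if [ "$have" = "$want" ]; then status=0; fi
    done
    rm -rf "$tmp"
    return $status
}
```

Call it with the SSLCertificateFile first, followed by the SSLCACertificateFile or SSLCertificateChainFile if one is configured.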
-- AdrianPepper - 21 Nov 2011