I need to set up an Apache 2 server with SSL.
I have my *.key file, but in all the documentation I've found online, *.crt files are specified, and my CA only provided me with a *.cer file.
Are *.cer files the same as *.crt? If not, how can I convert CER to CRT format?
Just do
openssl x509 -req -days 365 -in server.cer -signkey server.key -out server.crt
Here is one case that worked for me if we need to convert .cer to .crt, though both of them are contextually the same
openssl pkcs12 -in identity.p12 -nokeys -out mycertificate.crt
where we should have a valid private key (identity.p12) in PKCS 12 format; this one I generated from the keystore (.jks file) provided by the CA (Certification Authority) who created my certificate.
Basically there are two CER certificate encoding types, DER and Base64. When type DER returns an error loading certificate (asn1 encoding routines), try the PEM and it shall work.
openssl x509 -inform DER -in certificate.cer -out certificate.crt
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
If your .cer file is in binary format, you must convert it with
openssl x509 -inform DER -in YOUR_CERTIFICATE.cer -out YOUR_CERTIFICATE.crt
According to the mod_ssl documentation:
SSLCertificateFile:
Name: SSLCertificateFile
Description: Server PEM-encoded X.509 certificate file
Certificate file should be PEM-encoded X.509 Certificate file:
openssl x509 -inform DER -in certificate.cer -out certificate.pem
The .cer and .crt file should be interchangeable as far as importing them into a keystore.
Take a look at the contents of the .cer file. Erase anything before the -----BEGIN CERTIFICATE----- line and after the -----END CERTIFICATE----- line. You'll be left with the BEGIN/END lines with a bunch of Base64-encoded stuff between them.
-----BEGIN CERTIFICATE-----
MIIDQTCCAqqgAwIBAgIJALQea21f1bVjMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
...
pfDACIDHTrwCk5OefMwArfEkSBo/
-----END CERTIFICATE-----
Then just import it into your keyfile using keytool.
keytool -import -alias myalias -keystore my.keystore -trustcacerts -file mycert.cer
CER is an X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.
It is not the same encoding.
I assume that you have a .cer file containing PKCS#7-encoded certificate data and you want to convert it to PEM-encoded certificate data (typically a .crt or .pem file). For instance, a .cer file containing PKCS#7-encoded data looks like this:
-----BEGIN PKCS7-----
MIIW4gYJKoZIhvcNAQcCoIIW0zCCFs8CAQExADALBgkqhkiG9w0BBwGggha1MIIH
...
POI9n9cd2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G
+bKhADEA
-----END PKCS7-----
PEM certificate data looks like this:
-----BEGIN CERTIFICATE-----
MIIHNjCCBh6gAwIBAgIQAlBxtqKazsxUSR9QdWWxaDANBgkqhkiG9w0BAQUFADBm
...
nv72c/OV4nlyrvBLPoaS5JFUJvFUG8RfAEY=
-----END CERTIFICATE-----
There is an OpenSSL command that will convert .cer files (with PKCS#7 data) to the PEM data you may be expecting to encounter (the BEGIN CERTIFICATE block in the example above). You can coerce PKCS#7 data into PEM format by this command on a file we'll call certfile.cer:
openssl pkcs7 -text -in certfile.cer -print_certs -outform PEM -out certfile.pem
Note that a .cer or .pem file might contain one or more certificates (possibly the entire certificate chain).
I use command:
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
But CER is an X.509 certificate in binary form, DER encoded. CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.
Because of that, maybe you should use:
openssl x509 -inform DER -in certificate.cer -out certificate.crt
And then to import your certificate:
Copy your CA to dir:
/usr/local/share/ca-certificates/
Use command:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store:
sudo update-ca-certificates
The answer to the question how to convert a .cer file into a .crt file (they are encoded differently!) is:
openssl pkcs7 -print_certs -in certificate.cer -out certificate.crt
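The answers above describe three encodings a .cer file may arrive in: DER, PEM, and PKCS#7. As an added example (not part of any answer on this page), the shell functions below detect which one a file uses, write PEM output of the kind SSLCertificateFile expects, and check that the certificate belongs to the private key. The function names, script name and file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; file and function names are placeholders, not from the page.

# cer_to_pem IN OUT: detect how IN is encoded and write PEM certificate(s) to OUT.
cer_to_pem() {
    in=$1
    out=$2
    if grep -q -- '-----BEGIN PKCS7-----' "$in"; then
        # PEM-armoured PKCS#7 bundle, which may carry the whole chain
        openssl pkcs7 -print_certs -in "$in"
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$in"; then
        # Already PEM; the sed below drops any text around the blocks
        cat "$in"
    elif openssl x509 -inform DER -in "$in" -noout 2>/dev/null; then
        # Binary DER holding a single certificate
        openssl x509 -inform DER -in "$in"
    else
        # Last guess: binary (DER) PKCS#7 bundle
        openssl pkcs7 -inform DER -print_certs -in "$in" 2>/dev/null
    fi | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    # Succeed only if OUT now starts with a parseable X.509 certificate
    openssl x509 -in "$out" -noout 2>/dev/null
}

# cert_matches_key CERT KEY: succeed only if CERT carries the public key that
# belongs to the private key KEY (the pair named by SSLCertificateFile and
# SSLCertificateKeyFile must match).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh cer2crt.sh server.cer server.crt server.key
if [ "$#" -eq 3 ]; then
    cer_to_pem "$1" "$2" || { echo "not a certificate: $1" >&2; exit 1; }
    cert_matches_key "$2" "$3" || { echo "certificate/key mismatch" >&2; exit 1; }
    echo "OK: $2 is PEM and matches $3"
fi
```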
Source: Stackoverflow.com