I’m not too hot on the ssl side of things. I’m trying to create a pem file to allow my api to communicate securely with an online payment processing site (Datacash).
They have instructed me to download the root certificates from verisign, then concatenate the .509 files into a pem with the following example command:
openssl x509 -inform DER -outform PEM -in cert.509 >> certs.pem
The thing is, the pack of root certs contains .cer, .pem and some .txt files, but no .509. I’m not sure how to modify the openssl command to do the necessary .pem.
I’ve tried
openssl x509 -inform DER -outform PEM -in cert.cer >> all-certs.pem
But I get a bunch of errors:
unable to load certificate
5812:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
5812:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
unable to load certificate
5813:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
5813:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
unable to load certificate
… and many more
I hope someone can help. I’m going nuts here!(:
Apologies if you already know all this, but openssl is a command line utility provided by the openssl cryptography toolkit. Here is its man page.
The x509 parameter is (of course) a command that you feed to the openssl command line utility. Here is its man page.
You say:
So Datacash’s instructions to you don’t appear to be appropriate for your circumstances. You just don’t have an x509 certificate to convert to a .pem file. Try these tricks:
- Maybe you don’t need to convert anything. You already have a .pem file in your certificate package, so just extract it and use it for the Datacash API.
- If that doesn’t work, convert the .cer file you have in the certificate package, like this:
openssl cms -inform DER -outform PEM -in cert.cer -out all-certs.pem
The cms parameter is (you guessed it) another command that you feed to the openssl command line utility. Here is its man page.
Here I am presuming that:
- Your certificate package includes a .cer certificate named cert.cer and you have extracted it to your openssl working directory.
- The cert.cer certificate is encoded in the common DER format, under the common CMS standard.
Apologies if you already know all this, but openssl is a command line utility provided by the openssl cryptography toolkit. Here is its man page.
The x509 parameter is (of course) a command that you feed to the openssl command line utility. Here is its man page.
You say:
So Datacash’s instructions to you don’t appear to be appropriate for your circumstances. They were expecting you to get an x509 certificate from your certificate authority, but you didn’t get one. You got a .cer and a .pem and probably a text version of the certificate string in the text file (in some circumstances you could cut and paste this to a web page that accepted your certificate), but you didn’t get an x509 certificate. This is not so surprising; I would guess that the set of certificate files you’ve received conform to the common certificate format (DER) under the most common cryptography standard (CMS).
Try these tricks:
- You probably don’t need to convert anything. You already have a .pem file in your certificate package, so just extract it and use it for the Datacash API.
- If that doesn’t work, convert the .cer file you have in the certificate package, like this:
openssl cms -inform DER -outform PEM -in cert.cer >> certs.pem
… where cert.cer is the name of the .cer certificate file you’ve extracted from your package, and the .pem encoded conversion will be appended to certs.pem.
The cms parameter is (you guessed it) another command that you feed to the openssl command line utility.
Note that a .pem file will usually contain both a site root certificate and its CA (certificate authority) certificate. So presumably certs.pem should already exist and should already contain the CA certificate. If not, openssl commands can concatenate multiple certificates when required.
One more tip: usually when I’m trying to figure out what certificates are in a package, I just double-click on the contained certificate files, and Windows runs default tools to show me their contents and usage.
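Added example, not part of the original posts: the `wrong tag` error in the question is what `openssl x509 -inform DER` reports when the input does not start with a DER-encoded ASN.1 structure, which is the case for a file that is already PEM text. This script picks `-inform` from each file's content rather than its extension before appending to the bundle. The function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: build one PEM bundle from a mixed pack of root certificates.
# Function names and file names are illustrative assumptions.

# Print PEM, DER or UNKNOWN for the file given as $1.
cert_encoding() {
    # PEM is base64 text wrapped in BEGIN/END CERTIFICATE lines.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
        return
    fi
    # DER is binary ASN.1; a certificate is a SEQUENCE, so byte 0 is 0x30.
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Usage: build_bundle OUT.pem FILE...
# Starts OUT.pem empty, then appends each certificate in PEM form.
build_bundle() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        enc=$(cert_encoding "$f")
        if [ "$enc" = UNKNOWN ]; then
            echo "skipping $f: not a PEM or DER certificate" >&2
            continue
        fi
        # Pick -inform from the file's content, not from its extension.
        openssl x509 -inform "$enc" -outform PEM -in "$f" >> "$out" || return 1
    done
    # List subject and issuer of every certificate now in the bundle.
    openssl crl2pkcs7 -nocrl -certfile "$out" | openssl pkcs7 -print_certs -noout
}

# Example call (file names are placeholders):
#   build_bundle certs.pem roots/*.cer roots/*.pem
```

`openssl x509` reads only the first certificate in a file, so a .pem that already holds several certificates contributes just its first one; split such files before passing them in.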