4

I've got a certificate from sslforFree.com that it contains 3 files:

1-ca_bundle.crt

2-certificate.crt

3-private.key

I could config my Spring-Boot application with a self-signed certificate that was created by Java key tools, now my question is that how can I use these three files??

I expected that there should be just one file that I can put it into my Keystore, but now there are 3 files and I don't know how to use them.

On the other hand, I have android applications as a client. It needs to have a .pem file as a certificate that contains a public-key as below format(I mean just the value of the tags):

<pin-set>
<pin digest="SHA-256">k3XnEYQCK79AtL9GYnT/nyhsabas03V+bhRQYHQbpXU=</pin>
</pin-set>

Now how can I generate .pem file contains a public-key with this format?

I have searched and also found some commands to concatenate .crt and .key files and the result is .pem but it contains some Base64 text that includes these at the start and the end of the file:

-----BEGIN CERTIFICATE-----

xxxxx

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

xxxxx

-----END RSA PRIVATE KEY-----

How can I create a public-key for clients?

And do I need to put that .pem file into my Keystore??

Any help would be appreciated!!

Sobhan
  • 1,280
  • 1
  • 18
  • 31

2 Answers2

1

You can use a tool like KeyStore explorer that could help you convert the keystore and certificate formats. Or you can use the openssl command line tool. If the files you got from the CA are binary (not text), they are probably in the DER encoding, but they can be easily converted to PEM (text) encoding if needed. For the Java server, you need a keystore that will contain the certificate.crt including the private key from private.key. And you should also have a truststore where you import the ca_bundle.crt. The default format for a Java keystore is nowadays PKCS#12.

majster
  • 104
  • 4
1

You should do the same as you were doing with selfsigned cert.

Import your three files into a keystore using keytool. certificate.crt is a file that holds your public key with certification data, ca_bundle.crt is a file that holds public keys of certification authorities which certified your key - this is called a certificate chain, private.key is a file holding the private key of a key pair (public key is a part of certificate) which is used in order to encrypt data on certain phase of SSL connection.

Server part

On server side you need to create a keystore that would incorporate your private key, your certificate (with public key) and certificate chain. Here you can find the command that fits your case.

Client part

At your client you can pin any certificate/key in root-to-leaf chain. The closer your pinned key to leaf the more secure solution you will get. The downside is that the leaf certificates normally have short lifetime so that when you renew server certificate you will have to upgrade the client pin as well.

Good instruction on how to generate sha256 digest can be found in this SO answer.

Alexey R.
  • 8,057
  • 2
  • 11
  • 27
  • first of all thanks for your answer it helped me to find a way, but there is yet a question mark in my mind that how can I generate "SHA-256" public-key for clients as a .pem file? – Sobhan Aug 25 '20 at 06:01
  • 1
    This should help you https://stackoverflow.com/questions/36163093/how-do-we-generate-a-base64-encoded-sha256-hash-of-subjectpublickeyinfo-of-an-x#answer-36186060 – Alexey R. Aug 25 '20 at 10:21
  • thanks for your answers dude, you resolved my issue completely, if you had time i will be happy to edit your answer to more complete version, anyway thank you – Sobhan Aug 26 '20 at 05:00
  • Updated. Added couple of words regarding certificate pinning. – Alexey R. Aug 26 '20 at 11:55