Tags: c#, c++, libcrypto

SSL Certificate Format


I'm starting some C++ programming to read certificates with libcrypto (OpenSSL) and I'm curious about the format of a certificate ("crt" or "cert") file.

In the file, when I look at it with a text editor, there are multiple certificate sections like so:

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXX
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
YYYYYYYYYYYY
-----END CERTIFICATE-----

When I look at this certificate in Windows (simply by double-clicking the ".crt" file), it shows only a single entry in the certificate path. Is there some defined order to what these certificate sections are?

And on a side note, when I use C# to read the certificate like such:

X509Certificate2 cert = new X509Certificate2(@"E:\somePath\device.crt");
var bytes = cert.GetRawCertData();
string temp = Convert.ToBase64String(bytes);

The variable temp only contains the data from the first begin/end section in the file. That is, temp contains "XXXXXXXXXXXX".

Also the certificate is a client certificate.

So I'm curious: What are the two "certificates" in the one file?

Thanks!


Solution

  • In normal cases, a .crt file contains just one certificate. However, in some contexts, some applications may allow a file to contain multiple certificates.

    For example, some applications may expect that a file contains all or some certificates of a certificate chain. However, in typical cases, such a file has .p12 (PKCS#12) or .pfx as its extension.

    [Figure: certificate chain]

    The extension .crt indicates that the content of the file is a certificate, but the extension does not tell anything about the file format. The file format may be PEM (Privacy-Enhanced Mail) (RFC 7468), DER (Distinguished Encoding Rules) (X.690) or something else. If the file's content is text data and contains -----BEGIN ?????----, the file format is PEM. On the other hand, if the file contains binary data, it is highly likely that the file format is DER.

    Diagrams below from "Illustrated X.509 Certificate" illustrate the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).

    [Figures: relationship among ASN.1, DER, BASE64 and PEM; relationship among ASN.1, DER, BASE64 and PEM (application to X.509 Certificate)]

    I guess that the .crt file at hand represents all or part of a certificate chain.
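The relationship the answer describes (PEM text wrapping base64, base64 wrapping DER, one DER SEQUENCE per "-----BEGIN CERTIFICATE-----" block) can be made concrete with a small standalone C++ program. This is an added example, not code from the question, the answer, or OpenSSL: it splits a PEM file into all of its CERTIFICATE blocks, base64-decodes each one, and checks that the result is a well-formed DER SEQUENCE header (tag 0x30 with a length that matches the data), which is the same byte string the asker's C# GetRawCertData() returns for the first block only. The sample PEM text is constructed for this example: its payloads are tiny DER SEQUENCEs, not real certificates, so the program runs offline without any library; a real .crt would carry a full X.509 Certificate in each block. The function names (pem_bodies, base64_decode, is_der_sequence, pem_to_der_list) are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample: two PEM blocks whose payloads are minimal DER SEQUENCEs
// (not real certificates). A real .crt holds one X.509 Certificate per block,
// typically the end-entity certificate first and the issuing CAs after it.
const std::string kSamplePem =
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"                   // SEQUENCE { INTEGER 5 }
    "-----END CERTIFICATE-----\n"
    "\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAYCAQcCAQk=\n"               // SEQUENCE { INTEGER 7, INTEGER 9 }
    "-----END CERTIFICATE-----\n";

// Split PEM text into the base64 bodies of every block carrying `label`
// (RFC 7468 encapsulation boundaries). Blocks with other labels are skipped.
std::vector<std::string> pem_bodies(const std::string& text, const std::string& label) {
    const std::string begin = "-----BEGIN " + label + "-----";
    const std::string end = "-----END " + label + "-----";
    std::vector<std::string> bodies;
    std::istringstream in(text);
    std::string line, body;
    bool inside = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF files
        if (line == begin) { inside = true; body.clear(); continue; }
        if (line == end) { if (inside) bodies.push_back(body); inside = false; continue; }
        if (inside) body += line;  // base64 is wrapped at 64 columns; join the lines
    }
    return bodies;  // a BEGIN without a matching END is dropped, not returned half-read
}

// Decode RFC 4648 base64. Returns an empty vector on any non-alphabet character.
std::vector<unsigned char> base64_decode(const std::string& s) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::vector<unsigned char> out;
    uint32_t acc = 0;
    int bits = 0;
    for (char c : s) {
        if (c == '=') break;  // padding: no more data bits follow
        std::size_t v = alphabet.find(c);
        if (v == std::string::npos) return {};
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<unsigned char>((acc >> bits) & 0xFF));
        }
    }
    return out;
}

// Check the DER outer header: an X.509 Certificate is a SEQUENCE (tag 0x30) whose
// encoded length (X.690 short or long form) must cover exactly the bytes that follow.
bool is_der_sequence(const std::vector<unsigned char>& der) {
    if (der.size() < 2 || der[0] != 0x30) return false;
    std::size_t len = der[1], hdr = 2;
    if (der[1] & 0x80) {  // long form: low 7 bits give the number of length octets
        std::size_t n = der[1] & 0x7F;
        if (n == 0 || n > 4 || der.size() < 2 + n) return false;
        len = 0;
        for (std::size_t i = 0; i < n; ++i) len = (len << 8) | der[2 + i];
        hdr = 2 + n;
    }
    return hdr + len == der.size();  // rejects truncated or trailing-garbage blocks
}

// Every CERTIFICATE block in the file as DER bytes, i.e. what OpenSSL's d2i_X509()
// or .NET's X509Certificate2 would consume. Malformed blocks are skipped.
std::vector<std::vector<unsigned char>> pem_to_der_list(const std::string& text) {
    std::vector<std::vector<unsigned char>> certs;
    for (const std::string& body : pem_bodies(text, "CERTIFICATE")) {
        std::vector<unsigned char> der = base64_decode(body);
        if (is_der_sequence(der)) certs.push_back(der);
    }
    return certs;
}

int main() {
    std::vector<std::vector<unsigned char>> certs = pem_to_der_list(kSamplePem);
    std::printf("%zu CERTIFICATE block(s) in file\n", certs.size());
    for (std::size_t i = 0; i < certs.size(); ++i)
        std::printf("  block %zu: %zu DER bytes\n", i, certs[i].size());
    return 0;
}
```

In the asker's libcrypto program the equivalent of this loop is calling PEM_read_bio_X509() repeatedly on the same BIO until it returns NULL; each call consumes one block, which is why a single call (like the single X509Certificate2 constructor in the C# snippet) yields only the first certificate. Keeping the header check strict matters for the chain case: a truncated or edited block should be rejected at parse time rather than silently becoming a "certificate" with the wrong length.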