1 (edited by bluscape 2023-06-21 08:35:25)

Topic: How to convert certificates (crt and key) to an array for cert.h

I have crt and key files that I would like to place in an array in cert.h such that they can be loaded into a buffer.
I guess I can write some software to do this, but:

1.) Is there a method (OpenSSL) or a tool that can already do this (I'm on a Windows machine)?
2.) If so, how do I do it?

I'm using two-way SSL authentication and have the following certificates and keys: ca.crt, client.crt and client.key

3.) How do I load and use all 3 files for two way authentication?


Re: How to convert certificates (crt and key) to an array for cert.h

Hello bluscape,

my name is Anthony and I am a member of the wolfSSL team. Please have a look at https://github.com/wolfSSL/wolfssl/blob … /dertoc.pl which comes with wolfSSL. It's a great utility script for converting der files into arrays which can then be embedded into your source code.

Once you have them embedded into your application you can use the following APIs to pass them to wolfSSL:

wolfSSL_CTX_load_verify_buffer
wolfSSL_use_certificate_chain_buffer
wolfSSL_CTX_use_certificate_chain_buffer
wolfSSL_use_PrivateKey_buffer
wolfSSL_CTX_use_PrivateKey_buffer

Warm regards, Anthony


3 (edited by bluscape 2023-06-21 12:46:16)

Re: How to convert certificates (crt and key) to an array for cert.h

Thanks for the reply. Like I mentioned, my files are still in crt and key format.

It seems like I first need to convert my crt and key files to pem files.
And then convert the pem files to der files.

I've converted my crt and key files to pem files using:

openssl x509 -in cert.crt -out cert.pem

But when comparing my files to your example pem files, your pem files have some additional information which mine do not have.

My pem files only contain the certificate whereas yours have a large header with other info:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:75:3b:39:ad:1f:53:d1:85:3b:05:3b:11:62:4f:dc:7b:11:72:11
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
        Validity
            Not Before: Dec 16 21:17:49 2022 GMT
            Not After : Sep 11 21:17:49 2025 GMT
        Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting_1024, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:cd:ac:dd:47:ec:be:b7:24:c3:63:1b:54:98:79:
                    e1:c7:31:16:59:d6:9d:77:9d:8d:e2:8b:ed:04:17:
                    b2:c6:eb:e4:9b:91:be:31:50:62:97:58:b5:7f:29:
                    de:b3:71:24:0b:bf:97:09:7f:26:dc:2d:ec:a8:2e:
                    b2:64:2b:7a:2b:35:19:2d:a2:80:cb:99:fd:94:71:
                    1b:23:8d:54:db:2e:62:8d:81:08:2d:f4:24:72:27:
                    6c:f9:c9:8e:db:4c:75:ba:9b:01:f8:3f:18:f4:e6:
                    7f:fb:57:94:92:cc:88:c4:b4:00:c2:aa:d4:e5:88:
                    18:b3:11:2f:73:c0:d6:29:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8
            X509v3 Authority Key Identifier: 
                keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8
                DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
                serial:0E:75:3B:39:AD:1F:53:D1:85:3B:05:3B:11:62:4F:DC:7B:11:72:11

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:example.com, IP Address:127.0.0.1
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         b8:80:bf:b2:f5:83:95:51:81:6a:7e:41:87:29:d7:c3:c9:c6:
         9b:60:e4:65:a1:04:97:1d:1b:3b:e9:27:fa:43:d6:89:6a:3c:
         9e:bf:28:d1:75:37:21:f3:0d:64:17:b2:a3:2d:83:52:ff:57:
         f0:42:a9:48:aa:d8:84:ea:0d:80:05:71:0a:aa:23:b4:6c:c6:
         d6:7f:13:4a:f4:82:b9:e2:81:ae:46:8c:59:fb:c3:8c:6d:5b:
         f3:32:ec:86:f0:6e:da:2a:78:ab:f2:36:fb:48:fa:74:09:0e:
         19:c2:bf:eb:cc:fb:a9:05:c1:c9:e1:ab:8b:79:f6:f1:ad:4a:
         9f:aa

How do I get this additional info into my pem files?
Or is this additional info not necessary?


Re: How to convert certificates (crt and key) to an array for cert.h

Ok. So I removed the header section from your example pem file and converted it to a der file and it produced the same result as when it had the header. So it seems like the header is not used.

I've converted your example certificate file and got the same results using:

openssl x509 -inform pem -in Certificate.pem -outform der -out Certificate.der

But when I convert your example key file I do not get the same results. I'm using:

openssl rsa -inform pem -in PrivateKey.pem -outform der -out PrivateKey.der

Are there any other parameters that I'm missing to produce the same result for the key file?

Here are the results for converting your example key.pem file:

The pem.key file:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

My conversion result (key.der):

Your example key.der:


Re: How to convert certificates (crt and key) to an array for cert.h

Ok. I managed to resolve the key conversion as well. Instead of using:

openssl rsa -inform pem -in PrivateKey.pem -outform der -out PrivateKey.der

I'm now using:

openssl pkey -inform pem -in PrivateKey.pem -outform der -out PrivateKey.der

This produces the same results as your example key.der files.

Now to convert it to an array and test!

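The conversion steps worked through in the posts above, as an added Python example that is not part of the thread and is not wolfSSL's dertoc.pl: it takes the DER out of a PEM file with or without the text header, reports whether an RSA key DER is a bare PKCS#1 RSAPrivateKey or a PKCS#8 PrivateKeyInfo wrapper (one way two conversions of the same key end up with different bytes), and renders the bytes as a C array. All function names, the array name and the array layout are choices made for this example.

```python
import base64
import re

# One PEM block; text outside the markers (e.g. an `openssl x509 -text` dump) is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER TLV of the rsaEncryption OID

def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)

def read_tlv(der, pos=0):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(der):
        raise ValueError("truncated DER")
    tag, first, pos = der[pos], der[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the count of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    if pos + length > len(der):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_key_container(der):
    """Classify an unencrypted RSA private key DER: 'PKCS#1', 'PKCS#8' or 'unknown'."""
    tag, start, _ = read_tlv(der)
    vtag, _, v_end = read_tlv(der, start)   # both forms begin with an INTEGER version
    if tag != 0x30 or vtag != 0x02:
        return "unknown"
    nxt, a_start, a_end = read_tlv(der, v_end)
    if nxt == 0x02:                          # RSAPrivateKey: the modulus INTEGER follows
        return "PKCS#1"
    if nxt == 0x30 and der[a_start:a_end].startswith(RSA_OID):
        return "PKCS#8"                      # PrivateKeyInfo: AlgorithmIdentifier follows
    return "unknown"

def der_to_c_array(name, der, per_line=12):
    """Render der as a C array plus size constant (layout is this example's choice)."""
    body = ",\n    ".join(", ".join(f"0x{b:02X}" for b in der[i:i + per_line])
                          for i in range(0, len(der), per_line))
    return (f"static const unsigned char {name}[] = {{\n    {body}\n}};\n"
            f"static const int sizeof_{name} = sizeof({name});\n")

if __name__ == "__main__":  # toy PKCS#1-shaped DER constructed for this example, not a real key
    print(der_to_c_array("client_key_der", bytes.fromhex("3006020100020105")))
```

A private key rendered this way sits in the firmware image in cleartext, so anyone who can read the binary can read the key.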

Re: How to convert certificates (crt and key) to an array for cert.h

Hi Bluscape.

Just so you know, we accept certificates in both PEM and DER formats.

Here at wolfSSL we love to know what people are doing with our code.  Can you let me understand a bit about yourself, your project and your goals?  Are you doing this as a member of an academic or commercial organization or is it out of personal interest?

Warm regards, Anthony
