can repository reliably convert between PEM and DER?


can repository reliably convert between PEM and DER?

Bear Giles
[I'm not sure if this goes into -users or -dev since the implementation
uses the openssl library, not the command-line tools.]

Can a certificate repository freely convert between PEM and DER formats?
I thought they were simple transcriptions, but I'm not sure since I'm
having problems with a trusted cert PEM -> DER -> PEM translation.  Maybe
I'm just missing a function that tells me whether the X509 object is
trusted and should use the trusted output function?

There are two reasons for the question.  The first is simple consistency
-- the software can be a lot simpler and more reliable if it knows that
everything is stored in a single format.

The second is efficiency -- a DER certificate takes up less physical space
and that can have an effect on paging performance.  (Obviously the sheer
number of certs won't be a problem for anyone other than major CAs.)  On
the other hand the cost of translating from DER to PEM for 99% of all
requests may offset any gains from fitting an extra cert or two into each
page.

(FWIW this question relates to a user-defined type in a relational
database, not individual files or a Berkeley DB file.)

Bear

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: can repository reliably convert between PEM and DER?

Richard Salz
> Can a certificate repository freely convert between PEM and DER formats?


Yes, they are simple transcriptions, so something else is going on.

        /r$

--
SOA Appliances
Application Integration Middleware


Re: can repository reliably convert between PEM and DER?

Bear Giles
>> Can a certificate repository freely convert between PEM and DER formats?
>
> Yes, they are simple transcriptions, so something else is going on.

IIRC the 'trusted' tag on some certs was getting lost when converted back
to PEM.  But it's been a while and could easily have been a problem between
seat and keyboard.

Bear
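
An added example, not part of the thread and not OpenSSL code: PEM is Base64-armoured DER, so a plain certificate survives PEM -> DER -> PEM byte for byte, while an OpenSSL "TRUSTED CERTIFICATE" block carries the certificate DER followed by an auxiliary trust-settings structure that is lost if a store keeps only the certificate. The helper names and the `CERT`/`AUX` byte strings are constructed stand-ins, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(pem):
    """Return (label, der_bytes) for the first PEM block in the text."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_to_pem(label, der):
    """Armour DER bytes as PEM under the given label, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def first_element_len(der):
    """Total length (header plus content) of the first DER element in der."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def split_trusted(der):
    """Split a decoded PEM body into (certificate DER, trailing aux bytes)."""
    n = first_element_len(der)
    if n > len(der):
        raise ValueError("truncated DER")
    return der[:n], der[n:]

def roundtrip(pem, keep_aux):
    """PEM -> stored DER -> PEM; keep_aux=False stores only the certificate."""
    label, der = pem_to_der(pem)
    cert, aux = split_trusted(der)
    if aux and not keep_aux:
        return der_to_pem("CERTIFICATE", cert)   # trust settings are gone
    return der_to_pem(label, der)

# Constructed stand-ins, not real certificates or real trust settings.
CERT = b"\x30\x81\xcb\x04\x81\xc8" + bytes(200)  # SEQUENCE { OCTET STRING }
AUX = bytes.fromhex("3003020102")                # SEQUENCE { INTEGER 2 }
PLAIN = der_to_pem("CERTIFICATE", CERT)
TRUSTED = der_to_pem("TRUSTED CERTIFICATE", CERT + AUX)
```

A repository that wants a single storage format can keep the whole decoded body together with its PEM label, which is what `keep_aux=True` models here.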
