Issue about cer and der of x509 certification


I need to communicate with my trading partner with EDIINT AS1. My trading partner uses Cyclone Interchange 4.2, and I use wM TN 6.1. The issue is that Cyclone needs certification for partners in .cer format, and TN needs .der format.

Using wM CertificateToolkit we can transform a .cer file to a .der file, but I don’t know how to transform a .der file to the .cer file needed by Cyclone.

Somebody said openssl can transform x509 files, including .der and .cer format, but I found it can transform .pem and .der files to each other, but it cannot output a .cer file.

Thanks for any information.

.cer is another extension for binary-encoded x509’s. Just change .der to .cer and you’re done.


Thanks. I just did it like you said, but Cyclone could not import the .cer file. The exception message is “Certificate could not be parsed from file c:\abc.cer.”


Well, then there’s one other option that I know of. You can convert the cert into a base-64 encoded x509–also legit with a .cer extension. There are two ways to do this from a binary x509:

  1. Import the cert into Internet Explorer, then export it as a base-64 encoded x509

  2. Use openSSL to convert to a PEM file, then change the extension to .cer (it’s the same, again).

Hope this helps. If not, I don’t have any other ideas.


Somebody else had told me to do so also. I had tried these two ways, but with no good result.

When I imported the .der or .pem file, IE gives an exception message, “This file type is not recognizable. Select another one.”

When I used the openssl command "x509 -inform DER -in Foxconn.der -outform PEM -out foxconn.pem" to transform .der to .pem, the error message is “unable to load certificate
2444:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\as
2444:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\
2444:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:.
\crypto\asn1\tasn_dec.c:566:Field=cert_info, Type=X509
error in x509”.

I don’t know whether you use webMethods CertificateToolkit. It can generate a private key in a .der file, and then generate a .pem file to send to a CA to get a signed certificate. I am confused about this. And Cyclone is different: it just generates a .cer file, including the public key. I don’t know where the private key is in this .cer file.



Is the file text or binary when you look at it with a text editor?

If it’s binary, then it is likely in DER format. There is no guarantee that a der-encoded file contains a certificate, it’s just a data format. Based on your previous post, it doesn’t look like a binary format certificate.

If it’s text, then maybe you could post the first few lines of it in the forum. You could also just post the file to the forum.
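The text-or-binary check suggested in the reply above can be scripted. This is an added example, not part of the original thread: it tells PEM from DER and then guesses from the first few ASN.1 tags whether the content is a certificate, a CSR or a private key. The function names and the constructed sample bytes are this example's own, and the tag test is a heuristic on the outer structure only.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_der(der):
    """Guess the object type from the tags of the first few DER elements."""
    try:
        tag, outer, _ = read_tlv(der)
        if tag != 0x30:
            return "not a DER SEQUENCE"
        first_tag, first, _ = read_tlv(outer)
        if first_tag == 0x02:  # INTEGER version first: PKCS#1 / PKCS#8 private key
            return "private key"
        if first_tag == 0x30:
            inner_tag, _, nxt = read_tlv(first)
            if inner_tag == 0xA0:  # [0] explicit version: v3 tbsCertificate
                return "certificate"
            if inner_tag == 0x02:  # v1 certificate serial number, or CSR version
                _, second, _ = read_tlv(first, nxt)
                # a cert continues with an AlgorithmIdentifier (OID), a CSR with a Name
                return "certificate" if second[:1] == b"\x06" else "certificate signing request"
        return "unknown DER structure"
    except (ValueError, IndexError):
        return "not valid DER"

def classify(data):  # data: raw bytes of the file, read in binary mode
    m = PEM_RE.search(data)
    if m:  # PEM is the same DER, base64-encoded between BEGIN/END lines
        return "PEM", classify_der(base64.b64decode(m.group(2)))
    return "DER", classify_der(data)

# Constructed skeletons: correct outer tags only, not real keys or certificates.
KEY = bytes.fromhex("3006020100020101")
CERT = bytes.fromhex("300a3008a003020102020101")
CSR = bytes.fromhex("3009300702010030023100")
CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT) + b"-----END CERTIFICATE-----\n"
```

A file that classifies as `("DER", "private key")` is not something `openssl x509 -inform DER` can load, because that command expects a certificate and fails with an ASN.1 "wrong tag" error on anything else.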

Using webMethods CertificateToolkit, the order is:
1) Generate a private key. Here, it is privatekey.der, attached. Then webMethods CertificateToolkit creates a CSR (Certificate Signing Request) file; here it is CSR.pem.

2) Then webMethods CertificateToolkit wants to submit the CSR to the CA by copying and pasting the entire contents of the CSR file to the CA’s website. Here, the CAs are VeriSign and Entrust.

3) Then webMethods CertificateToolkit imports the CA’s response file to generate a cert file. Because I do not have a CA, I don’t know what will be generated. I guess it is a trusted root file.

In fact, when I want to sign a message in webMethods TN, a cert file and a file including a private key should be imported.

The DER file
privateKey.der (0.6 k)

The PEM file
CSR.pem (0.5 k)


By posting the entire privateKey to wmusers, you have effectively compromised that certificate. In public/private key encryption, the private key should remain just that–private, and by posting it, you make it possible for other people to intercept messages routed to you and decrypt them. Tim asked only for the first few lines of the text-format to verify that you were using a valid cert. Were you attempting to import the privateKey into Cyclone, etc.? At this point, you really should probably start over, generate a new private key, a new CSR, and have a new public certificate created by Verisign/Entrust. BTW, if you have an ACTUAL public cert that you got back from a Cert Authority, you can usually open that cert in Windows, examine the certificate chain, and extract the cert authority’s CA Cert. If you can’t use Verisign or Entrust to create a public cert, you can use a tool called OpenSSL to generate it, but that’s out of scope here.

Thanks! Now I know I must have a CA.

I am setting the partner’s public key and the CA’s certificate on the Security tab in the TN profile.
During this job, I got the following error message on the verify tab when I saved the CA’s certificate in the CA Chain setting.
The partner’s Certificate Authority is Trustcenter and the Enterprise’s is VeriSign.

The error message, “Can not set security data for VerifyCertificateSet: certificate not trusted by Integration Server. Please obtain a Certificate from one of the following Certificate Authorities:”, is unexpected for me, because I think that all CAs are available for webMethods TN.

What do I have to do? Should I request my partner to get another certificate which is available in my Integration Server?

<errorid> TRNSERV.000025.000190 </errorid>
<errorlevel> ERROR </errorlevel>
<serverversion> </serverversion>
<servername> </servername>
<serverhostname> </serverhostname>
<clientversion> </clientversion>
<clienthostname> </clienthostname>
<username> </username>
<classname> TNService </classname>
<methodname> invokeService </methodname>
<errortime> Tue May 17 16:01:36 KST 2005 </errortime>
<errortext> Can not set security data for VerifyCertificateSet: certificate not trusted by Integration Server. Please obtain a Certificate from one of the following Certificate Authorities: serialNumber=1918003146,,cn=Franck PALLE,t=Responsable exploitation informatique,ou=DSI,ou=Certificat SociePoste,o=PREMIUM LOGISTICS SERVICES-340333590,c=FR, cn=,,ou=EDV-Abteilung,o=Karl Bermes GmbH und Co KG,l=Willich,st=Germany,c=DE, cn=CertiNomis,ou=AC Racine - Root CA,o=CertiNomis,c=FR,,ou=Geodis Solutions,o=Geodis,l=Clichy,st=Ile-de-France,c=FR,,ou=Member, VeriSign Trust Network,ou=Authenticated by KECA, Inc.,ou=Terms of use at © 04,ou=EIC,o=LG Electronics Services Europe B.V.,l=Almere,c=NL,,cn=Frans Maas CICT,ou=CICT,o=Frans Maas,l=Venlo,st=Limburg,c=NL, ou=Secure Server Certification Authority,o=RSA Data Security, Inc.,c=US, cn=CertiNomis Classe 3,ou=AC Intermediaire - Subsidiary CA,o=CertiNomis,c=FR,,cn=Influe CA 2,ou=INFLUE EDI,o=INFLUE S.I.,l=Suresnes,st=FRANCE,c=FR, Ref. LIABILITY LTD.©97 VeriSign,ou=VeriSign International Server CA - Class 3,ou=VeriSign, Inc.,o=VeriSign Trust Network,,ou=Member, VeriSign Trust Network,ou=Authenticated by VeriSign,ou=Terms of use at © 03,ou=Reims,o=NYK LOGISTICS (UK) CONSUMER AND RETAIL LIMITED,l=Northampton,st=Northamptonshire,c=GB, ou=For VeriSign authorized testing only. No assurances ©VS1997, Incorp. By Ref. Liab. LTD.,o=VeriSign, Inc,,street=2324 GATEWAY DR.,t=BTRADE SECURITY ADMINISTRATOR,cn=SECOFR,ou=BTRADE,o=BTRADE SECOFR,l=IRVING,st=TX,c=US,,ou=CICT,o=Koninklijke Frans Maas Groep N.V.,l=Venlo,st=Limburg,c=NL, ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US