openssl certificate chain lost when converting from pem to der
You cannot have DER encoded chains by concatenating them the way you can with PEM format.
A chain in a binary format would be in PKCS#7 format. To convert a PEM chain to PKCS#7, use:
openssl crl2pkcs7 -nocrl -certfile fullchain.pem -out fullchain.p7b
Then, to see the contents:
openssl pkcs7 -in fullchain.p7b -print_certs -noout
Add -text to see all the certificate details.
If the input PEM file also contained a private key, a better format would be PKCS#12, as this format can be secured with a passphrase.
Author: ArticIceJuice
Updated on September 18, 2022
Comments
-
ArticIceJuice over 1 year
I have a certificate chain in .pem format from Letsencrypt, called fullchain.pem
It has 2 certificates in the chain:
keytool -printcert -v -file fullchain.pem | grep "Certificate fingerprints" | wc -l
2
When I convert it to .der using
openssl x509 -in fullchain.pem -out cert.der -outform DER
it only exports the last one:
keytool -printcert -v -file cert.der | grep "Certificate fingerprints" | wc -l
1
Is this a bug in openssl? Am I missing a param?
-
dave_thompson_085 over 6 years
openssl x509 processes only the first cert in the input file and ignores any additional ones. You need to split 'fullchain' up and process each cert separately. See serverfault.com/questions/391396/how-to-split-a-pem-file and serverfault.com/questions/590870/…
-
ArticIceJuice over 6 years
Thanks, it clarified the issue. I wonder why openssl doesn't emit any warnings about this.
-
ArticIceJuice over 6 years
Great! This also solves it.
-
ArticIceJuice over 6 years
Btw, they say it is actually possible to concatenate .der certificates to import them later, see this Java snippet gist.github.com/spicydog/84fa0e74d8524fba1fbb
-
garethTheRed over 6 years
@ArticIceJuice - I think you may well be correct :-) generateCertificates accepts a stream of DER encoded certs. As I can't find a standard that defines certificate chains, this may well be implementation specific.
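The thread makes two points worth checking on your own files: openssl x509 silently keeps a single certificate, and a concatenated DER stream is parseable only because every DER certificate is a self-delimiting SEQUENCE (tag 0x30 followed by its own length). The script below is an added example, not code from the answer, the commenters or the linked gist. It counts the certificates in either a PEM bundle or a concatenated DER blob by walking the DER tag/length headers, so you can confirm how many certificates actually survived a conversion. The sample inputs are constructed DER SEQUENCEs standing in for real certificates (the outer structure is the same, the contents are not a certificate); file names are whatever you pass on the command line.

```python
import base64
import re
import sys

# Constructed samples (not real certificates): two top-level DER SEQUENCEs,
# one with a short-form length and one with a long-form (0x81 xx) length.
SAMPLE_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])                    # SEQUENCE { INTEGER 5 }
SAMPLE_LONG = bytes([0x30, 0x81, 0xC8, 0x04, 0x81, 0xC5]) + b"A" * 0xC5  # SEQUENCE of 200 bytes


def der_length(buf, pos):
    """Parse a DER length at buf[pos]; return (content_length, header_bytes)."""
    first = buf[pos]
    if first < 0x80:                    # short form: one byte holds the length
        return first, 1
    num = first & 0x7F                  # long form: low bits = number of length bytes
    if num == 0 or num > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if pos + 1 + num > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[pos + 1:pos + 1 + num], "big"), 1 + num


def split_der_stream(buf):
    """Split a blob of back-to-back DER certificates into one bytes object per cert.

    Each X.509 certificate is a top-level SEQUENCE, so the outer length header tells
    us exactly where the next certificate starts; no separator is needed or present.
    """
    certs = []
    pos = 0
    while pos < len(buf):
        if buf[pos] != 0x30:
            raise ValueError(f"expected SEQUENCE (0x30) at offset {pos}, got 0x{buf[pos]:02x}")
        length, hdr = der_length(buf, pos + 1)
        end = pos + 1 + hdr + length
        if end > len(buf):
            raise ValueError(f"certificate at offset {pos} is truncated")
        certs.append(buf[pos:end])
        pos = end
    return certs


PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_certs(data):
    """Return a list of DER certificates from a PEM bundle or a concatenated DER blob."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        # PEM: each armored block is base64 of one DER certificate.
        return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_BLOCK.finditer(data)]
    return split_der_stream(data)


def to_pem(der):
    """Wrap one DER blob in PEM armor (used here to build a constructed bundle)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed two-"certificate" PEM bundle, mirroring a fullchain.pem layout.
CONSTRUCTED_PEM = (to_pem(SAMPLE_SHORT) + to_pem(SAMPLE_LONG)).encode()


if __name__ == "__main__":
    # Usage: python count_certs.py fullchain.pem   (or cert.der, or a concatenated DER file)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_PEM
    certs = load_certs(data)
    print(f"{len(certs)} certificate(s)")
    for i, c in enumerate(certs):
        print(f"  #{i}: {len(c)} bytes DER")
```

Run it against fullchain.pem and then against the cert.der produced by openssl x509: the first reports 2, the second 1, which is the loss the question describes. The truncation check matters in practice: if a DER file is cut short, the walker refuses it rather than reporting a plausible but wrong count.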