61

On Ubuntu, I cannot convert certificate using openssl successfully.

```
vagrant@dev:/vagrant/keys$ openssl pkcs7 -print_certs -in a.p7b -out a.cer
unable to load PKCS7 object <blah blah>:PEM
routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: PKCS7
```

Have you seen this error before?

Kevin Meredith

9 Answers

78

Try this:

```
$ openssl pkcs7 -inform der -in a.p7b -out a.cer
```

If it doesn't work, bring it to a Windows machine and export it following this guide.

quanta
  • 14
    Note that the OP had the parameter `-print_certs` in its command. It impacts the output format: with it you get a PEM format (starting with -----BEGIN CERTIFICATE-----), and without it you get a PKCS#7 format (-----BEGIN PKCS7-----) – Sylvain B Mar 14 '18 at 16:36
  • This only works if I drop the `-inform der` part. Note also that while exporting a key from Windows Cert Manager, DER and P7B are two distinct options. – jpaugh Oct 17 '19 at 20:03
  • 2
    If you can open the p7b with a text editor and see `----- BEGIN PKCS7 -----` then you have a PEM-formatted p7b. In this case, you don't want to use `-inform der` because that tells openssl to expect a binary file, but this is in text (base64) format. You can read more about the differences between PEM and DER [here](https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem). – Rex Linder Mar 10 '21 at 21:49
  • This is the accepted answer, but it is *wrong*, as Sylvain B explains. Apparently this changed in newer versions of `openssl`. Shall we edit it? – reinierpost Jun 23 '22 at 08:33
37

So to combine the above answers, the command is:

```
openssl pkcs7 -in cert.p7b -inform DER -print_certs -out cert.pem
```

Verified to be working on Windows, using OpenSSL-Win64

/Thanks Bogdan for spotting the error

10

I followed this guide that instructs you to change the header/footer lines from

```
-----BEGIN PKCS #7 SIGNED DATA-----
[data]
-----END PKCS #7 SIGNED DATA-----
```

to

```
-----BEGIN CERTIFICATE-----
[data]
-----END CERTIFICATE-----
```

Then run the command `openssl pkcs7 -in foo.modified.crt -print_certs -out foo.certs` (where `foo.modified.crt` is the file that you saved the modified version into). This gave me the same results as running through a Windows certificate export as suggested in other answers.

Curtis Gibby
7

As far as I know, the following should convert a pkcs7 cert to a pem

```
openssl pkcs7 -in certificate_file.p7b -print_certs -out cert.pem
```

Giuseppe Urso
4

Quick solution in my case (a lot of files with missing header/footer):

```
base64 -d "$FILE" | openssl pkcs7 -inform DER -print_certs
```

Cerber
  • 2
    I had a base64 encoded certificate and I knew nothing more about it and the base64 -d command saved me a lot of trouble. This solution should be more readily available in search results. Thank you! –  Mar 21 '17 at 08:49
  • You just saved a man from suicide – Abdul Saleem Nov 20 '20 at 08:36
2

```
# Decode base64 encoded string into DER-encoded binary
base64 --decode signature > signature.cer
# Convert DER-encoded binary to PEM-encoded P7B
openssl pkcs7 -inform der -in signature.cer -out signature.p7b
# Convert PEM-encoded P7B to PEM-encoded CRT
openssl pkcs7 -print_certs -in signature.p7b -out signature.crt

# OR: Convert DER-encoded binary to PEM-encoded CRT
openssl pkcs7 -print_certs -inform der -in signature.cer -out signature.crt
```

```
# signature.p7b
-----BEGIN PKCS7-----
[...]
-----END PKCS7-----
```

```
# signature.crt
subject=[...]
issuer=[...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
```

```
# Read contents in PEM-encoded CRT
keytool -printcert -file signature.crt
```

brucify
2

I had this problem too. I was going to verify a p7b file I copied from a Win7 host.

I found out that GNOME Keyring can import the certificate. From there it's easy to export to DER.

Joakim
0

```
openssl pkcs7 -print_certs -in intermediates.p7b -out intermediates.cer
```

My source file was in text with -----BEGIN PKCS7----- as the header... This method worked for me while others did not.

Mark
0

If you get the following error:

```
unable to load PKCS7 object
140368561349952:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: PKCS7
```

make sure the content of the p7b is in the format below (`-----BEGIN PKCS7-----` and `-----END PKCS7-----` on separate lines).

Before:

```
-----BEGIN PKCS7-----CONTENT-----END PKCS7-----
```

After:

```
-----BEGIN PKCS7-----
CONTENT
-----END PKCS7-----
```

Converting from P7B to PFX format:

```
openssl pkcs7 -print_certs -in domain.p7b -out domain.cer

openssl pkcs12 -export -out domain.pfx -in domain.cer -inkey domain.key -passout pass:REAL_PASSWORD
```

mforsetti
  • If you have a new question, please ask it by clicking the [Ask Question](https://serverfault.com/questions/ask) button. Include a link to this question if it helps provide context. - [From Review](/review/late-answers/522180) – djdomi Jun 10 '22 at 18:31
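
The answers above differ mainly in which encoding they assume for the `.p7b` file. The script below is an added example, not taken from any of the posts: it inspects the file and then runs the matching command from the answers. The function names and the two-byte DER check (an ASN.1 SEQUENCE tag `30` followed by a length byte `80` to `84`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: choose the openssl invocation from how the .p7b is encoded.

# Hex of the first two bytes on stdin, e.g. "3082".
first2() { head -c 2 | od -An -tx1 | tr -d ' \n'; }

# Print pem, pem-unwrapped, der, base64 or unknown for the file in $1.
p7b_format() {
    if grep -q '^-----BEGIN PKCS7-----[[:space:]]*$' "$1"; then
        echo pem                      # header alone on its line
    elif grep -q -e '-----BEGIN PKCS7-----' "$1"; then
        echo pem-unwrapped            # header and body share one line
    else
        # Assumption: DER starts with SEQUENCE (0x30) and a length byte 0x80-0x84.
        case $(first2 < "$1") in
            308[0-4]) echo der; return ;;
        esac
        # Bare base64 with no header/footer decodes to the same DER prefix.
        case $(base64 -d "$1" 2>/dev/null | first2) in
            308[0-4]) echo base64 ;;
            *)        echo unknown ;;
        esac
    fi
}

# Write the certificates in $1 to $2 as PEM.
p7b_to_pem() {
    src=$1 dst=$2
    case $(p7b_format "$src") in
        pem)    openssl pkcs7 -print_certs -in "$src" -out "$dst" ;;
        der)    openssl pkcs7 -inform DER -print_certs -in "$src" -out "$dst" ;;
        base64) base64 -d "$src" |
                    openssl pkcs7 -inform DER -print_certs -out "$dst" ;;
        pem-unwrapped)
            echo "$src: put the BEGIN/END PKCS7 lines on their own lines" >&2
            return 1 ;;
        *)  echo "$src: not a recognised PKCS#7 encoding" >&2
            return 1 ;;
    esac
}

# Usage: sh p7b2pem.sh in.p7b out.pem
if [ "$#" -eq 2 ]; then
    p7b_to_pem "$1" "$2"
fi
```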