4

I have a certificate chain in .pem format from Let's Encrypt, called fullchain.pem

It has 2 certificates in the chain:

keytool -printcert -v -file fullchain.pem |grep "Certificate fingerprints" |wc -l
2

When I convert it to .der using

openssl x509 -in fullchain.pem -out cert.der -outform DER

it only exports the last one

keytool -printcert -v -file cert.der |grep "Certificate fingerprints" |wc -l
1

is this a bug in openssl? Am I missing a param?

ArticIceJuice
    `openssl x509` processes only the first cert in the input file and ignores any additional ones. You need to split 'fullchain' up and process each cert separately. See https://serverfault.com/questions/391396/how-to-split-a-pem-file and https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle – dave_thompson_085 Aug 31 '17 at 19:33
  • Thanks, it clarified the issue. I wonder why openssl doesn't emit any warnings about this. – ArticIceJuice Sep 01 '17 at 05:13

1 Answer

7

You cannot have DER encoded chains by concatenating them the way you can with PEM format.

A chain in a binary format would be in PKCS#7 format. To convert a PEM chain to PKCS#7, use:

openssl crl2pkcs7 -nocrl -certfile fullchain.pem -out fullchain.p7b

Then, to see the contents:

openssl pkcs7 -in fullchain.p7b -print_certs -noout

Add -text to see all the certificate details.

If the input PEM file also contained a private key, a better format would be PKCS#12, as this format can be secured with a passphrase.

garethTheRed
  • Great! This also solves it. – ArticIceJuice Sep 01 '17 at 05:21
  • Btw, they say it is actually possible to concatenate .der certificates to import them later, see this Java snippet https://gist.github.com/spicydog/84fa0e74d8524fba1fbb – ArticIceJuice Sep 01 '17 at 05:43
  • @ArticIceJuice - I think you may well be correct :-) [generateCertificates](https://docs.oracle.com/javase/7/docs/api/java/security/cert/CertificateFactory.html#generateCertificates(java.io.InputStream)) accepts a stream of DER encoded certs. As I can't find a standard that defines certificate chains, this may well be implementation specific. – garethTheRed Sep 01 '17 at 10:04
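The following POSIX shell script is an added example, not code from the question, the answer or the comments above. It puts the two approaches from the thread side by side: splitting the PEM chain and running `openssl x509` on each block to get one DER file per certificate (the comment's suggestion), and bundling the whole chain as PKCS#7 with `openssl crl2pkcs7` (the answer's suggestion). It assumes the `openssl` CLI is on PATH together with a POSIX sh, awk and grep. Because the page gives no certificate data, the script constructs its own two-certificate chain (a throwaway CA and a leaf it signs) in a temporary directory; with a real Let's Encrypt fullchain.pem you would skip `make_test_chain` and point the other functions at that file. The `-outform DER` on `crl2pkcs7` and the file names `cert-01.pem`, `cert-01.der`, `fullchain.p7b` and `chain.der` are this example's choices, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the original question, answer or comments).
# Assumes: the openssl CLI on PATH, a POSIX sh, awk and grep.
set -eu

# Build a constructed two-certificate chain (leaf signed by a throwaway CA)
# so the script runs offline. With a real fullchain.pem, skip this step.
make_test_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    # Same layout as a Let's Encrypt fullchain.pem: leaf first, then the issuer.
    cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
}

# Number of PEM certificate blocks in a file.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# What 'openssl x509' alone does with a chain: it reads only the first block.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Split a PEM chain into cert-01.pem, cert-02.pem, ... and convert each to DER,
# which is the per-certificate conversion the question was trying to do.
split_pem_chain() {
    chain=$1; outdir=$2
    awk -v out="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", out, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$chain"
    for pem in "$outdir"/cert-*.pem; do
        openssl x509 -in "$pem" -outform DER -out "${pem%.pem}.der"
    done
}

# Number of DER files produced by split_pem_chain.
count_der_files() {
    n=0
    for der in "$1"/cert-*.der; do
        [ -f "$der" ] && n=$((n + 1))
    done
    echo "$n"
}

# Bundle the whole chain as a binary (DER-encoded) PKCS#7 file.
pem_to_pkcs7() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER -out "$2"
}

# Number of certificates inside a DER-encoded PKCS#7 bundle
# (-print_certs emits one "subject=" line per certificate).
count_pkcs7_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c -e '^subject='
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_test_chain "$work"
echo "PEM blocks in fullchain.pem: $(count_pem_certs "$work/fullchain.pem")"
echo "openssl x509 sees only:      $(first_cert_subject "$work/fullchain.pem")"
split_pem_chain "$work/fullchain.pem" "$work"
echo "DER files after splitting:   $(count_der_files "$work")"
pem_to_pkcs7 "$work/fullchain.pem" "$work/fullchain.p7b"
echo "certs in fullchain.p7b:      $(count_pkcs7_certs "$work/fullchain.p7b")"
# Plain concatenation of the DER files, the form the last comment says
# Java's CertificateFactory.generateCertificates accepts.
cat "$work"/cert-*.der > "$work/chain.der"
rm -rf "$work"
```

The awk split keeps only the lines between `BEGIN CERTIFICATE` and `END CERTIFICATE`, so comments or blank lines between blocks in the bundle do not end up in the per-certificate files. `openssl x509 -outform DER` then writes exactly one certificate per output file, which is why the counts agree: two PEM blocks in, two DER files out, and two certificates inside the PKCS#7 bundle.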