How to dump all certificates from a file?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

How to dump all certificates from a file?

Nan Xiao
Hi OpenSSL users,

Greetings from me! By default openssl-x509 can only dump one
certificate from the file:

# openssl x509 --in /etc/ssl/cacert.pem --text --noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            84:82:2c:5f:1c:62:d0:40
        Signature Algorithm: sha256WithRSAEncryption
......

I checked the code
(https://github.com/openssl/openssl/blob/493e78986f9677c2b321273da51c276b9a8182d8/apps/lib/apps.c#L945):
it seems openssl-x509 only dumps the first valid one. I also went
through the manual
(https://www.openssl.org/docs/man1.1.1/man1/openssl-x509.html), and
can't find a method to dump all certificates.

Could anyone give some clues in dumping all certificates from a file?
Thanks very much in advance!

Best Regards
Nan Xiao
Reply | Threaded
Open this post in threaded view
|

Re: How to dump all certificates from a file?

Viktor Dukhovni
On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:

> Greetings from me! By default openssl-x509 can only dump one
> certificate from the file:

By "a file" you clearly mean a "PEM file" with one or more certificates
exclosed in "-----BEGIN ...".."-----END ..." delimiters.  With that
proviso, the command in question is:

    openssl crl2pkcs7 -nocrl -certfile somefile.pem |
        opessl pkcs7 -print_certs -text

The output format can be tweaked slightly, though not quite as much as
will "openssl x509".  See the pkcs7(1) manpage for details.

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: How to dump all certificates from a file?

Nan Xiao
Hi Viktor,

> By "a file" you clearly mean a "PEM file" with one or more certificates
exclosed in "-----BEGIN ...".."-----END ..." delimiters.

Yes, this is what I mean.

> openssl crl2pkcs7 -nocrl -certfile somefile.pem |
        opessl pkcs7 -print_certs -text

Works like a charm! Thanks very much for your time and quick response!

Best Regards
Nan Xiao

On Wed, Apr 7, 2021 at 10:46 AM Viktor Dukhovni
<[hidden email]> wrote:

>
> On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:
>
> > Greetings from me! By default openssl-x509 can only dump one
> > certificate from the file:
>
> By "a file" you clearly mean a "PEM file" with one or more certificates
> exclosed in "-----BEGIN ...".."-----END ..." delimiters.  With that
> proviso, the command in question is:
>
>     openssl crl2pkcs7 -nocrl -certfile somefile.pem |
>         opessl pkcs7 -print_certs -text
>
> The output format can be tweaked slightly, though not quite as much as
> will "openssl x509".  See the pkcs7(1) manpage for details.
>
> --
>     Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: How to dump all certificates from a file?

David von Oheimb-2
I also had this problem several years back but did not find the nifty
though counter-intuitive workaround using cr2pkcs7 given below.

Since then I've been using a Perl script like this:

> #!/usr/bin/perl
> $/ = '-----END CERTIFICATE-----';
> while(<>) {
>     if(m|$/|s) {
>         print STDERR "########## $ARGV ##########\n";
>         system "echo '$_' | openssl x509 -noout -text";
>     }
> }

which unfortunately does not work with "TRUSTED CERTIFICATE".

I think the x509 command should be extended to print all certs.

        David

On 7 April 2021 04:58:38 CEST, Nan Xiao <[hidden email]> wrote:

> Hi Viktor,
>
> > By "a file" you clearly mean a "PEM file" with one or more certificates
> exclosed in "-----BEGIN ...".."-----END ..." delimiters.
>
> Yes, this is what I mean.
>
> > openssl crl2pkcs7 -nocrl -certfile somefile.pem |
>         opessl pkcs7 -print_certs -text
>
> Works like a charm! Thanks very much for your time and quick response!
>
> Best Regards
> Nan Xiao
>
> On Wed, Apr 7, 2021 at 10:46 AM Viktor Dukhovni
> <[hidden email]> wrote:
> >
> > On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:
> >
> > > Greetings from me! By default openssl-x509 can only dump one
> > > certificate from the file:
> >
> > By "a file" you clearly mean a "PEM file" with one or more certificates
> > exclosed in "-----BEGIN ...".."-----END ..." delimiters.  With that
> > proviso, the command in question is:
> >
> >     openssl crl2pkcs7 -nocrl -certfile somefile.pem |
> >         opessl pkcs7 -print_certs -text
> >
> > The output format can be tweaked slightly, though not quite as much as
> > will "openssl x509".  See the pkcs7(1) manpage for details.
> >
> > --
> >     Viktor.
>