How to get all certs into a .der file.


How to get all certs into a .der file.

paul h. roubekas

I am a complete newbie to this list.

I wanted to search the archive but found no such page.

I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the curl command.

The first hop to a *.pem file has all the certs.

But the second hop only has one cert.  Then I read the docs but found nothing that looked even close.

Hop 1

openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password {redacted}

Hop 2

openssl x509 -outform der -in ww_temp.pem -out ww_temp.der

The Question) How do I get all the certs in the .der file?


Re: How to get all certs into a .der file.

Kyle Hamilton
If you need multiple certificates in a single DER structure, you're looking for something to create a "PKIpath". I've never heard of curl requiring such, though.  Chances are it will handle the PEM chain just fine.

What curl command line are you trying to use?

-Kyle H

On Thu, May 21, 2020, 18:00 paul h. roubekas <[hidden email]> wrote:

> I am a complete newbie to this list.
>
> I wanted to search the archive but found no such page.
>
> I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the curl command.
>
> The first hop to a *.pem file has all the certs.
>
> But the second hop only has one cert.  Then I read the docs but found nothing that looked even close.
>
> Hop 1
>
> openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password {redacted}
>
> Hop 2
>
> openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
>
> The Question) How do I get all the certs in the .der file?


Re: How to get all certs into a .der file.

Richard Levitte - VMS Whacker-2
In reply to this post by paul h. roubekas
Generally speaking, OpenSSL hasn't exactly encouraged multiple objects
in one DER file.  While it's theoretically possible to have several
objects in such a file, there is code in OpenSSL where that's
simply not considered.  For example, this snippet in the man-page
'X509_LOOKUP_file' is quite clear:

   Functions X509_load_cert_file and X509_load_crl_file can load both PEM
   and DER formats depending of type value. Because DER format cannot
   contain more than one certificate or CRL object (while PEM can contain
   several concatenated PEM objects) X509_load_cert_crl_file with
   FILETYPE_ASN1 is equivalent to X509_load_cert_file.

The functions described there are also used by functions like
X509_LOOKUP_load_file().

Note that this may change going forward, as OSSL_STORE is gradually
entering the scene, and does provide a bit better flexibility in this
regard.
(We have recently added an X509_LOOKUP variant that uses OSSL_STORE
for its object retrieval, see the section 'OSSL_STORE Method' in
doc/man3/X509_LOOKUP_hash_dir.pod in recent OpenSSL source, such as
the alpha releases)

Cheers,
Richard

On Fri, 22 May 2020 00:53:39 +0200,
paul h. roubekas wrote:

> I am a complete newbie to this list.
>
> I wanted to search the archive but found no such page.
>
> I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the curl
> command.
>
> The first hop to a *.pem file has all the certs.
>
> But the second hop only has one cert.  Then I read the docs but found nothing that looked even
> close.
>
> Hop 1
>
> openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password {redacted}
>
> Hop 2
>
> openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
>
> The Question) How do I get all the certs in the .der file?
>
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: How to get all certs into a .der file.

Kyle Hamilton
There is a format that puts all DER certificates into a single DER-formatted structure.  It is called PKIpath, and it's defined as `SEQUENCE OF Certificate`.  The problem with it is that its order was standardized by X.509 2001 TC1 to begin with the root and continue to the leaf, which is backwards from how TLS presents the certificate chain.  (Java's JCA/JCE were specified before that corrigendum issued, and its PKIpath validation goes by the convention in use at the time to put the leaf certificate first, like pem-certificate-chain.)

I don't have my computer open to get you the PKIX-WG RFCs which define it and specify the same order as the TC1, but if you're curious you can chase them down by looking up IANA's list of media types and searching for "application/pkix-pkipath".

-Kyle H


On Fri, May 22, 2020, 00:55 Richard Levitte <[hidden email]> wrote:

> Generally speaking, OpenSSL hasn't exactly encouraged multiple objects
> in one DER file.  While it's theoretically possible to have several
> objects in such a file, there is code in OpenSSL where that's
> simply not considered.  For example, this snippet in the man-page
> 'X509_LOOKUP_file' is quite clear:
>
>    Functions X509_load_cert_file and X509_load_crl_file can load both PEM
>    and DER formats depending of type value. Because DER format cannot
>    contain more than one certificate or CRL object (while PEM can contain
>    several concatenated PEM objects) X509_load_cert_crl_file with
>    FILETYPE_ASN1 is equivalent to X509_load_cert_file.
>
> The functions described there are also used by functions like
> X509_LOOKUP_load_file().
>
> Note that this may change going forward, as OSSL_STORE is gradually
> entering the scene, and does provide a bit better flexibility in this
> regard.
> (We have recently added an X509_LOOKUP variant that uses OSSL_STORE
> for its object retrieval, see the section 'OSSL_STORE Method' in
> doc/man3/X509_LOOKUP_hash_dir.pod in recent OpenSSL source, such as
> the alpha releases)
>
> Cheers,
> Richard
>
> On Fri, 22 May 2020 00:53:39 +0200,
> paul h. roubekas wrote:
> > I am a complete newbie to this list.
> >
> > I wanted to search the archive but found no such page.
> >
> > I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the curl
> > command.
> >
> > The first hop to a *.pem file has all the certs.
> >
> > But the second hop only has one cert.  Then I read the docs but found nothing that looked even
> > close.
> >
> > Hop 1
> >
> > openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password {redacted}
> >
> > Hop 2
> >
> > openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
> >
> > The Question) How do I get all the certs in the .der file?
> >
> --
> Richard Levitte         [hidden email]
> OpenSSL Project         http://www.openssl.org/~levitte/

RE: [EXTERNAL] How to get all certs into a .der file.

OpenSSL - User mailing list
In reply to this post by paul h. roubekas

According to the documentation, cURL can use p12 files just fine.

curl --cert bob.p12:bobspassword --cert-type p12 https://some.secure.site

Or you can omit the password part and use --key mykey with your password in the mykey file, in order to hide the password from PS queries.

> From: openssl-users <[hidden email]> On Behalf Of paul h. roubekas
> Sent: Thursday, May 21, 2020 4:54 PM
> To: [hidden email]
> Subject: [EXTERNAL] How to get all certs into a .der file.
>
> I am a complete newbie to this list.
>
> I wanted to search the archive but found no such page.
>
> I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the curl command.
>
> The first hop to a *.pem file has all the certs.
>
> But the second hop only has one cert.  Then I read the docs but found nothing that looked even close.
>
> Hop 1
>
> openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password {redacted}
>
> Hop 2
>
> openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
>
> The Question) How do I get all the certs in the .der file?


Re: How to get all certs into a .der file.

Richard Levitte - VMS Whacker-2
In reply to this post by Kyle Hamilton
I'm pretty sure I can find it on my own.  Not saying that I won't
thankfully receive links to interesting information, mind you!

That being said, there is currently no support (no deserializer) for
PKIpath in OpenSSL.

(BTW, since it's a SEQUENCE OF, the outermost object in such a DER
file amounts to only one, even though it then contains a series of
certificates, so that's not really part of the discussion here)

Cheers,
Richard

On Fri, 22 May 2020 09:41:53 +0200,
Kyle Hamilton wrote:

>
> There is a format that puts all DER certificates into a single DER-formatted structure.  It is
> called PKIpath, and it's defined as `SEQUENCE OF Certificate`.  The problem with it is that its
> order was standardized by X.509 2001 TC1 to begin with the root and continue to the leaf, which is
> backwards from how TLS presents the certificate chain.  (Java's JCA/JCE were specified before that
> corrigendum issued, and its PKIpath validation goes by the convention in use at the time to put
> the leaf certificate first, like pem-certificate-chain.)
>
> I don't have my computer open to get you the PKIX-WG RFCs which define it and specify the same
> order as the TC1, but if you're curious you can chase them down by looking up IANA's list of media
> types and searching for "application/pkix-pkipath".
>
> -Kyle H
>
> On Fri, May 22, 2020, 00:55 Richard Levitte <[hidden email]> wrote:
>
>     Generally speaking, OpenSSL hasn't exactly encouraged multiple objects
>     in one DER file.  While it's theoretically possible to have several
>     objects in such a file, there is code in OpenSSL where that's
>     simply not considered.  For example, this snippet in the man-page
>     'X509_LOOKUP_file' is quite clear:
>    
>        Functions X509_load_cert_file and X509_load_crl_file can load both PEM
>        and DER formats depending of type value. Because DER format cannot
>        contain more than one certificate or CRL object (while PEM can contain
>        several concatenated PEM objects) X509_load_cert_crl_file with
>        FILETYPE_ASN1 is equivalent to X509_load_cert_file.
>    
>     The functions described there are also used by functions like
>     X509_LOOKUP_load_file().
>    
>     Note that this may change going forward, as OSSL_STORE is gradually
>     entering the scene, and does provide a bit better flexibility in this
>     regard.
>     (We have recently added an X509_LOOKUP variant that uses OSSL_STORE
>     for its object retrieval, see the section 'OSSL_STORE Method' in
>     doc/man3/X509_LOOKUP_hash_dir.pod in recent OpenSSL source, such as
>     the alpha releases)
>    
>     Cheers,
>     Richard
>    
>     On Fri, 22 May 2020 00:53:39 +0200,
>     paul h. roubekas wrote:
>     > I am a complete newbie to this list.
>     >
>     > I wanted to search the archive but found no such page.
>     >
>     > I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the
>     curl
>     > command.
>     >
>     > The first hop to a *.pem file has all the certs.
>     >
>     > But the second hop only has one cert.  Then I read the docs but found nothing that looked
>     even
>     > close.
>     >
>     > Hop 1
>     >
>     > openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password {redacted}
>     >
>     > Hop 2
>     >
>     > openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
>     >
>     > The Question) How do I get all the certs in the .der file?
>     >
>     >
>     --
>     Richard Levitte         [hidden email]
>     OpenSSL Project         http://www.openssl.org/~levitte/
>
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: How to get all certs into a .der file.

Viktor Dukhovni
In reply to this post by paul h. roubekas
On Thu, May 21, 2020 at 06:53:39PM -0400, paul h. roubekas wrote:

> I have a requirement to convert all certs in a *.p12 file to a *.der file
> for use in the curl command.

Perhaps I can crystallise some of the replies for you.  The basic issue
is that **DER is not a file format**, rather:

    * DER is a binary encoding for a single data structure (object, a.k.a.
      PDU or Protocol Data Unit), generally used only for objects with a
      standardised ASN.1 schema.

One can of course write a DER serialised data structure to a file,
transmit it in a network packet, ...

But, what one can't do (in contrast with PEM) is just concatenate
multiple DER objects together to get a meaningful multi-object store.
For that, you need a standardised container structure that can be
written in DER form, that *internally* holds multiple objects.

Ideally, something less bletcherous than PKCS#12 (inflicted on humanity
by some sadistic deity as punishment for ancestral sins).

--
    Viktor.

Re: How to get all certs into a .der file.

Kyle Hamilton
application/pkix-pkipath
Defined in RFC4366 (section 8) and RFC6066 (section 10.1)

PkiPath ::= SEQUENCE OF Certificate

Within the sequence, the order of certificates is such that the subject of the first certificate is the issuer of the second certificate, etc.

(It's also defined in ITU-T Recommendation X.509(2000) Corrigendum 1(2001) | ISO/IEC 9594-8:2001/Cor.1:2002, Technical Corrigendum 1 to ISO/IEC 9594-8:2001.  However, the assignment of the application/pkix-pkipath identifier was done in RFC4366 and RFC6066.)

-Kyle H

On Fri, May 22, 2020, 13:57 Viktor Dukhovni <[hidden email]> wrote:

> On Thu, May 21, 2020 at 06:53:39PM -0400, paul h. roubekas wrote:
>
> > I have a requirement to convert all certs in a *.p12 file to a *.der file
> > for use in the curl command.
>
> Perhaps I can crystallise some of the replies for you.  The basic issue
> is that **DER is not a file format**, rather:
>
>     * DER is a binary encoding for a single data structure (object, a.k.a.
>       PDU or Protocol Data Unit), generally used only for objects with a
>       standardised ASN.1 schema.
>
> One can of course write a DER serialised data structure to a file,
> transmit it in a network packet, ...
>
> But, what one can't do (in contrast with PEM) is just concatenate
> multiple DER objects together to get a meaningful multi-object store.
> For that, you need a standardised container structure that can be
> written in DER form, that *internally* holds multiple objects.
>
> Ideally, something less bletcherous than PKCS#12 (inflicted on humanity
> by some sadistic deity as punishment for ancestral sins).
>
> --
>     Viktor.
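The distinction drawn in this exchange (Viktor's "DER encodes one object", Richard's note that a PkiPath is still only one outermost object, and Kyle's `SEQUENCE OF Certificate` with its root-first order) as an added example. This is not code from the thread or from OpenSSL; the "certificates" are constructed placeholder SEQUENCE blobs, so only the outer DER framing and ordering are exercised, not X.509 parsing.

```python
# Added example, not from the thread: why concatenated DER is not a multi-cert
# file, and what a PkiPath (RFC 6066 s.10.1) wrapper adds. The "certs" here
# are constructed stand-in SEQUENCE blobs, not real X.509 data.

SEQUENCE = 0x30

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_header(buf, i):
    """Return (tag, header_size, content_length) of the TLV at buf[i]."""
    if i + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[i + 1]
    if first < 0x80:
        return buf[i], 2, first
    n = first & 0x7F
    if n == 0 or i + 2 + n > len(buf):
        raise ValueError("bad DER length")
    return buf[i], 2 + n, int.from_bytes(buf[i + 2:i + 2 + n], "big")

def split_der_objects(buf):
    """Split back-to-back DER objects (what 'cat a.der b.der' yields)."""
    out, i = [], 0
    while i < len(buf):
        _, hdr, length = der_header(buf, i)
        end = i + hdr + length
        if end > len(buf):
            raise ValueError("truncated DER object")
        out.append(buf[i:end])
        i = end
    return out

def pkipath_encode(tls_order):
    """One outer SEQUENCE OF; RFC 6066 orders it root-first, so reverse TLS order."""
    body = b"".join(reversed(tls_order))
    return bytes([SEQUENCE]) + der_len(len(body)) + body

def pkipath_decode(blob):
    """Unwrap a PkiPath, returning its certs in TLS order (leaf first)."""
    tag, hdr, length = der_header(blob, 0)
    if tag != SEQUENCE or hdr + length != len(blob):
        raise ValueError("PkiPath must be exactly one outer SEQUENCE")
    return list(reversed(split_der_objects(blob[hdr:hdr + length])))

def fake_cert(label):  # constructed stand-in for a DER Certificate (outer SEQUENCE only)
    return bytes([SEQUENCE]) + der_len(len(label)) + label
```

Note that `split_der_objects` is only a demonstration of TLV framing: OpenSSL's `FILETYPE_ASN1` loaders read a single object, which is exactly why the thread recommends a real container (PkiPath or PKCS#7) or a PEM bundle instead.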

Re: How to get all certs into a .der file.

Viktor Dukhovni
On Fri, May 22, 2020 at 04:31:02PM -0500, Kyle Hamilton wrote:

> application/pkix-pkipath
> Defined in RFC4366 (section 8) and RFC6066 (section 10.1)
>
> PkiPath ::= SEQUENCE OF Certificate
>
> Within the sequence, the order of certificates is such that the subject of
> the first certificate is the issuer of the second certificate, etc.

One can also use PKCS#7 (Microsoft uses the .SPC file extension):

    $ openssl crl2pkcs7 -nocrl -certfile certs.pem -outform DER

That's perhaps more likely to be what the OP wants, if indeed he wants a
commonly used DER-form multi-cert (no keys) object:

    https://www.file-extensions.org/spc-file-extension-pkcs-7-certificate

--
    Viktor.

Re: How to get all certs into a .der file.

OpenSSL - User mailing list
In reply to this post by Kyle Hamilton
> application/pkix-pkipath
> Defined in RFC4366 (section 8) and RFC6066 (section 10.1)

I doubt that it is worth doing this.  First, because OpenSSL doesn't support it now, then CURL (what the original poster was talking about) can't use it when using OpenSSL.  Instead, as others have pointed out, they should use a text file that has a bunch of PEM blobs concatenated.

Do we know any application that needs this?


Re: How to get all certs into a .der file.

Blumenthal, Uri - 0553 - MITLL
As far as I know, CURL (app and library) is perfectly happy to use a text file comprised of concatenated PEM certificates.

I really wonder if there's a real use case.

On May 22, 2020, at 18:49, Salz, Rich via openssl-users <[hidden email]> wrote:

> > application/pkix-pkipath
> > Defined in RFC4366 (section 8) and RFC6066 (section 10.1)
>
> I doubt that it is worth doing this.  First, because OpenSSL doesn't support it now, then CURL (what the original poster was talking about) can't use it when using OpenSSL.  Instead, as others have pointed out, they should use a text file that has a bunch of PEM blobs concatenated.
>
> Do we know any application that needs this?