application/x-x509-ca-ra-cert (SCEP Enrollment)


application/x-x509-ca-ra-cert (SCEP Enrollment)

Santhosh Kokala
Hi All,
I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
Santhosh

[Attachment: ca_ra_cert.bin (5K)]

Re: application/x-x509-ca-ra-cert (SCEP Enrollment)

Matthew Hall
Use the dumpasn1 utility on it, it's in almost every Linux distro, or from its
website:

http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

Matthew.

On Wed, Feb 20, 2013 at 07:54:00PM +0000, Santhosh Kokala wrote:
> Hi All,
> I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
> Santhosh


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: application/x-x509-ca-ra-cert (SCEP Enrollment)

Dave Thompson-5
> From: [hidden email] On Behalf Of Matthew Hall
> Sent: Wednesday, 20 February, 2013 15:05

> Use the dumpasn1 utility on it, it's in almost every Linux
> distro, or from its
> website:
>
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
>
Or openssl asn1parse, likely available to anyone asking here
even on non-Linux; with -inform der if applicable which it is
here (easily determinable with any kind of octal or hex dump
or a good guess for anything that doesn't look like base64).

> Matthew.
>
> On Wed, Feb 20, 2013 at 07:54:00PM +0000, Santhosh Kokala wrote:
> > Hi All,
> > I am unable to identify the certificate format that I
> received during SCEP enrollment. I am attaching a copy of the
> cert chain that I received. Can someone please let me know
> how to convert the above attached certificate to PEM format?
> > Santhosh
>
And to answer the question, it's a trivial PKCS#7, sometimes
used to carry only (desired) certs and/or CRLs, and usually
indicated by extension .p7b or .p7c. But it's not a chain;
it's *two* end-entity certs, for different RSA keys, one for
(particular?) signing and one for (particular?) encryption;
then one CA (root) cert whose *name* matches the issuer of
the children but SKI (and actual key) doesn't match child
AKI, and thus is not the correct CA cert for these children.

"openssl pkcs7 -in $file -print_certs" displays the three
certs (each) in PEM, which you can cut apart with any
reasonable editor. The two child certs may or may not be
useful; the CA cert apparently won't.

Or less convenient you can use
  openssl asn1parse -in $file -inform der
  -strparse $offsetpercert -out $derfilepercert
to get each cert in DER in a file, and then use
  openssl x509 -in $certder -inform der -out $certpem
to convert each to PEM. With the same results.



Re: application/x-x509-ca-ra-cert (SCEP Enrollment)

Matthew Hall
On Wed, Feb 20, 2013 at 06:51:12PM -0500, Dave Thompson wrote:
> Or openssl asn1parse, likely available to anyone asking here
> even on non-Linux; with -inform der if applicable which it is
> here (easily determinable with any kind of octal or hex dump
> or a good guess for anything that doesn't look like base64).

Yeah, that works also. But the output is harder to read than that of dumpasn1.

Matthew.

RE: application/x-x509-ca-ra-cert (SCEP Enrollment)

Santhosh Kokala
In reply to this post by Dave Thompson-5
I get this error when I try to convert it to PEM format.


[~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
unable to load PKCS7 object
140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: PKCS7

[~]$ openssl asn1parse -in ca_ra_cert.bin -inform der -strparse 0 -out test | less
   0:d=0  hl=4 l=3936 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=3921 cons: cont [ 0 ]
   19:d=2  hl=4 l=3917 cons: SEQUENCE
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=   0 cons: SET
   28:d=3  hl=2 l=  11 cons: SEQUENCE
   30:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   41:d=3  hl=4 l=3893 cons: cont [ 0 ]
   45:d=4  hl=4 l=1474 cons: SEQUENCE
   49:d=5  hl=4 l=1194 cons: SEQUENCE
   53:d=6  hl=2 l=   3 cons: cont [ 0 ]
   55:d=7  hl=2 l=   1 prim: INTEGER           :02
   58:d=6  hl=2 l=  10 prim: INTEGER           :610962F600000000002A
   70:d=6  hl=2 l=  13 cons: SEQUENCE
   72:d=7  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   83:d=7  hl=2 l=   0 prim: NULL
   85:d=6  hl=2 l=  79 cons: SEQUENCE
   87:d=7  hl=2 l=  21 cons: SET
   89:d=8  hl=2 l=  19 cons: SEQUENCE
   91:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
  103:d=9  hl=2 l=   5 prim: IA5STRING         :local
  110:d=7  hl=2 l=  23 cons: SET
  112:d=8  hl=2 l=  21 cons: SEQUENCE
  114:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
  126:d=9  hl=2 l=   7 prim: IA5STRING         :southey
  135:d=7  hl=2 l=  29 cons: SET
  137:d=8  hl=2 l=  27 cons: SEQUENCE
  139:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  144:d=9  hl=2 l=  20 prim: PRINTABLESTRING   :southey-DBN-DC-01-CA
  166:d=6  hl=2 l=  30 cons: SEQUENCE
  168:d=7  hl=2 l=  13 prim: UTCTIME           :130103123245Z
  183:d=7  hl=2 l=  13 prim: UTCTIME           :150103123245Z
  198:d=6  hl=3 l= 163 cons: SEQUENCE
  201:d=7  hl=2 l=  11 cons: SET
  203:d=8  hl=2 l=   9 cons: SEQUENCE
  205:d=9  hl=2 l=   3 prim: OBJECT            :countryName
  210:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :ZA
  214:d=7  hl=2 l=  21 cons: SET
  216:d=8  hl=2 l=  19 cons: SEQUENCE
  218:d=9  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  223:d=9  hl=2 l=  12 prim: PRINTABLESTRING   :KwazuluNatal
  237:d=7  hl=2 l=  15 cons: SET
  239:d=8  hl=2 l=  13 cons: SEQUENCE
  241:d=9  hl=2 l=   3 prim: OBJECT            :localityName
  246:d=9  hl=2 l=   6 prim: PRINTABLESTRING   :Durban
  254:d=7  hl=2 l=  25 cons: SET
  256:d=8  hl=2 l=  23 cons: SEQUENCE
  258:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
  263:d=9  hl=2 l=  16 prim: PRINTABLESTRING   :Southey Holdings
  281:d=7  hl=2 l=  11 cons: SET
  283:d=8  hl=2 l=   9 cons: SEQUENCE
  285:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  290:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :IT
  294:d=7  hl=2 l=  27 cons: SET
  296:d=8  hl=2 l=  25 cons: SEQUENCE
  298:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  303:d=9  hl=2 l=  18 prim: PRINTABLESTRING   :DBN-DC-01-MSCEP-RA
  323:d=7  hl=2 l=  39 cons: SET
  325:d=8  hl=2 l=  37 cons: SEQUENCE


RE: application/x-x509-ca-ra-cert (SCEP Enrollment)

Dave Thompson-5
> From: [hidden email] On Behalf Of Santhosh Kokala
> Sent: Wednesday, 20 February, 2013 19:33

> I get this error when I try to convert it to PEM format.
>
>
> [~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
> unable to load PKCS7 object
> 140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no
> start line:pem_lib.c:698:Expecting: PKCS7
>
See below.

> [~]$ openssl asn1parse -in ca_ra_cert.bin -inform der
> -strparse 0 -out test | less

-strparse 0 -out $file is silly, that just copies the
(valid) file you already have. See below.

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Dave Thompson
> Sent: Wednesday, February 20, 2013 3:51 PM
<snip>
> Or openssl asn1parse, likely available to anyone asking here
> even on non-Linux; with -inform der if applicable which it is
> here (easily determinable with any kind of octal or hex dump
> or a good guess for anything that doesn't look like base64).
<snip>
> "openssl pkcs7 -in $file -print_certs" displays the three
> certs (each) in PEM, which you can cut apart with any
> reasonable editor. The two child certs may or may not be
> useful; the CA cert apparently won't.
>
Sorry I left it out, but you might have put 2 and 2 together;
"openssl pkcs7" like asn1parse needs -inform der if the file
is DER, which yours is.

> Or less convenient you can use
>   openssl asn1parse -in $file -inform der
>   -strparse $offsetpercert -out $derfilepercert to get each
> cert in DER in a file, and then use
>   openssl x509 -in $certder -inform der -out $certpem to
> convert each to PEM. With the same results.
>
For the three certs in your message the -strparse offsets
would be 45, 1523 and 2983.


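A small DER walker, added here as example code (not from the thread, OpenSSL or any SCEP implementation), that does what Dave describes for a degenerate PKCS#7: it walks ContentInfo -> [0] -> SignedData -> [0] certificates exactly as the asn1parse dump above shows, reports each certificate's byte offset (the value you would hand to -strparse), PEM-wraps each one, and rejects non-DER input, which is what produces the "no start line" error when -inform der is missing. The sample PKCS#7 and its three placeholder certs are constructed inline and are not real X.509 certificates; all function names are my own.

```python
import base64
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # OID TLV 1.2.840.113549.1.7.2 pkcs7-signedData
DATA_OID = bytes.fromhex("06092a864886f70d010701")         # OID TLV 1.2.840.113549.1.7.1 pkcs7-data

def tlv(tag, body):
    """Encode one DER TLV with minimal (short- or long-form) length."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off):
    """Decode the DER header at off; return (tag, length, body_offset)."""
    tag, first = buf[off], buf[off + 1]
    n = 0 if first < 0x80 else first & 0x7F           # count of long-form length bytes
    length = first if n == 0 else int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return tag, length, off + 2 + n

def pkcs7_certs(der):
    """[(offset, cert_der)] per cert in a degenerate signedData; offsets equal asn1parse -strparse values."""
    if der[:1] != b"\x30":                             # PEM starts with '-----', DER with a SEQUENCE tag
        raise ValueError("input is not DER; drop -inform der for PEM files")
    _, _, pos = read_tlv(der, 0)                       # ContentInfo SEQUENCE
    _, l, body = read_tlv(der, pos)                    # contentType OID
    if der[pos:body + l] != SIGNED_DATA_OID:
        raise ValueError("contentType is not pkcs7-signedData")
    _, _, pos = read_tlv(der, body + l)                # [0] EXPLICIT content
    _, _, pos = read_tlv(der, pos)                     # SignedData SEQUENCE
    for _ in range(3):                                 # skip version, digestAlgorithms, encapContentInfo
        _, l, body = read_tlv(der, pos)
        pos = body + l
    tag, l, pos = read_tlv(der, pos)                   # [0] IMPLICIT CertificateSet (absent: no certs)
    certs, end = [], pos + l
    while tag == 0xA0 and pos < end:
        _, l, body = read_tlv(der, pos)
        certs.append((pos, der[pos:body + l]))
        pos = body + l
    return certs

def to_pem(cert_der):
    """PEM-wrap one DER certificate at 64 chars per line, as openssl x509 -out does."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sample_pkcs7(cert_blobs):  # constructed stand-in for a SCEP GetCACert reply: SignedData, no signers
    inner = tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, DATA_OID) + tlv(0xA0, b"".join(cert_blobs))
    return tlv(0x30, SIGNED_DATA_OID + tlv(0xA0, tlv(0x30, inner)))

# Three opaque placeholder "certs" (constructed, not X.509) for RA signing, RA encryption and CA; >255 bytes each
CERT_BLOBS = [tlv(0x30, tlv(0x04, bytes([c]) * 300)) for c in b"SEC"]
SAMPLE = sample_pkcs7(CERT_BLOBS)
```

Because every outer header in SAMPLE uses a 4-byte length, the first certificate lands at offset 45, the same offset as in the dump above; run `pkcs7_certs` on ca_ra_cert.bin to get the real offsets and `to_pem` on each blob for the PEM files.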