Discussion:
application/x-x509-ca-ra-cert (SCEP Enrollment)
Santhosh Kokala
2013-02-20 19:54:00 UTC
Permalink
Hi All,
I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
Santhosh
Matthew Hall
2013-02-20 20:04:32 UTC
Permalink
Use the dumpasn1 utility on it, it's in almost every Linux distro, or from its
website:

http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

Matthew.
Post by Santhosh Kokala
Hi All,
I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
Santhosh
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Dave Thompson
2013-02-20 23:51:12 UTC
Permalink
Sent: Wednesday, 20 February, 2013 15:05
Use the dumpasn1 utility on it, it's in almost every Linux
distro, or from its
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
Or openssl asn1parse, likely available to anyone asking here
even on non-Linux; with -inform der if applicable which it is
here (easily determinable with any kind of octal or hex dump
or a good guess for anything that doesn't look like base64).
Matthew.
Post by Santhosh Kokala
Hi All,
I am unable to identify the certificate format that I
received during SCEP enrollment. I am attaching a copy of the
cert chain that I received. Can someone please let me know
how to convert the above attached certificate to PEM format?
Post by Santhosh Kokala
Santhosh
And to answer the question, it's a trivial PKCS#7, sometimes
used to carry only (desired) certs and/or CRLs, and usually
indicated by extension .p7b or .p7c. But it's not a chain;
it's *two* end-entity certs, for different RSA keys, one for
(particular?) signing and one for (particular?) encryption;
then one CA (root) cert whose *name* matches the issuer of
the children but SKI (and actual key) doesn't match child
AKI, and thus is not the correct CA cert for these children.

"openssl pkcs7 -in $file -print_certs" displays the three
certs (each) in PEM, which you can cut apart with any
reasonable editor. The two child certs may or may not be
useful; the CA cert apparently won't.

Or less convenient you can use
openssl asn1parse -in $file -inform der
-strparse $offsetpercert -out $derfilepercert
to get each cert in DER in a file, and then use
openssl x509 -in $certder -inform der -out $certpem
to convert each to PEM. With the same results.


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Matthew Hall
2013-02-21 00:09:45 UTC
Permalink
Post by Dave Thompson
Or openssl asn1parse, likely available to anyone asking here
even on non-Linux; with -inform der if applicable which it is
here (easily determinable with any kind of octal or hex dump
or a good guess for anything that doesn't look like base64).
Yeah, that works also. But the output is harder to read than that of dumpasn1.

Matthew.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Santhosh Kokala
2013-02-21 00:32:56 UTC
Permalink
I get this error when I try to convert it to PEM format.


[~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
unable to load PKCS7 object
140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: PKCS7

[~]$ openssl asn1parse -in ca_ra_cert.bin -inform der -strparse 0 -out test | less
0:d=0 hl=4 l=3936 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=3921 cons: cont [ 0 ]
19:d=2 hl=4 l=3917 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 0 cons: SET
28:d=3 hl=2 l= 11 cons: SEQUENCE
30:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
41:d=3 hl=4 l=3893 cons: cont [ 0 ]
45:d=4 hl=4 l=1474 cons: SEQUENCE
49:d=5 hl=4 l=1194 cons: SEQUENCE
53:d=6 hl=2 l= 3 cons: cont [ 0 ]
55:d=7 hl=2 l= 1 prim: INTEGER :02
58:d=6 hl=2 l= 10 prim: INTEGER :610962F600000000002A
70:d=6 hl=2 l= 13 cons: SEQUENCE
72:d=7 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
83:d=7 hl=2 l= 0 prim: NULL
85:d=6 hl=2 l= 79 cons: SEQUENCE
87:d=7 hl=2 l= 21 cons: SET
89:d=8 hl=2 l= 19 cons: SEQUENCE
91:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
103:d=9 hl=2 l= 5 prim: IA5STRING :local
110:d=7 hl=2 l= 23 cons: SET
112:d=8 hl=2 l= 21 cons: SEQUENCE
114:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
126:d=9 hl=2 l= 7 prim: IA5STRING :southey
135:d=7 hl=2 l= 29 cons: SET
137:d=8 hl=2 l= 27 cons: SEQUENCE
139:d=9 hl=2 l= 3 prim: OBJECT :commonName
144:d=9 hl=2 l= 20 prim: PRINTABLESTRING :southey-DBN-DC-01-CA
166:d=6 hl=2 l= 30 cons: SEQUENCE
168:d=7 hl=2 l= 13 prim: UTCTIME :130103123245Z
183:d=7 hl=2 l= 13 prim: UTCTIME :150103123245Z
198:d=6 hl=3 l= 163 cons: SEQUENCE
201:d=7 hl=2 l= 11 cons: SET
203:d=8 hl=2 l= 9 cons: SEQUENCE
205:d=9 hl=2 l= 3 prim: OBJECT :countryName
210:d=9 hl=2 l= 2 prim: PRINTABLESTRING :ZA
214:d=7 hl=2 l= 21 cons: SET
216:d=8 hl=2 l= 19 cons: SEQUENCE
218:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
223:d=9 hl=2 l= 12 prim: PRINTABLESTRING :KwazuluNatal
237:d=7 hl=2 l= 15 cons: SET
239:d=8 hl=2 l= 13 cons: SEQUENCE
241:d=9 hl=2 l= 3 prim: OBJECT :localityName
246:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Durban
254:d=7 hl=2 l= 25 cons: SET
256:d=8 hl=2 l= 23 cons: SEQUENCE
258:d=9 hl=2 l= 3 prim: OBJECT :organizationName
263:d=9 hl=2 l= 16 prim: PRINTABLESTRING :Southey Holdings
281:d=7 hl=2 l= 11 cons: SET
283:d=8 hl=2 l= 9 cons: SEQUENCE
285:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
290:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
294:d=7 hl=2 l= 27 cons: SET
296:d=8 hl=2 l= 25 cons: SEQUENCE
298:d=9 hl=2 l= 3 prim: OBJECT :commonName
303:d=9 hl=2 l= 18 prim: PRINTABLESTRING :DBN-DC-01-MSCEP-RA
323:d=7 hl=2 l= 39 cons: SET
325:d=8 hl=2 l= 37 cons: SEQUENCE

-----Original Message-----
From: owner-openssl-users-MCmKBN63+***@public.gmane.org [mailto:owner-openssl-***@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, February 20, 2013 3:51 PM
To: openssl-users-MCmKBN63+***@public.gmane.org
Subject: RE: application/x-x509-ca-ra-cert (SCEP Enrollment)
Sent: Wednesday, 20 February, 2013 15:05
Use the dumpasn1 utility on it, it's in almost every Linux distro, or from its
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
Or openssl asn1parse, likely available to anyone asking here even on non-Linux; with -inform der if applicable which it is here (easily determinable with any kind of octal or hex dump or a good guess for anything that doesn't look like base64).
Matthew.
Post by Santhosh Kokala
Hi All,
I am unable to identify the certificate format that I
received during SCEP enrollment. I am attaching a copy of the cert
chain that I received. Can someone please let me know how to convert
the above attached certificate to PEM format?
Post by Santhosh Kokala
Santhosh
And to answer the question, it's a trivial PKCS#7, sometimes used to carry only (desired) certs and/or CRLs, and usually indicated by extension .p7b or .p7c. But it's not a chain; it's *two* end-entity certs, for different RSA keys, one for
(particular?) signing and one for (particular?) encryption; then one CA (root) cert whose *name* matches the issuer of the children but SKI (and actual key) doesn't match child AKI, and thus is not the correct CA cert for these children.

"openssl pkcs7 -in $file -print_certs" displays the three certs (each) in PEM, which you can cut apart with any reasonable editor. The two child certs may or may not be useful; the CA cert apparently won't.

Or less convenient you can use
openssl asn1parse -in $file -inform der
-strparse $offsetpercert -out $derfilepercert to get each cert in DER in a file, and then use
openssl x509 -in $certder -inform der -out $certpem to convert each to PEM. With the same results.


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Dave Thompson
2013-02-21 08:31:38 UTC
Permalink
Sent: Wednesday, 20 February, 2013 19:33
I get this error when I try to convert it to PEM format.
[~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
unable to load PKCS7 object
140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no
start line:pem_lib.c:698:Expecting: PKCS7
See below.
[~]$ openssl asn1parse -in ca_ra_cert.bin -inform der
-strparse 0 -out test | less
-strparse 0 -out $file is silly, that just copies the
(valid) file you already have. See below.
-----Original Message-----
Sent: Wednesday, February 20, 2013 3:51 PM
<snip>
Or openssl asn1parse, likely available to anyone asking here
even on non-Linux; with -inform der if applicable which it is
here (easily determinable with any kind of octal or hex dump
or a good guess for anything that doesn't look like base64).
<snip>
"openssl pkcs7 -in $file -print_certs" displays the three
certs (each) in PEM, which you can cut apart with any
reasonable editor. The two child certs may or may not be
useful; the CA cert apparently won't.
Sorry I left it out, but you might have put 2 and 2 torgether;
"openssl pkcs7" like asn1parse needs -inform der if the file
is DER, which yours is.
Or less convenient you can use
openssl asn1parse -in $file -inform der
-strparse $offsetpercert -out $derfilepercert to get each
cert in DER in a file, and then use
openssl x509 -in $certder -inform der -out $certpem to
convert each to PEM. With the same results.
For the three certs in yhour message the -strparse offsets
would be 45 1523 2983 .


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Loading...