How to get all certs into a .der file.

Fri May 22 07:41:53 UTC 2020

There is a format that puts all DER certificates into a single
DER-formatted structure.  It is called PKIpath, and it's defined as
`SEQUENCE OF Certificate`.  The problem with it is that its order was
standardized by X.509 2001 TC1 to begin with the root and continue to the
leaf, which is backwards from how TLS present the certificate chain.
(Java's JCA/JCE were specified before that corrigendum issued, and its
PKIpath validation goes by the convention in use at the time to put the
leaf certificate first, like pem-certificate-chain.)

I don't have my computer open to get you the PKIX-WG RFCs which define it
and specify the same order as the TC1, but if you're curious you can chase
them down by looking up IANA's list of media types and searching for
"application/pkix-pkipath".

-Kyle H

On Fri, May 22, 2020, 00:55 Richard Levitte <levitte at openssl.org> wrote:

> Generally speaking, OpenSSL hasn't exactly encouraged multiple objects
> in one DER file.  While it's theoretically possible to have several
> objects in such a file file, there is code in OpenSSL where that's
> simply not considered.  For example, this snippet in the man-page
> 'X509_LOOKUP_file' is quite clear:
>
>    Functions X509_load_cert_file and X509_load_crl_file can load both PEM
>    and DER formats depending of type value. Because DER format cannot
>    contain more than one certificate or CRL object (while PEM can contain
>    several concatenated PEM objects) X509_load_cert_crl_file with
>    FILETYPE_ASN1 is equivalent to X509_load_cert_file.
>
> The functions described there are also used by functions like
> X509_LOOKUP_load_file().
>
> Note that this may change going forward, as OSSL_STORE is gradually
> entering the scene, and does provide a bit better flexibility in this
> regard.
> (We have recently added an X509_LOOKUP variant that uses OSSL_STORE
> for its object retrieval, see the section 'OSSL_STORE Method' in
> doc/man3/X509_LOOKUP_hash_dir.pod in recent OpenSSL source, such as
> the alpha releases)
>
> Cheers,
> Richard
>
> On Fri, 22 May 2020 00:53:39 +0200,
> paul h. roubekas wrote:
> > I am a complete newbie to this list.
> >
> > I wanted to search the archive but found no such page.
> >
> > I have a requirement to convert all certs in a *.p12 file to a *.der
> file for use in the curl
> > command.
> >
> > The first hop to a *.pem file has all the certs.
> >
> > But the second hop only has one cert.  The I read the docs but found
> nothing that looked even
> > close.
> >
> > Hop 1
> >
> > openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem  -password
> {redacted}
> >
> > Hop 2
> >
> > openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
> >
> > The Question) How do I get all the certs in the .der file?
> >
> >
> --
> Richard Levitte         levitte at openssl.org
> OpenSSL Project         http://www.openssl.org/~levitte/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200522/d4f7626a/attachment.html>