How to get all certs into a .der file.

Kyle Hamilton aerowolf at
Fri May 22 21:31:02 UTC 2020

Defined in RFC4366 (section 8) and RFC6066 (section 10.1)

PkiPath ::= SEQUENCE OF Certificate

Within the sequence, the order of certificates is such that the subject of
the first certificate is the issuer of the second certificate, etc.

(It's also defined in ITU-T Recommendation X.509(2000) Corrigendum 1(2001)
| ISO/IEC 9594-82001/Cor.1:2002, Technical Corrigendum 1 to ISO/IEC
9594:8:2001.  However, the assignment of the application/pkix-pkipath
identifier was done in RFC4366 and RFC6066.)

-Kyle H

On Fri, May 22, 2020, 13:57 Viktor Dukhovni <openssl-users at>

> On Thu, May 21, 2020 at 06:53:39PM -0400, paul h. roubekas wrote:
> > I have a requirement to convert all certs in a *.p12 file to a *.der file
> > for use in the curl command.
> Perhaps I can crystalise some of the replies for you.  The basic issue
> is that **DER is not a file format**, rather:
>     * DER is binary encoding for a single data structure (object, a.k.a.
>       PDU or Protocol Data Unit), generally used only for objects with a
>       standardised ASN.1 schema.
> One can of course write a DER serialised data structure to a file,
> transmit it in a network packet, ...
> But, what one can't do (in contrast with PEM) is just concatenate
> multiple DER objects together to get a meaningful multi-object store.
> For that, you need a standardised container structure that can be
> written in DER form, that *internally* holds multiple objects.
> Ideally, something less bletcherous than PKCS#12 (inflicted on humanity
> by some sadistic deity as punishment for ancestral sins).
> --
>     Viktor.
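
An added illustration, not part of the original thread: the DER framing behind `PkiPath ::= SEQUENCE OF Certificate`, showing why the outer SEQUENCE header is what turns several DER objects into one parseable object. All function names are hypothetical, the inputs are constructed placeholder SEQUENCEs rather than real certificates, and only the framing is checked, not the issuer/subject ordering.

```python
def der_len(n):
    """DER definite length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(buf, off=0):
    """Return (tag, value_start, end) of the TLV at off (single-byte tags only)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def build_pkipath(certs):
    """Wrap DER certificates, already in PkiPath order, in one outer SEQUENCE."""
    for c in certs:
        tag, _, end = read_tlv(c)
        if tag != 0x30 or end != len(c):
            raise ValueError("element is not exactly one DER SEQUENCE")
    body = b"".join(certs)
    return b"\x30" + der_len(len(body)) + body

def split_pkipath(blob):
    """Return the elements of a PkiPath; reject anything but one outer SEQUENCE."""
    tag, pos, end = read_tlv(blob)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    out = []
    while pos < end:
        _, _, nxt = read_tlv(blob, pos)
        out.append(blob[pos:nxt])
        pos = nxt
    return out

def fake_cert(n):
    """Constructed placeholder: SEQUENCE { OCTET STRING of n zero bytes }."""
    inner = b"\x04" + der_len(n) + bytes(n)
    return b"\x30" + der_len(len(inner)) + inner
SAMPLE = [fake_cert(10), fake_cert(200), fake_cert(300)]  # constructed, not real certs
```

Passing the bare concatenation `b"".join(SAMPLE)` to `split_pkipath` raises `ValueError`, because the first element's length ends before the buffer does and nothing in DER says more objects follow.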