50

I have a p7b file provided by Thawte. When I try to export the certificate to a cer file using the command below, the certificate chain is not included.
Please suggest how to do this. The CER is required for importing into the WebLogic key store.

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
tshepang
Kunal Jha

6 Answers

76

-print_certs is the option you want to use to list all of the certificates in the p7b file; you may need to specify the format of the p7b file you are reading.

You can then redirect the output to a new file to build the concatenated list of certificates.

Open the file in a text editor; you will see either Base64 (PEM) or binary data (DER).

    openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs > certificate_bundle.cer

http://www.openssl.org/docs/apps/pkcs7.html

bcarroll
  • 2
    Just to clarify how to tell the format of the p7b file, when you open the file in a text editor, if you see "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" strings embedded within the gibberish, it is likely Base64 (PEM) format. Otherwise, if it's 100% gibberish, it's likely in binary (DER) format. I got this information from this link: https://knowledge.digicert.com/solution/SO26449.html – Van Vangor Jan 17 '19 at 00:55
  • I had to use openssl pkcs7 -outform PEM -in user.anaplanfrsysdev.p7b -print_certs to extract 2 certs from the .p7b file. – user674669 Aug 13 '19 at 18:41
  • 1
    openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs -out certificat_bundle.cer should also work. It uses the option of openssl itself. – Zailux Nov 23 '20 at 13:29
12

The selected answer didn't work for me, but it's close. I found a tutorial that worked for me and the certificate I obtained from StartCom.

  1. Open the .p7b in a text editor.
  2. Change the leader and trailer so the file looks similar to this:

    -----BEGIN PKCS7-----
    [... certificate content here ...]
    -----END PKCS7-----
    

For example, my StartCom certificate began with:

    -----BEGIN CERTIFICATE----- 

and ended with:

    -----END CERTIFICATE----- 
  3. Save and close the .p7b.
  4. Run the following OpenSSL command (works on Ubuntu 14.04.4, as of this writing):

    openssl pkcs7 -print_certs -in pkcs7.p7b -out pem.cer
    

The output is a .cer with the certificate chain.

Reference: http://www.freetutorialssubmit.com/extract-certificates-from-P7B/2206

fundatillus
5

The only problem is that any additional certificates in the resulting file will not be recognized, as tools don't expect more than one certificate per PEM/DER encoded file. Even openssl itself. Try

    openssl x509 -outform DER -in certificate.cer | openssl x509 -inform DER -outform PEM

and see for yourself.

GabLeRoux
AnrDaemon
  • 1
    A concatenated list of intermediate certificates is useful for Apache httpd webservers that perform X.509 client authentication using the SSLCACertificateFile configuration parameter. From the apache httpd-ssl.conf file: Set the CA certificate verification path where to find CA certificates for client authentication or alternatively one huge file containing all of them (file must be PEM encoded) – bcarroll Mar 02 '15 at 23:53
1

I had a similar problem extracting certificates from a file. This might not be the best way to do it, but it worked for me.

    openssl pkcs7 -inform DER -print_certs -in <path of the file> | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("cert" n ".pem")}'
CRABOLO
Magnus
1

If you add -chain to your command line, it will export any chained certificates.

http://www.openssl.org/docs/apps/pkcs12.html

Master G
0

A version of @Magnus's answer that saves each certificate to a separate file, but also strips headers:

    openssl pkcs7 -inform DER -in root.p7b -print_certs | awk '/^-+BEG/{n++;s=1}s{print>("root_" n ".crt")}/^-+END/{s=0}'
Alek
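
The answers above combined into one script, added here as an example and not code from any of the posters: it chooses -inform from the file's armor line or first byte, and splits -print_certs output into one certificate per file. The function names and the sample bundle (placeholder Base64, not real certificates) are constructed for illustration.

```shell
# p7b_format FILE: classify the container before choosing -inform.
p7b_format() {
    if grep -q -e '^-----BEGIN PKCS7-----' "$1"; then echo pem-pkcs7
    elif grep -q -e '^-----BEGIN CERTIFICATE-----' "$1"; then echo pem-certs
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then echo der  # ASN.1 SEQUENCE
    else echo unknown; fi
}

# extract_chain P7B OUT: run openssl with the -inform matching the file.
extract_chain() {
    case "$(p7b_format "$1")" in
        pem-pkcs7) openssl pkcs7 -inform PEM -print_certs -in "$1" -out "$2" ;;
        der)       openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" ;;
        pem-certs) echo "$1: CERTIFICATE armor: a plain bundle or mislabeled PKCS#7" >&2; return 2 ;;
        *)         echo "$1: not recognized as PKCS#7" >&2; return 1 ;;
    esac
}

# split_bundle FILE PREFIX: write PREFIX1.pem, PREFIX2.pem, ... holding only the
# armored blocks (subject=/issuer= lines dropped); print the certificate count.
split_bundle() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# Constructed sample shaped like `openssl pkcs7 -print_certs` output
# (placeholder Base64, not real certificates) for trying split_bundle offline.
sample_bundle() {
    cat <<'EOF'
subject=CN = leaf.example.test
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRg==
-----END CERTIFICATE-----

subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRF
-----END CERTIFICATE-----
EOF
}
```

A `pem-certs` result is ambiguous on purpose: the file is either already a certificate bundle or a PKCS#7 blob carrying the wrong armor label, which is the case the header edit in the second answer addresses.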