> From: owner-openssl-us...@openssl.org On Behalf Of Matthew Hall > Sent: Wednesday, 20 February, 2013 15:05
> Use the dumpasn1 utility on it, it's in almost every Linux > distro, or from its > website: > > http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c > Or openssl asn1parse, likely available to anyone asking here even on non-Linux; with -inform der if applicable which it is here (easily determinable with any kind of octal or hex dump or a good guess for anything that doesn't look like base64). > Matthew. > > On Wed, Feb 20, 2013 at 07:54:00PM +0000, Santhosh Kokala wrote: > > Hi All, > > I am unable to identify the certificate format that I > received during SCEP enrollment. I am attaching a copy of the > cert chain that I received. Can someone please let me know > how to convert the above attached certificate to PEM format? > > Santhosh > And to answer the question, it's a trivial PKCS#7, sometimes used to carry only (desired) certs and/or CRLs, and usually indicated by extension .p7b or .p7c. But it's not a chain; it's *two* end-entity certs, for different RSA keys, one for (particular?) signing and one for (particular?) encryption; then one CA (root) cert whose *name* matches the issuer of the children but SKI (and actual key) doesn't match child AKI, and thus is not the correct CA cert for these children. "openssl pkcs7 -in $file -print_certs" displays the three certs (each) in PEM, which you can cut apart with any reasonable editor. The two child certs may or may not be useful; the CA cert apparently won't. Or less convenient you can use openssl asn1parse -in $file -inform der -strparse $offsetpercert -out $derfilepercert to get each cert in DER in a file, and then use openssl x509 -in $certder -inform der -out $certpem to convert each to PEM. With the same results. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
