I get this error when I try to convert it to PEM format.

[~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
unable to load PKCS7 object
140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: PKCS7

[~]$ openssl asn1parse -in ca_ra_cert.bin -inform der -strparse 0 -out test | less
0:d=0 hl=4 l=3936 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=3921 cons: cont [ 0 ]
19:d=2 hl=4 l=3917 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 0 cons: SET
28:d=3 hl=2 l= 11 cons: SEQUENCE
30:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
41:d=3 hl=4 l=3893 cons: cont [ 0 ]
45:d=4 hl=4 l=1474 cons: SEQUENCE
49:d=5 hl=4 l=1194 cons: SEQUENCE
53:d=6 hl=2 l= 3 cons: cont [ 0 ]
55:d=7 hl=2 l= 1 prim: INTEGER :02
58:d=6 hl=2 l= 10 prim: INTEGER :610962F600000000002A
70:d=6 hl=2 l= 13 cons: SEQUENCE
72:d=7 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
83:d=7 hl=2 l= 0 prim: NULL
85:d=6 hl=2 l= 79 cons: SEQUENCE
87:d=7 hl=2 l= 21 cons: SET
89:d=8 hl=2 l= 19 cons: SEQUENCE
91:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
103:d=9 hl=2 l= 5 prim: IA5STRING :local
110:d=7 hl=2 l= 23 cons: SET
112:d=8 hl=2 l= 21 cons: SEQUENCE
114:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
126:d=9 hl=2 l= 7 prim: IA5STRING :southey
135:d=7 hl=2 l= 29 cons: SET
137:d=8 hl=2 l= 27 cons: SEQUENCE
139:d=9 hl=2 l= 3 prim: OBJECT :commonName
144:d=9 hl=2 l= 20 prim: PRINTABLESTRING :southey-DBN-DC-01-CA
166:d=6 hl=2 l= 30 cons: SEQUENCE
168:d=7 hl=2 l= 13 prim: UTCTIME :130103123245Z
183:d=7 hl=2 l= 13 prim: UTCTIME :150103123245Z
198:d=6 hl=3 l= 163 cons: SEQUENCE
201:d=7 hl=2 l= 11 cons: SET
203:d=8 hl=2 l= 9 cons: SEQUENCE
205:d=9 hl=2 l= 3 prim: OBJECT :countryName
210:d=9 hl=2 l= 2 prim: PRINTABLESTRING :ZA
214:d=7 hl=2 l= 21 cons: SET
216:d=8 hl=2 l= 19 cons: SEQUENCE
218:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
223:d=9 hl=2 l= 12 prim: PRINTABLESTRING :KwazuluNatal
237:d=7 hl=2 l= 15 cons: SET
239:d=8 hl=2 l= 13 cons: SEQUENCE
241:d=9 hl=2 l= 3 prim: OBJECT :localityName
246:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Durban
254:d=7 hl=2 l= 25 cons: SET
256:d=8 hl=2 l= 23 cons: SEQUENCE
258:d=9 hl=2 l= 3 prim: OBJECT :organizationName
263:d=9 hl=2 l= 16 prim: PRINTABLESTRING :Southey Holdings
281:d=7 hl=2 l= 11 cons: SET
283:d=8 hl=2 l= 9 cons: SEQUENCE
285:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
290:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
294:d=7 hl=2 l= 27 cons: SET
296:d=8 hl=2 l= 25 cons: SEQUENCE
298:d=9 hl=2 l= 3 prim: OBJECT :commonName
303:d=9 hl=2 l= 18 prim: PRINTABLESTRING :DBN-DC-01-MSCEP-RA
323:d=7 hl=2 l= 39 cons: SET
325:d=8 hl=2 l= 37 cons: SEQUENCE

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, February 20, 2013 3:51 PM
To: openssl-users@openssl.org
Subject: RE: application/x-x509-ca-ra-cert (SCEP Enrollment)

> From: owner-openssl-us...@openssl.org On Behalf Of Matthew Hall
> Sent: Wednesday, 20 February, 2013 15:05

> Use the dumpasn1 utility on it, it's in almost every Linux distro, or
> from its website:
>
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
>
Or openssl asn1parse, likely available to anyone asking here
even on non-Linux; with -inform der if applicable which it is here
(easily determinable with any kind of octal or hex dump or
a good guess for anything that doesn't look like base64).

> Matthew.
>
> On Wed, Feb 20, 2013 at 07:54:00PM +0000, Santhosh Kokala wrote:
> > Hi All,
> > I am unable to identify the certificate format that I
> > received during SCEP enrollment. I am attaching a copy of the cert
> > chain that I received. Can someone please let me know how to convert
> > the above attached certificate to PEM format?
> >
> > Santhosh
>
And to answer the question, it's a trivial PKCS#7, sometimes used
to carry only (desired) certs and/or CRLs, and usually indicated
by extension .p7b or .p7c. But it's not a chain; it's *two*
end-entity certs, for different RSA keys, one for (particular?)
signing and one for (particular?) encryption; then one CA (root)
cert whose *name* matches the issuer of the children but SKI
(and actual key) doesn't match child AKI, and thus is not
the correct CA cert for these children.

"openssl pkcs7 -in $file -print_certs" displays the three certs
(each) in PEM, which you can cut apart with any reasonable editor.
The two child certs may or may not be useful; the CA cert
apparently won't.

Or less convenient you can use
  openssl asn1parse -in $file -inform der -strparse $offsetpercert -out $derfilepercert
to get each cert in DER in a file, and then use
  openssl x509 -in $certder -inform der -out $certpem
to convert each to PEM. With the same results.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
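
Added example (not part of the original thread, and not OpenSSL code): a standard-library Python walker that does what the asn1parse -strparse route described above does by hand, locating each certificate inside a DER certs-only PKCS#7 and emitting it as PEM. It also rejects PEM input up front, the mirror image of the "no start line" error in the first message, which is what a PEM reader reports when handed DER. All function names and the sample blob are constructed for illustration; the sample's "certificates" are filler bytes, laid out so the first one sits at offset 45 as in the dump.

```python
import base64
SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID pkcs7-signedData
PKCS7_DATA = bytes.fromhex("06092a864886f70d010701")   # OID pkcs7-data

def tlv(buf, off):
    """Decode the DER header at off; return (tag, content_start, content_end)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                      # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def children(buf, start, end):  # yields (tag, tlv_start, content_start, content_end)
    while start < end:
        tag, cs, ce = tlv(buf, start)
        yield tag, start, cs, ce
        start = ce

def split_certs(data):
    """Return [(offset, der)] per certificate in a DER PKCS#7 SignedData."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("PEM input; this walker expects DER")
    tag, cs, ce = tlv(data, 0)
    top = list(children(data, cs, ce))     # ContentInfo: OID, then [0] content
    if (tag != 0x30 or len(top) < 2 or top[1][0] != 0xA0
            or data[top[0][1]:top[0][3]] != SIGNED_DATA):
        raise ValueError("not a DER PKCS#7 SignedData")
    _, sd_start, sd_end = tlv(data, top[1][2])   # SignedData SEQUENCE
    for tag, _, cs, ce in children(data, sd_start, sd_end):
        if tag == 0xA0:                    # certificates [0]: one TLV per cert
            return [(s, data[s:e]) for _, s, _, e in children(data, cs, ce)]
    return []

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def enc(tag, body):                        # tiny DER encoder for the sample only
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body
# Constructed sample: three filler stand-ins for certificates (not real X.509).
FAKE = [enc(0x30, bytes([i]) * 200) for i in (1, 2, 3)]
SAMPLE = enc(0x30, SIGNED_DATA + enc(0xA0, enc(0x30,
    enc(0x02, b"\x01") + enc(0x31, b"") + enc(0x30, PKCS7_DATA)
    + enc(0xA0, b"".join(FAKE)) + enc(0x31, b""))))
```

The offsets split_certs returns are the values the -strparse option takes, one per certificate.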