
Is it possible to work with x509 certificates in a pkcs7 bundle file?

I need to sign all certificates in a bundle with extra x509 extensions. e.g. (if they were a single x509 crt file) openssl x509 -CA corp-ca.crt -CAkey corp-ca.key -randserial -sha256 -extensions sub_ca -extfile sub_ca.cfg -in sub-ca.crt -out with-extensions-ca.crt

The p7b file has dozens of certificates, but they are not chained. Just a bundle.

  • AFAIK the openssl x509 subcommand only supports PEM and DER formats and I think that means that you'll first need to extract the PKCS #7 bundle, do what needs to be done and recreate the bundle. Commented Jun 22, 2023 at 18:59
  • I'm not well versed on pkcs... but my bundle is in DER format, just bundled. i.e. -in file.p7b -inform DER Commented Jun 22, 2023 at 19:44
  • openssl x509 does not support p7b either input or output. Expanding on what @HBruijn says: openssl pkcs7 -in p7b -inform der -print_certs to extract the certs and a text tool like awk or perl to split them apart; process each; then concatenate and use the oxymoronic openssl crl2pkcs7 -nocrl -certfile x to convert back to p7b. Commented Jun 23, 2023 at 1:56
  • Correction: your not-really-correct answer reminded me you want p7b in DER, so make that openssl crl2pkcs7 -nocrl -certfile concatenated_pem_certs -outform der [-out p7bfile]. Commented Jun 26, 2023 at 4:58

1 Answer

Comments seem to agree there's no way. Best solution I've assembled from other sources is

```sh
# convert the DER p7b into a sequence of PEM certificates
# (per the comments, the -print_certs output is separate PEM certs, not a pkcs7 object)
openssl pkcs7 -inform DER -outform PEM -in FILE.der.p7b -print_certs > FILE.pem.p7b
# create a tmp dir with all the individual certs
mkdir tmp
cd tmp
# '{*}' repeats the split until the input is exhausted; '{N-1}' also works
# if you know the bundle holds exactly N certs (with a wrong count csplit
# fails and, without -k, deletes the pieces it already wrote)
csplit -z -n 4 ../FILE.pem.p7b '/END CERTIFICATE/+2' '{*}'
# now loop through all the files and execute the command
# and finally pack them back up
# TODO:
```
  • No the output of pkcs7 -print_certs is NOT 'still pkcs7'; it is instead a sequence of separate certificates, each in PEM (which you don't need to specify). I told you already how to convert such a sequence of certs back to pkcs7, except I forgot you want DER so add -outform der. Commented Jun 26, 2023 at 4:57
  • I see. I didn't see much difference from the actual p7b and the list I got :) just assumed the list was a p7b... I'm cleaning all this up and will update the answer after testing the whole code now Commented Jul 5, 2023 at 17:41
  • BTW, I'm not set on any format. I just need to get a list that happens to be in p7b, add an extension nameConstraints=critical,permitted;DNS... and then insert the trust chain into a browser. Commented Jul 5, 2023 at 17:43
  • p7b/c is a single ASN.1 object with structure PKCS7 SignedData that contains usually multiple certificates; in PEM it has one set of BEGIN/END lines, although in DER you don't see that. The PEM-sequence-of-certs is a sequence of one or more separate ASN.1 objects each with structure X.509/PKIX Certificate and separate BEGIN/END lines; it doesn't have a supported DER form. Commented Jul 6, 2023 at 6:26
  • @dave_thompson_085 thanks again. I'm having a hard time understanding this but getting there. Too many RFCs and the tools don't work too well with this format. Plus the terms are not helpful... what even is a "degenerate structure"? :) ...still trying to wrangle the PEM format to hold my new constraint... trying to add it only to the CRL if I got these last parts right. Commented Jul 7, 2023 at 15:03
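The complete pipeline the comments sketch (extract, split, re-sign each cert with the extra extensions, repack as DER p7b), as an added example that is not the answer's own code. It assumes openssl on PATH and the placeholder CA inputs named in the question: corp-ca.crt, corp-ca.key and sub_ca.cfg with a [sub_ca] section; the split is done in awk instead of csplit so it does not depend on a cert count.

```sh
#!/bin/sh
# Added example (not from the original answer): re-sign every certificate in
# a DER PKCS#7 bundle with extra extensions, then repack it as a DER p7b.
# Assumed inputs: corp-ca.crt, corp-ca.key, sub_ca.cfg with a [sub_ca] section.
set -eu

# Split the PEM sequence written by `openssl pkcs7 -print_certs` into one
# file per certificate ($1 = input sequence, $2 = output directory) and
# print how many were written. The subject=/issuer= lines are dropped.
split_pem_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%04d.pem", dir, n); inblock = 1
        }
        inblock { print > out }
        /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Re-sign one certificate ($1 -> $2) under the corporate CA, adding the
# extensions from sub_ca.cfg. -days is given explicitly because openssl
# x509 otherwise defaults to 30 days; 3650 is an assumed value.
resign_with_extensions() {
    openssl x509 -in "$1" -out "$2" -days 3650 -sha256 \
        -CA corp-ca.crt -CAkey corp-ca.key -CAcreateserial \
        -extfile sub_ca.cfg -extensions sub_ca
}

# Whole pipeline: DER p7b in ($1), DER p7b holding the re-signed certs out ($2).
resign_bundle() {
    work=$(mktemp -d)
    # -print_certs emits separate PEM certificates, not a PKCS#7 object
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$work/certs.pem"
    count=$(split_pem_certs "$work/certs.pem" "$work")
    echo "bundle holds $count certificate(s)" >&2
    for f in "$work"/cert-*.pem; do
        resign_with_extensions "$f" "$work/signed-${f##*/cert-}"
    done
    cat "$work"/signed-*.pem > "$work/all.pem"
    # crl2pkcs7 -nocrl wraps the concatenated certs back into a p7b
    openssl crl2pkcs7 -nocrl -certfile "$work/all.pem" -outform DER -out "$2"
    rm -rf "$work"
}

# Usage: sh resign_bundle.sh FILE.der.p7b with-extensions.der.p7b
if [ "$#" -eq 2 ]; then
    resign_bundle "$1" "$2"
fi
```

Check the result with openssl pkcs7 -inform DER -in with-extensions.der.p7b -print_certs -text before importing it anywhere; the nameConstraints extension should appear on every certificate.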
