I have a certificate chain in .pem format from Letsencrypt, called fullchain.pem

It has 2 certificates in the chain:

keytool -printcert -v -file fullchain.pem | grep "Certificate fingerprints" | wc -l
2

When I convert it to .der using

openssl x509 -in fullchain.pem -out cert.der -outform DER 

it only exports the last one

keytool -printcert -v -file cert.der | grep "Certificate fingerprints" | wc -l
1

Is this a bug in openssl? Am I missing a param?

1 Answer

You cannot have DER encoded chains by concatenating them the way you can with PEM format.

A chain in a binary format would be in PKCS#7 format. To convert a PEM chain to PKCS#7, use:

openssl crl2pkcs7 -nocrl -certfile fullchain.pem -out fullchain.p7b 

Then, to see the contents:

openssl pkcs7 -in fullchain.p7b -print_certs -noout 

Add -text to see all the certificate details.

If the input PEM file also contained a private key a better format would be PKCS#12 as this format can be secured with a passphrase.

  • Great! This also solves it. Commented Sep 1, 2017 at 5:21
  • Btw, they say it is actually possible to concatenate .der certificates to import them later, see this Java snippet gist.github.com/spicydog/84fa0e74d8524fba1fbb Commented Sep 1, 2017 at 5:43
  • @ArticIceJuice - I think you may well be correct :-) generateCertificates accepts a stream of DER encoded certs. As I can't find a standard that defines certificate chains, this may well be implementation specific. Commented Sep 1, 2017 at 10:04
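As an added illustration of the point made in the answer and the comments (this is not code from the question, the answer, or OpenSSL): PEM is base64-wrapped DER, so a PEM chain is trivially splittable by its BEGIN/END markers, while a "DER chain" made by concatenating raw certificates has no delimiters and can only be read back by a length-aware ASN.1 parser, which is what Java's generateCertificates does. The two small SEQUENCE blobs are constructed stand-ins, not real certificates.

```python
import base64
import re

# Constructed sample: tiny DER SEQUENCEs standing in for certificates.
# Real certificates are large SEQUENCEs, but the PEM/DER framing is identical.
CONSTRUCTED_DERS = [
    bytes.fromhex("3003020105"),        # SEQUENCE { INTEGER 5 }
    bytes.fromhex("3006020101020102"),  # SEQUENCE { INTEGER 1, INTEGER 2 }
]

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap one DER blob in PEM armour (base64, 64-column lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_chain_to_ders(pem_text: str) -> list[bytes]:
    """Every CERTIFICATE block in a PEM file, each decoded to its DER bytes.
    `openssl x509 -outform DER` only writes one of these, hence the count of 1."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(pem_text)]


def split_der_sequence_stream(data: bytes) -> list[bytes]:
    """Split back-to-back DER SEQUENCEs by reading each element's ASN.1
    tag/length header (short and long-form lengths). Raises on anything
    that is not a well-framed SEQUENCE, so a truncated file is rejected
    rather than silently yielding a partial chain."""
    out, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x30:
            raise ValueError(f"expected SEQUENCE tag at offset {pos}")
        first = data[pos + 1]
        if first < 0x80:                      # short form: length in one byte
            length, hdr = first, 2
        else:                                 # long form: next n bytes hold length
            n = first & 0x7F
            length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
            hdr = 2 + n
        end = pos + hdr + length
        if end > len(data):
            raise ValueError("truncated DER element")
        out.append(data[pos:end])
        pos = end
    return out
```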
