
I have two certificates in base64 concatenated with bag attributes in a PEM file on Windows.

I'm trying to remove the bag attributes of the myChain-Bags.pem file from the CLI:

```
PS C:\temp> openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
PS C:\temp> openssl pkcs7 -in myChain-Bags.pem
unable to load PKCS7 object
BCA10000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
BCA10000:error:0688010A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:crypto\asn1\tasn_dec.c:752:
BCA10000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:685:Field=type, Type=PKCS7
BCA10000:error:0488000D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto\pem\pem_oth.c:33:
PS C:\temp>
```

How can I do that with the CLI?

  • What exactly does the 'base64 concatenated' input look like? Are they really two PKCS#7 objects? (How were they produced?) The message generally occurs when the input doesn't have the expected structure, in this case likely isn't a PKCS#7 structure. Commented Aug 19 at 10:44
  • @grawity No, it's two X.509 PEM certificates concatenated together along with their bag attributes. Commented Aug 19 at 12:01

1 Answer


> No, it's two X.509 PEM certificates concatenated together along with their bag attributes.

Then that's not a PKCS#7 object, it's still just two X.509 objects. Merely putting two certificates together doesn't make it PKCS#7 (it's a whole separate format), so when the openssl tool prints "wrong tag" it is correctly complaining that the structure it found inside the PEM object is not what it expects a PKCS#7 document to be.

But neither PEM nor X.509 even have the concept of "bag attributes" – that is a distinctly PKCS#12-specific thing. The objects likely had "bag attributes" when they were originally stored in a .pfx or .p12 file, but it sounds like they were then extracted into PEM format, and the openssl tool also extracted the PKCS#12 attributes as text.

But after the conversion, all of those attributes are no longer actual attributes – they are merely text which can be removed using something like awk. Everything outside the PEM BEGIN/END boundaries is "comment" text that is ignored when loading the PEM-formatted objects, so it is safe to remove manually.

```sh
awk '/-----BEGIN/ {ok=1} ok {print} /^-----END/ {ok=0}' < chain.pem
```

Probable PowerShell equivalent:

```powershell
# Read the whole file as one string so the regex can span lines;
# \r?\n keeps the match working on CRLF (Windows) as well as LF files.
Get-Content -Raw foo.crt `
  | Select-String '(?smi)^-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----' -AllMatches `
  | Select-Object -ExpandProperty Matches `
  | Select-Object -ExpandProperty Value
```
  • I'm on Windows here. Commented Aug 19 at 13:24
  • In that case, use Notepad? I'm sure the awk equivalent can be done using PowerShell but I don't have an example handy. (No, as far as I know there is no 'openssl' subcommand for that; openssl x509 will discard the extra text but will also discard the 2nd certificate.) Commented Aug 20 at 4:57
  • I need to do this from the CLI. I'll test your PowerShell command as soon as I arrive at the office (I neither have nor want micro$oft window$ at home :) ). Commented Aug 20 at 6:10
  • I wrote and tested this on Linux. Install WSL and run awk there if you like. Commented Aug 20 at 6:19
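The answer's point, that everything outside the BEGIN/END armour lines is ignorable text, can be turned into a small self-checking PowerShell script. This is an added example, not code from the answer above: it keeps every PEM block in the file (not only CERTIFICATE, so a PRIVATE KEY block from the same .pfx export survives too), copes with CRLF and LF line endings, and verifies that each certificate block still decodes by loading it through .NET, so no openssl is needed for the check. The input and output paths are assumptions.

```powershell
# Added example (not from the original answer): strip everything outside the
# PEM BEGIN/END boundaries on Windows, keep every block in order, and verify
# that each CERTIFICATE block still decodes. File names are assumptions.

param(
    [string]$InPath  = 'C:\temp\myChain-Bags.pem',
    [string]$OutPath = 'C:\temp\myChain-Clean.pem'
)

# One string, so the regex can span lines. \r?\n copes with CRLF and LF files.
$raw = Get-Content -Raw -LiteralPath $InPath

# Match any "-----BEGIN <label>-----" ... "-----END <label>-----" pair whose
# END label (\1) is the same as the BEGIN label. Bag attributes, "subject="
# lines and anything else outside the pair are simply not matched.
$pattern = '(?s)-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----'
$blocks  = [regex]::Matches($raw, $pattern)

if ($blocks.Count -eq 0) { throw "No PEM blocks found in $InPath" }

$clean = foreach ($m in $blocks) {
    $label = $m.Groups[1].Value
    $text  = $m.Value
    if ($label -eq 'CERTIFICATE') {
        # Base64 body between the armour lines, whitespace removed, then DER-decoded
        # into an X509Certificate2: if this throws, the block was not a real cert.
        $body = ($text -replace '-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----', '') -replace '\s', ''
        $der  = [Convert]::FromBase64String($body)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        Write-Host ("OK  {0}  {1}" -f $cert.Thumbprint, $cert.Subject)
    } else {
        Write-Host "Kept non-certificate block: $label"
    }
    $text   # emitted into $clean
}

# Write LF-terminated blocks without a BOM (Out-File in Windows PowerShell 5.1
# would otherwise add one, which some PEM readers reject).
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::WriteAllText($OutPath, (($clean -replace '\r\n', "`n") -join "`n") + "`n", $utf8NoBom)
Write-Host "Wrote $($blocks.Count) block(s) to $OutPath"
```

Run it as `.\Strip-BagAttributes.ps1 -InPath .\myChain-Bags.pem -OutPath .\myChain-Clean.pem` (script name is an assumption). The .NET load is the check that matters: a chain that was mangled by a bad copy/paste or a stray character inside the base64 fails there instead of failing later in whatever consumes the file. To confirm the result with openssl instead, `openssl crl2pkcs7 -nocrl -certfile myChain-Clean.pem | openssl pkcs7 -print_certs -noout` prints the subject and issuer of every certificate it finds, which should be both of them.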
