6

I have a cetificate chain in .pem format from Letsencrypt, called fullchain.pem

It has 2 certificates in the chain:

keytool -printcert -v -file fullchain.pem |grep "Certificate fingerprints" |wc -l
2

When I convert it to .der using

openssl x509 -in fullchain.pem -out cert.der -outform DER

it only exports the last one

keytool -printcert -v -file cert.der |grep "Certificate fingerprints" |wc -l
1

is this a bug in openssl? Am I missing a param?

ArticIceJuice
  • 83
  • 1
  • 1
  • 4
  • 1
    openssl x509 processes only the first cert in the input file and ignores any additional ones. You need to split 'fullchain' up and process each cert separately. See https://serverfault.com/questions/391396/how-to-split-a-pem-file and https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle – dave_thompson_085 Aug 31 '17 at 19:33
  • Thanks, it clarified the issue. I wonder why openssl doesn't emit any warnings about this. – ArticIceJuice Sep 01 '17 at 05:13

1 Answers1

7

You cannot have DER encoded chains by concatenating them the way you can with PEM format.

A chain in a binary format would be in PKCS#7 format. To convert a PEM chain to PKCS#7, use:

openssl crl2pkcs7 -nocrl -certfile fullchain.pem -out fullchain.p7b

Then, to see the contents:

openssl pkcs7 -in fullchain.p7b -print_certs -noout

Add -text to see all the certificate details.

If the input PEM file also contained a private key a better format would be PKCS#12 as this format can be secured with a passphrase.

garethTheRed
  • 4,779