
I have a chain of certificates (X509Certificate []), but I have only one certificate in the chain. I need to get the complete chain.

I have tried the openssl command, but that is not useful here. Can someone please tell me how to:

  1. Convert this X509Certificate to PEM or ASN.1/DER that I can save in my file storage?

  2. Get the complete chain using this certificate?

Edit: So, code-wise what I'm trying to achieve is something like:

import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import org.apache.commons.codec.binary.Base64;

protected static String convertToPem(X509Certificate cert) throws CertificateEncodingException {
         // Line-wrapping encoder: 64-character lines separated by "\n", as PEM expects
         Base64 encoder = new Base64(64, "\n".getBytes());
         String cert_begin = "-----BEGIN CERTIFICATE-----\n";
         String end_cert = "-----END CERTIFICATE-----";

         byte[] derCert = cert.getEncoded();
         // Use the configured instance rather than the static Base64.encodeBase64(),
         // which ignores the line length and produces one unbroken line with no
         // trailing newline (so the END marker gets glued onto the Base64 text).
         // The instance encoder terminates the last line with the separator.
         String pemCertPre = encoder.encodeToString(derCert);
         String pemCert = cert_begin + pemCertPre + end_cert;
         return pemCert;
}

But, this is not working. Basically, I'm looking for a method that takes a X509Certificate object and then converts it to a .pem etc, that is saved on the device.

Faux Pas
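As an added, complete example of what the question asks for (my own code, not from the question or the answer), this exports an X509Certificate to both a PEM file and a DER file and reads each back to confirm the bytes survived. It uses only the standard library: java.util.Base64's MIME encoder for 64-character line wrapping (Java 8+) and java.nio.file, which on Android needs API level 26 or a File-based replacement. The input certificate is taken from the platform's default trust store so the program runs offline; the class name, file names and temporary directory are arbitrary choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertExport {

    /** PEM = the DER bytes, Base64 in 64-character lines, wrapped in CERTIFICATE markers. */
    public static String toPem(X509Certificate cert) throws CertificateEncodingException {
        byte[] der = cert.getEncoded();
        // The MIME encoder wraps lines but adds no separator after the last line,
        // so the newline before the END marker is added explicitly.
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(der);
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    /** DER (.cer/.der) is getEncoded() written verbatim; there is no text wrapper to add. */
    public static void writeDer(X509Certificate cert, Path out)
            throws IOException, CertificateEncodingException {
        Files.write(out, cert.getEncoded());
    }

    public static void writePem(X509Certificate cert, Path out)
            throws IOException, CertificateEncodingException {
        Files.write(out, toPem(cert).getBytes(StandardCharsets.US_ASCII));
    }

    /** CertificateFactory accepts both encodings, so one reader covers .pem and .cer files. */
    public static X509Certificate read(Path in) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream is = Files.newInputStream(in)) {
            return (X509Certificate) cf.generateCertificate(is);
        }
    }

    /** Trust anchors from the platform default store (JDK cacerts, Android system CAs). */
    static X509Certificate[] systemTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null KeyStore selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the first trust anchor, so this runs offline on any JDK.
        X509Certificate cert = systemTrustAnchors()[0];
        Path dir = Files.createTempDirectory("certexport");
        Path pem = dir.resolve("cert.pem");
        Path der = dir.resolve("cert.cer");
        writePem(cert, pem);
        writeDer(cert, der);

        // Round trip: both files must parse and re-encode to the identical DER bytes.
        for (Path p : new Path[] { pem, der }) {
            X509Certificate back = read(p);
            if (!Arrays.equals(back.getEncoded(), cert.getEncoded())) {
                throw new IllegalStateException("round trip mismatch for " + p);
            }
        }
        System.out.println("Exported " + cert.getSubjectX500Principal() + " to " + dir);
    }
}
```

The round-trip check at the end is the test the question is missing: if a file you wrote does not parse with CertificateFactory, it is not a valid certificate file, whatever its extension. A .cer file that is just the raw getEncoded() bytes installs fine; the usual failure is writing the Java object itself (serialisation) or a Base64 string without the markers and line breaks.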

1 Answer

Convert this X509Certificate object to .cer/ .per/ .der that I can save in my file storage?

See, for example, the answer at OpenSSL's rsautl cannot load public key created with PEM_write_RSAPublicKey. It tells you how to convert keys to/from PEM and ASN.1/DER format, and includes a treatment of Traditional Format (a.k.a. SubjectPublicKeyInfo).

If you are not doing it programmatically, then you should search for the answer. There are plenty of off-topic questions on how to use the openssl command to convert between ASN.1/DER and PEM. Or ask on Super User, where they specialize in commands and their use.

Get the complete chain using this certificate?

This is a well known problem in PKI called the Which Directory problem. The solution is to have the server or service provide the missing intermediate CA certificates. If you can't validate a web server or service's identity because you are missing intermediate CA certificates, then the server is misconfigured.

Once you have the intermediate CA certificates, you still have to root trust somewhere. You can use the self-signed CA, or one of the intermediates signed by the self-signed CA.

This answer is helpful in troubleshooting a misconfigured server using OpenSSL's s_client: SSL site and browser warning.


Related: if there was a global directory of certificates like the ITU envisioned in X.500, then you would not have the second problem. A relying party or user agent would just fetch the certificate it needed from the directory.

But we lack a central directory, so relying parties and user agents often use the CA Zoo (a.k.a., the local Trust Store or cacerts.pem). This has its own set of problems, like the wrong CA certifying a site or service.

One of the off-shoots is the CA Cartel, where browsers are in partnership with the CAs at the CA/Browser Forum. Browsers have requirements for inclusion, but they often can't punish a misbehaving CA like Trustwave.

And the browsers have managed to box themselves into a position where the Internet of Things (IoT) will not work because of the browser's reliance/requirements on server certificates signed by a CA.

jww
  • I'm sorry, but I still don't seem to follow. I am talking about converting the X509Certificate JAVA object to a cer file programmatically. I just want to store it as a .cer file on my Android device's SD card so that I can then run some openssl commands on it and, as you mentioned, try to get the cert chain. Are there any such standard utilities in Java? – Faux Pas Jul 09 '15 at 18:41
  • So what is happening if you write the X509Certificate object using FileInputStream to the SD card? What is the problem? – Saqib Rezwan Jul 10 '15 at 05:33
  • You mean just write it as a .cer? It's not a valid certificate then. We can't install it. – Faux Pas Jul 10 '15 at 18:50
  • @Faux Pas - The question is tagged with OpenSSL. For the first question (Convert `X509Certificate` to DER), I provided the links to the OpenSSL ways to do it. Do you not intend to use OpenSSL? If not, then you should remove the tag. The second question (Certificate Paths) is a general question, and not an OpenSSL specific question. – jww Jul 11 '15 at 00:22
  • 1
    @jww My bad, I should have tagged Java here, I tagged OpenSSL as I had tried the openssl s_client -connect command to get the cert chain but that is not of use to me right now. – Faux Pas Jul 14 '15 at 16:18
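As an added example (my own code, not part of the answer above), this is what the answer's advice looks like in plain Java once you do have the intermediates: walk issuer links from the leaf through a pool of candidate certificates, accept a candidate only if its public key actually verifies the signature (an issuer name match alone is spoofable), and stop when the chain reaches a certificate in the platform trust store, which is where the answer says trust has to be rooted. The candidate pool is assumed to come from a PEM bundle named on the command line (leaf first, then whatever intermediates the server sent); with no argument the program uses a trust anchor as the leaf, which gives the trivial one-certificate chain but still runs offline. Class and method names are my own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainCompleter {

    /** Trust anchors from the platform default store (JDK cacerts, Android system CAs). */
    static List<X509Certificate> trustAnchors() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null KeyStore selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers());
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /**
     * Returns the chain leaf-first, ending in a trust anchor. Each link is checked by
     * signature, not just by name, and each certificate must be within its validity period.
     * Candidates from the pool must be CA certificates (BasicConstraints CA=TRUE); anchors
     * are exempt because some old roots predate the extension.
     */
    static List<X509Certificate> completeChain(X509Certificate leaf,
                                               Collection<X509Certificate> pool,
                                               Collection<X509Certificate> anchors)
            throws GeneralSecurityException {
        List<X509Certificate> candidates = new ArrayList<>(pool);
        candidates.addAll(anchors);
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        for (int hops = 0; hops < 10; hops++) {   // bound guards against loops (cross-signed CAs)
            current.checkValidity();
            chain.add(current);
            if (anchors.contains(current)) {      // Certificate.equals compares encoded forms
                return chain;                     // rooted in the trust store: done
            }
            if (isSelfSigned(current)) {
                throw new CertificateException("self-signed but not a trust anchor: "
                    + current.getSubjectX500Principal());
            }
            X509Certificate issuer = null;
            for (X509Certificate cand : candidates) {
                if (!cand.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                if (cand.getBasicConstraints() < 0 && !anchors.contains(cand)) continue; // not a CA
                try {
                    current.verify(cand.getPublicKey());   // the name matched; does the key?
                    issuer = cand;
                    break;
                } catch (GeneralSecurityException e) {
                    // same name, wrong key (e.g. an old key of a re-keyed CA): try the next one
                }
            }
            if (issuer == null) {
                throw new CertificateException("no issuer found for "
                    + current.getSubjectX500Principal()
                    + "; the server must send the missing intermediate CA certificate");
            }
            current = issuer;
        }
        throw new CertificateException("chain longer than 10 certificates");
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> anchors = trustAnchors();
        List<X509Certificate> pool = new ArrayList<>();
        X509Certificate leaf;
        if (args.length > 0) {
            // PEM bundle: leaf first, then any intermediates the server presented
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                for (Certificate c : cf.generateCertificates(in)) pool.add((X509Certificate) c);
            }
            leaf = pool.get(0);
        } else {
            // Offline fallback: a trust anchor as leaf yields the one-certificate chain
            leaf = anchors.get(0);
        }
        List<X509Certificate> chain = completeChain(leaf, pool, anchors);
        for (int i = 0; i < chain.size(); i++) {
            System.out.println(i + ": " + chain.get(i).getSubjectX500Principal());
        }
    }
}
```

This walk is deliberately minimal so the mechanics are visible: it checks signatures, validity periods and CA-ness, but not key usage, name constraints, policies or revocation. For production use the standard library's CertPathBuilder.getInstance("PKIX") with PKIXBuilderParameters and a Collection-type CertStore holding the intermediates performs the same search with the full PKIX checks, and the error it raises when the pool lacks an intermediate is the same diagnosis as above: the server is misconfigured and must send it.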