1

Hi, I am a little new to all this OpenSSL and PEM stuff, so I thought I would ask you people here. I have a certificate in text (X509) format like this, for example:

```
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"
    Validity:
        Not Before: Fri Dec 18 00:00:00 2009
        Not After : Sun Dec 18 23:59:59 2011
    Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ
        ia,C=US"
    ............................................
    ............................................
```

How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.

Regards Hari

Hari
  • Possible duplicate: [http://stackoverflow.com/questions/991758/openssl-pem-key](http://stackoverflow.com/questions/991758/openssl-pem-key) – Jürgen Thelen May 26 '11 at 20:02
  • It doesn't look like a duplicate of this question. It looks more like the certificate is provided in text form of some sort. – Bruno May 26 '11 at 20:18
  • Just to clarify, this is not a duplicate of the other question, as in this case I don't have a CRT/DER file and the only information that I have is the certificate stored as a text file. Thanks for taking the effort to help. – Hari May 26 '11 at 20:22
  • You might find this blog interesting: http://opentox.ntua.gr/index.php/blog/77-ssl-certificates – Pantelis Sopasakis May 26 '11 at 20:53
  • @Hari, if you had said that you were using `certutil` initially, it would have been easier to provide you with a better answer sooner. – Bruno May 26 '11 at 21:02
  • @Pantelis Sopasakis - Thanks, that was indeed useful, although I am using a C library to do the same for me – Hari May 26 '11 at 21:05
  • @Bruno, @Hari: yes, having a 2nd look I realized it actually is not a duplicate. Sorry for that. – Jürgen Thelen May 27 '11 at 07:39

2 Answers

6

If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).

You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of `openssl x509 -text` or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.

Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.

On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.

In the general case, I'd say doing this successfully is unlikely.

EDIT: Considering what you said, you seem to be using LibNSS's certutil:

Try:

```
certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM
```
Bruno
  • Ahh... Thank you very much. That seemed to do the trick. However, verification seems to fail when I try it with the new pem. I guess that is a different question then. Do I need to create a separate question, or do you think I can edit this one itself? Anyway, thanks a lot – Hari May 26 '11 at 21:03
  • I'd say it's probably a different question. Try to say which tools you're trying to use. Both `certutil` and `openssl` should be capable of performing some form of verification. – Bruno May 26 '11 at 21:05
  • Maybe you can help me with this question http://stackoverflow.com/questions/19013529/converting-a-x-509-cert-to-a-pem-format Thanks – John Smith Sep 25 '13 at 19:27
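
The two facts this answer relies on (PEM is only base64-wrapped DER, and the signature covers the exact DER bytes of the to-be-signed part) shown as an added Python example that is not part of the original thread. `toy_cert` is a constructed stand-in with a certificate-like layout, not a real X.509 certificate, and all helper names are hypothetical.

```python
import base64
import hashlib

def tlv(tag, body):
    # Encode one DER TLV; lengths >= 128 use the long form.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    # Return (tag, body, end_offset) for the TLV starting at pos.
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def der_to_pem(der):
    # PEM = base64 of the DER bytes, 64 characters per line, plus markers.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

def pem_to_der(pem):
    body = [l.strip() for l in pem.splitlines()
            if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def tbs_bytes(cert_der):
    # First element of the outer SEQUENCE, header included: the signed bytes.
    _, body, _ = read_tlv(cert_der)
    _, _, end = read_tlv(body)
    return body[:end]

def tbs_digest(cert_der):
    return hashlib.sha256(tbs_bytes(cert_der)).hexdigest()

# Constructed sample data: two "extensions" a text dump would list identically.
EXT_A, EXT_B = tlv(0x04, b"keyUsage"), tlv(0x04, b"basicConstraints")

def toy_cert(exts):
    # Layout: SEQUENCE { tbs SEQUENCE, algorithm SEQUENCE, signature BIT STRING }
    tbs = tlv(0x30, tlv(0x02, b"\x1f") + b"".join(exts))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00" + b"\x5a" * 128))

if __name__ == "__main__":
    for order in ((EXT_A, EXT_B), (EXT_B, EXT_A)):
        print(tbs_digest(toy_cert(order)))  # same fields, different digest
    print(der_to_pem(toy_cert((EXT_A, EXT_B))), end="")
```

The DER to PEM round trip is lossless, while the same fields in a different order hash differently, which is why a signature check fails on a certificate rebuilt from its text dump unless every byte matches.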
3

I am not sure what you are presenting in your post.
This seems to be the visualization of an existing certificate.
Are you viewing it via Windows? I.e. opening a .der or .cer file?
If this is the case, you can go to the Details tab, press Copy to File and save it as PEM.
If you need to save it in that format, that is.

Cratylus
  • Thanks for the reply. Unfortunately though, I am not doing any of that. I am getting this from a text file which gets it from a remote cert8.db file (I think by doing something like certutil -L -n...). However, I don't have any crt or der file and the only information that I have is this certificate in text format. Also, to clarify, I am not viewing it via Windows; it is stored in a text file on a Linux machine. Thanks yet again – Hari May 26 '11 at 20:21
  • What you are seeing is the certificate information as logged by the application. What you need is to extract the certificate from the cert8.db. Do you have access to it? – Cratylus May 26 '11 at 20:25
  • I do have access to the cert8.db. However, I do not have the key3.db file (it seems to have been obscured by the application). So I am unable to do anything with it. Like I said, I am very new to this and I am stuck and not able to do this. – Hari May 26 '11 at 20:27
  • If you cannot open the certificate storage, perhaps there is another way to get the actual certificate. Is the certificate deployed by the application? E.g. is this the certificate of a web site? If yes, just log in to the site via https and copy the certificate from the browser – Cratylus May 26 '11 at 20:32
  • Well I do have the cert8.db. But again I don't know how to get all the certs into a PEM format. Maybe you can help me with something on this? Thanks yet again – Hari May 26 '11 at 20:35
  • To add to that I want this to be generic, since my application needs to verify the certificate of any URL the user may type in. This makes manually going to the website and doing it impossible – Hari May 26 '11 at 20:37
  • @Hari, being able to verify the certificate of any server is a different question. You'd need to provide more details regarding what you can use for that application. OpenSSL's `s_client` should help you with that, though. – Bruno May 26 '11 at 20:54
  • @Bruno...Sure I will do that to provide a more detailed explanation of what I am trying to do and where I am struggling. Thanks a lot – Hari May 26 '11 at 21:04
  • @Bruno, I have posted my question in detail here. I would be glad if you can take a look at it and let me know [link] http://stackoverflow.com/questions/6156553/ssl-certificate-verification-programatically – Hari May 27 '11 at 18:57
  • Maybe you can help me with this question http://stackoverflow.com/questions/19013529/converting-a-x-509-cert-to-a-pem-format – John Smith Sep 25 '13 at 19:27