ssl openssl ssl-certificate x509 pem

Converting a SSL Cert to a .pem format


Hi, I am a little new to all this OpenSSL and PEM stuff, so I thought I would ask you people here. I have a certificate in text (X509) format, like this for example:

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"
        Validity:
            Not Before: Fri Dec 18 00:00:00 2009
            Not After : Sun Dec 18 23:59:59 2011
        Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ
            ia,C=US"
        ............................................
        ............................................

How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.

Regards Hari


Solution

  • If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).

    You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of openssl x509 -text or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.

    Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.

    On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.

    In the general case, I'd say doing this successfully is unlikely.

    EDIT: Considering what you said, you seem to be using LibNSS's certutil:

    Try:

    certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM
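An added example, not part of the original answer: it shows that PEM is only base64 of the DER bytes, and why a text dump cannot be turned back into a verifiable certificate. The two toy structures below would both be displayed as CN=mail.google.com, yet the bytes a signature would cover differ. `toy_cert`, `signed_part` and the other helper names are hypothetical, and the structure is a constructed, simplified stand-in rather than a valid certificate.

```python
import base64
import hashlib

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element: tag, definite length, contents."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_to_pem(der: bytes) -> str:
    """PEM is base64(DER), wrapped at 64 columns, between two marker lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *body, END]) + "\n"

def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PEM certificate block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def signed_part(der: bytes) -> bytes:
    """Raw bytes of the first element inside the outer SEQUENCE.
    In an X.509 certificate this is tbsCertificate, the bytes the CA signed."""
    def span(buf: bytes, off: int) -> int:  # header + contents length at off
        first = buf[off + 1]
        if first < 0x80:
            return 2 + first
        k = first & 0x7F
        return 2 + k + int.from_bytes(buf[off + 2:off + 2 + k], "big")
    if der[0] != 0x30 or span(der, 0) != len(der):
        raise ValueError("expected one DER SEQUENCE")
    start = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return der[start:start + span(der, start)]

def toy_cert(string_tag: int) -> bytes:
    """Constructed stand-in (not a valid certificate):
    SEQUENCE { SEQUENCE { Name with one CN }, BIT STRING placeholder }."""
    cn_oid = bytes.fromhex("0603550403")  # OID 2.5.4.3 (commonName)
    cn = tlv(0x30, cn_oid + tlv(string_tag, b"mail.google.com"))
    tbs = tlv(0x30, tlv(0x30, tlv(0x31, cn)))
    return tlv(0x30, tbs + tlv(0x03, b"\x00" + b"\xAA" * 16))

PRINTABLE, UTF8 = 0x13, 0x0C  # PrintableString vs UTF8String: same displayed text
digests = {t: hashlib.sha256(signed_part(toy_cert(t))).hexdigest()
           for t in (PRINTABLE, UTF8)}
```

The DER to PEM direction is lossless and mechanical; the text dump drops details such as the string type, so the signed bytes cannot be recovered from it.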