
How can I split a CA certificate bundle into separate files?

Tags: linux, ssl, openssl

I'm working with OpenSSL and need a sane default list of CAs. I'm using Mozilla's list of trusted CAs, as bundled by cURL. However, I need to split this bundle of CA certs, because the OpenSSL documentation says:

If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available.

For example, using the ca-bundle.crt file directly works fine:

openssl-1.0.1g> ./apps/openssl s_client -connect www.google.com:443 -CAfile /home/user/certs/ca-bundle.crt
...
    Verify return code: 0 (ok)
---
DONE

But specifying the directory containing the ca-bundle.crt file does not work:

openssl-1.0.1g> ./apps/openssl s_client -connect www.google.com:443 -CApath /opt/aspera/certs
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE

I presume this is because my folder doesn't adhere to what the documentation asks for (namely, a directory containing CA certs in PEM format, with each file containing one cert, named by hash value). My directory just has the single bundle of certs.

How can I split my bundle of certs to adhere to OpenSSL's request that each cert be in an individual file? Bonus points if the hashing can be done too (though if needed I could write a script to do that myself if all the certs are in individual files).

Cornstalks asked May 14 '14 02:05




2 Answers

You can split the bundle with awk, like this, in an appropriate directory:

awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-bundle.pem 

Then, create the links OpenSSL wants by running the c_rehash utility that comes with OpenSSL:

c_rehash .

Note: use 'gawk' on non-Linux platforms, as the above relies on a GNU-specific feature.

Mrten answered Sep 20 '22 14:09


Just to give an alternative; facing the same issue I ended up with csplit:

csplit -k -f bar foo.pem '/END CERTIFICATE/+1' {10}

hxme answered Sep 20 '22 14:09
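The split plus the hash-named links the question asks for as a bonus, written as an added example rather than code from either answer. It uses only POSIX awk for the split (assigning the output path to a variable first is what the gawk-only form in the awk answer skips), and it assumes openssl(1) is in PATH for the subject-hash step that c_rehash would otherwise do; file names and the bundle path are placeholders.

```shell
#!/bin/sh
# Added example: split a PEM CA bundle into one-certificate files, then create
# the <subject_hash>.<n> symlinks that OpenSSL's -CApath lookup needs.
# Assumptions: POSIX sh and awk; openssl(1) in PATH for hash_dir.

# split_bundle BUNDLE OUTDIR: writes OUTDIR/cert.1.pem, cert.2.pem, ... and
# prints how many certificates were written. Text outside the BEGIN/END
# markers (the comment headers the cURL bundle carries) is dropped.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem"; inside = 1 }
        inside                        { print > out }
        # close each file so a large bundle does not exhaust open descriptors
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"
    ls "$outdir"/cert.*.pem 2>/dev/null | wc -l | tr -d ' '
}

# hash_dir DIR: for every cert.N.pem in DIR, add a symlink named after the
# certificate subject hash. The numeric suffix starts at 0 and is bumped when
# two subjects hash to the same value, which is how c_rehash names them too.
hash_dir() {
    dir=$1
    for f in "$dir"/cert.*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash) || { echo "skipping unparsable certificate: $f" >&2; continue; }
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$i"
    done
}

# Usage: sh split-ca.sh ca-bundle.crt /path/to/certs   (placeholder paths)
# Afterwards: openssl s_client -connect host:443 -CApath /path/to/certs
if [ "$#" -eq 2 ]; then
    n=$(split_bundle "$1" "$2")
    echo "wrote $n certificates to $2"
    hash_dir "$2"
fi
```

The link names are the new-style (SHA-1) subject hash that OpenSSL 1.0.0 and later look up; a 0.9.8 client would need -subject_hash_old instead.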