 

how to extract issuer certificate from other certificate

Tags:

openssl

I have a certificate in X.509 format. Using openssl I want to extract the issuer's certificate into a file, also in X.509 format (so that I can whitelist the issuer in my web service).

How do I do this? The following command did not work, it only printed the issuer information in text form.

openssl x509 -in cert.x509 -issuer -out issuer.x509

wberry asked Nov 20 '13 16:11




2 Answers

  1. openssl x509 -in cert.x509 -text
     Find the URL of the signing certificate.
  2. curl (url) >signer.der
     Download the signing certificate to a file (DER format in my case).
  3. openssl x509 -inform der -in signer.der -out signer.pem
     Convert signing certificate to PEM (X.509) format.
  4. openssl x509 -in signer.pem -text
     Confirm your results. Repeat procedure as necessary all the way up the certificate chain.
wberry answered Sep 24 '22 18:09


The acceptable answer is correct, but I can elaborate further.

Certificates typically have an AIA field that provides a URL where the Issuer certificate can be downloaded and by the standards that CAs must follow, they are also typically in DER format.

For the 1. above where you "Find the URL of the signing certificate", you could run:

issuer_url=$(openssl x509 -noout -text -in "$filename" | grep "Authority Information Access" -A 3 | grep "CA Issuers" | head -1 | sed 's/CA Issuers - URI://g' | sed 's/ //g')

This command basically runs openssl on a certificate and snips out the CA Issuer - URI: link in the certificate (assuming there is one) and places it into the issuer_url variable. You can replace $filename with the /path/to/your/pem/certificate. If your certificate is in DER format, you'll need to include -inform DER in the first openssl command.

Once you've done that, you can use wget to fetch it: wget $issuer_url -O outputfile.crt

This will fetch the issuer file. This file is typically in DER format, so from here you can serve the file or convert it to PEM:

openssl x509 -inform DER -in outputfile.crt -out pem_outputfile.crt

Eddi answered Sep 22 '22 18:09
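
An added example, not from either answer: shell functions that extract the CA Issuers URL as the answers describe, then check that a candidate issuer certificate really signed the certificate before it is whitelisted (a matching subject name alone is not proof). The file names, the "Demo CA" subject and the ca.example.test URL are constructed sample data, and OpenSSL 1.1.0 or later is assumed.

```sh
#!/bin/sh
# Added example (not from the original answers).

# aia_issuer_url CERT.pem: print the first AIA "CA Issuers" URI, if any.
aia_issuer_url() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/^ *CA Issuers - URI://p' | head -n 1
}

# issued_by CERT.pem CANDIDATE.pem: succeed only if CANDIDATE signed CERT.
# -trusted makes CANDIDATE the sole trust anchor (the system store is not
# consulted); -partial_chain allows that anchor to be an intermediate CA.
issued_by() {
    openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed sample data so the example runs offline.
# Writes ca.pem, other-ca.pem (same subject name, different key) and
# leaf.pem (signed by ca.pem, with a made-up AIA URL) into DIR.
make_demo_pki() {
    d=$1
    cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = req
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf]
authorityInfoAccess = caIssuers;URI:http://ca.example.test/demo-ca.der
EOF
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cfg" \
            -extensions v3_ca -subj "/CN=Demo CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" \
        -subj "/CN=leaf.example.test" -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -extfile "$d/cfg" -extensions leaf \
        -out "$d/leaf.pem" 2>/dev/null
}
```

In real use, convert the downloaded DER file to PEM as shown in the answers, then run issued_by on it and repeat for each level of the chain.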