Can I combine multiple certs into one without the private key?

I need to have up-to-date cert trust stores in many devices, so I would like to be able to combine them into one cert so that I can then just push that one file. I only want to bundle the public keys of the many CAs, but I do not want to add the private file, because I want a cert that I push to all of my devices. I was thinking that this feature was called a chain, but openssl will not take the command without a private file. Can this be done? I have tried several different things and I have looked at many threads here, but I don't know what I am doing.

Edit

The command that I was trying to use was:

openssl -export -pkcs12 -out output.pem -cafile intermediate.pem

Edit

I tried "openssl crl2pkcs7 -certfile bundle.pem -out p7.pem" but it produced an error:

openssl crl2pkcs7 -certfile bundle.pem -out p7.pem
unable to load CRL
9460:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: X509 CRL

I also tried:

openssl pkcs7 -in bundle.pem -out p7.pem
unable to load PKCS7 object
3676:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1201:
3676:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:.\crypto\asn1\tasn_dec.c:765:
3676:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:697:Field=type, Type=PKCS7
3676:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_oth.c:83:
Adermin answered 16/3, 2016 at 17:51 Comment(0)

If you already have the certificates, you could simply concatenate them:

cat cert1.pem cert2.pem > bundle.pem

However, it really depends on the format which each trust store expects. So, for instance, the Public Key Cryptography Standards describe several standards which could be used to distribute certificates, keys etc. One of them is PKCS#7, which is often used to bundle a set of certificates without the private key. You probably need to look at how each device implements the trust store, because they may all expect different formats.

Farmelo answered 16/3, 2016 at 18:21 Comment(6)
I tried to concatenate them, but it failed to load all of them. I tried to import just a few and it would only take certs that were signed by the next level. What I mean is we have many CAs that are signed by one of two roots. So if 10, 11, 12 and 13 are signed by 1, and 20, 21, 22 and 23 are signed by 2, then I tried to put in 10, 11, 12 and then 1. It would only take 10 and 1. Those are not my numbers, but I thought that this would make the discussion easier. – Adermin
I would like to have all numbers in the same file. – Adermin
You mentioned openssl will not take the command. Can you list the command which you tried? That would give some idea of what you are trying to achieve. – Farmelo
Will openssl create one of these PKCS#7 containers? And what is the command to do so? Can you provide an example? – Adermin
openssl crl2pkcs7 -certfile bundle.pem -out p7.pem – Farmelo
Sorry, that should have been openssl crl2pkcs7 -nocrl -certfile bundle.pem -out p7.pem – Farmelo
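The procedure from the answer and its comments, worked end to end as an added example (this is not code from the question or the answer). It builds a PEM bundle that contains only CERTIFICATE blocks, so a private key can never ride along into the file that gets pushed to devices, then wraps the same set as a certs-only PKCS#7 with crl2pkcs7 -nocrl (the missing -nocrl is why the "Expecting: X509 CRL" error appeared, and openssl pkcs7 -in fails on a plain PEM bundle because that subcommand expects a PKCS#7 object as input). The root and intermediate CA it uses are constructed on the fly purely to make the script self-contained; it assumes the openssl CLI is on PATH and that $TMPDIR (or /tmp) is writable.

```shell
#!/bin/sh
# Added example: build a trust-store bundle of CA certificates only
# (no private keys) and wrap it as PKCS#7 for stores that want that format.
# Assumes the openssl CLI is on PATH and $TMPDIR (or /tmp) is writable.
set -eu

WORK="${TMPDIR:-/tmp}/cabundle.$$"

# Constructed two-level CA (root signs intermediate) so the script is
# self-contained; real deployments start from the CA certs you already hold.
make_test_cas() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/int.pem" 2>/dev/null
}

# Concatenate certificates into one PEM bundle. Passing each file through
# `openssl x509` re-emits only the (first) CERTIFICATE block in it, so a
# private key or text dump sitting in an input file never reaches the bundle.
build_bundle() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -in "$f" >> "$out"
    done
}

count_certs()      { grep -c 'BEGIN CERTIFICATE' "$1"; }
has_private_key()  { grep -q 'PRIVATE KEY' "$1"; }

# Certs-only PKCS#7: crl2pkcs7 needs -nocrl because the input holds no CRL.
to_pkcs7()         { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
# -print_certs -noout lists one "subject=" line per certificate in the container.
pkcs7_cert_count() { openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'; }

# The bundle works as a trust store if a cert issued by one of its members
# verifies against it.
verify_chain()     { openssl verify -CAfile "$1" "$2" >/dev/null; }

main() {
    make_test_cas
    build_bundle "$WORK/bundle.pem" "$WORK/int.pem" "$WORK/root.pem"
    to_pkcs7 "$WORK/bundle.pem" "$WORK/bundle.p7b"
    echo "certs in bundle.pem: $(count_certs "$WORK/bundle.pem")"
    echo "certs in bundle.p7b: $(pkcs7_cert_count "$WORK/bundle.p7b")"
    if has_private_key "$WORK/bundle.pem"; then
        echo "ERROR: private key leaked into bundle" >&2
        exit 1
    fi
    verify_chain "$WORK/bundle.pem" "$WORK/int.pem"
    echo "intermediate verifies against bundle"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing to do" >&2
    exit 0
fi
```

Run it as-is to see the counts; for real use, replace the constructed CAs with your own CA certificate files in the build_bundle call and push bundle.pem or bundle.p7b, whichever the target trust store accepts. Note that build_bundle keeps only the first certificate of each input file, so give it one file per CA.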

© 2022 - 2024 — McMap. All rights reserved.