
Unix & Linux: How to export CA certificate chain from PFX in PEM format without bag attributes?

The Question:

I have a PKCS12 file containing the full certificate chain and private key. I need to break it up into 3 files for an application. The 3 files I need are as follows (in PEM format):

* an unencrypted key file
* a client certificate file
* a CA certificate file (root and all intermediate)

This is a common task I have to perform, so I'm looking for a way to do this without any manual editing of the output.

I tried the following:

    openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out <clientcert.key>
    openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out <clientcert.cer>
    openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain -out <cacerts.cer>

This works fine, however, the output contains bag attributes, which the application doesn't know how to handle.

After some searching I found a suggested solution of passing the results through x509 to strip the bag attributes.

    openssl x509 -in <clientcert.cer> -out <clientcert.cer>

This works, but I run into an issue on the cacert file. The output file only contains one of the 3 certs in the chain.

Is there a way to avoid including the bag attributes in the output of the pkcs12 command, or a way to have the x509 command output include all the certificates? Additionally, if running it through x509 is the simplest solution, is there a way to pipe the output from pkcs12 into x509 instead of writing out the file twice?

Solutions: Please watch the whole video to see all solutions, in order of how many people found them helpful.

With thanks & praise to God, and with thanks to the many people who have made this project possible!
| Content (except music & images) licensed under cc by-sa 3.0 | Music: https://www.bensound.com/royalty-free-music | Images: https://stocksnap.io/license & others | With thanks to user BryKKan (https://unix.stackexchange.com/users/160045), and the Stack Exchange Network (http://unix.stackexchange.com/questions/367220). Trademarks are property of their respective owners. Disclaimer: All information is provided "AS IS" without warranty of any kind. You are responsible for your own actions. Please contact me if anything is amiss at Roel D.OT VandePaar A.T gmail.com.
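
One way to get all three files without bag attributes and without intermediate files, as an added example that is not part of the original question or its answers: pipe each `openssl pkcs12` call through a filter that keeps only the PEM blocks, so every certificate in the chain survives. The names `pem_only`, `count_certs`, `split_pfx`, `sample_output` and the `PFX_PASS` variable are assumptions made for this sketch, and the sample input is constructed.

```shell
#!/bin/sh
# pem_only: pass through only PEM blocks (BEGIN..END lines inclusive), dropping
# "Bag Attributes", subject=/issuer= lines and anything else between blocks.
pem_only() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF input
        /^-----BEGIN [A-Z0-9 ]+-----$/ { keep = 1 }
        keep                           { print }
        /^-----END [A-Z0-9 ]+-----$/   { keep = 0 }
    '
}

count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$'; }

# split_pfx FILE PREFIX (hypothetical helper): writes PREFIX.key, PREFIX.cer, PREFIX-ca.cer.
# The import password is read from the PFX_PASS environment variable.
# -chain is left out: it is an option for creating a PKCS#12 file, not for reading one.
split_pfx() {
    pfx=$1; prefix=$2
    # -nodes writes the key unencrypted, so create that file owner-only.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes | pem_only > "$prefix.key" )
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys | pem_only > "$prefix.cer"
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys | pem_only > "$prefix-ca.cer"
    # openssl errors are hidden by the pipe, so verify that each file got a PEM block.
    for f in "$prefix.key" "$prefix.cer" "$prefix-ca.cer"; do
        grep -q '^-----BEGIN ' "$f" || { echo "no PEM data in $f" >&2; return 1; }
    done
}

# Constructed sample of pkcs12 -cacerts output (placeholder base64, not real certificates).
sample_output() {
    cat <<'EOF'
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
EOF
}
```

Running `sample_output | pem_only | count_certs` shows both certificates kept; with a real file, `PFX_PASS=... split_pfx filename.pfx clientcert` produces the three outputs.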
