Probably I was not clear in my question. When I have several certificates, like server cert + key, intermediate and root, and want to bundle them all in a single file, say PKCS#12, is there a specific sequence to bundle them? For example:

first option  = key + server cert + intermediate + root
second option = root + intermediate + server cert + key
third option  = server cert + key + intermediate + root
...

Please throw some light here. Thanks.

On Thu, Oct 21, 2010 at 11:11 PM, Suresh <suresh.chi...@gmail.com> wrote:
> Thank you for a detailed reply, Dave.
>
> > There is a standard ASN.1 structure, PKCS#7 aka Cryptographic
> > Message Syntax or CMS, which can carry multiple certs and/or CRLs
> > in DER (or PEM-ified single DER, as opposed to PEM concatenation)
> > and is fairly commonly used for that purpose.
>
> This makes me understand PKCS#7 or PKCS#12 can take several
> certificates and a key in PEM format into a single file. When packaging
> server, intermediate and key into a single file, is there a sequence to
> do that?
>
> Also, please correct me if my understanding is correct.
>
> Thanks.
>
> On Tue, Oct 19, 2010 at 8:40 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
> >
> > > From: owner-openssl-us...@openssl.org On Behalf Of liv2luv
> > > Sent: Tuesday, 19 October, 2010 11:26
> >
> > > I am new to SSL and Certificates.
> > >
> > > I have generated a CSR and certificate for signing. In return
> > > I've got three certificates.
> > >
> > > a. Root CA's certificate
> > > b. Intermediate Certificate
> > > c. Server certificate
> > >
> > > After some searching, I understand I need to combine them in
> > > the sequence server, intermediate and root certificate.
> > >
> > Probably not. For an OpenSSL server, you do need entity +
> > intermediate as below, unless the/each client has the
> > intermediate as trusted (which is sometimes possible).
> >
> > It rarely makes sense to transmit a root in protocol,
> > since the peer must have it already to trust it.
> >
> > > After that I converted the PEM format to DER to see the
> > > certificate. It is only showing the top certificate
> > > (server certificate) in this case.
> > >
> > OpenSSL x509 can look at a certificate file in either DER or PEM
> > with exactly the same capabilities. If you mean you had multiple
> > certs (e.g. the chain) in one file in PEM format and did
> >
> >     openssl x509 -inform pem -outform der
> >
> > that only converts the first cert found, just like
> >
> >     openssl x509 -inform pem -text -noout
> >
> > only displays the first cert. To process with the commandline
> > utility like this you must put each cert in a separate file.
> > As to recombining later, see below.
> >
> > > How can the certificate chain be created in a single file?
> > >
> > There is no standard format for just putting multiple certs,
> > or anything else, in DER format into a file.
> >
> > In a few places OpenSSL accepts multiple certs in PEM format
> > in a file. SSL_CTX_load_verify_locations (CAfile), used by
> > -CAfile in several utilities, takes certs (and CRLs if used)
> > in PEM format in one file. SSL_CTX_use_certificate_chain_file
> > takes entity cert plus chain (excluding root, which as above is
> > not needed) in PEM format, and thus should be what you need.
> >
> > This concatenated PEM format is not a standard as far as I know,
> > although I believe some others have adopted OpenSSL's method.
> > Remember that PEM format (here) is actually just DER encoded
> > in base64 plus labels; the "real" data is actually the same.
> >
> > There is a standard ASN.1 structure, PKCS#7 aka Cryptographic
> > Message Syntax or CMS, which can carry multiple certs and/or CRLs
> > in DER (or PEM-ified single DER, as opposed to PEM concatenation)
> > and is fairly commonly used for that purpose. The SSL routines
> > in OpenSSL do not use PKCS#7 directly, although code you write
> > using lower-level libcrypto can, and the commandline utility
> > pkcs7 can display them, from which you can capture them into
> > one or more files in PEM format and manipulate further.
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
>
> --
> Suresh

--
Suresh
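Dave's point that OpenSSL's concatenated PEM is just labelled base64 DER, and that the x509 utility only ever reads the first block, suggests the first thing to do with such a file: split it back into its blocks, in file order, and check that each one really is a single DER structure. The Python below is an added example, not code from the thread or from OpenSSL; its sample input is constructed (two tiny hand-built DER SEQUENCEs standing in for the server and intermediate certificates), so the checks are on PEM framing and DER length, not on X.509 contents.

```python
"""Split an OpenSSL-style concatenated PEM file and sanity-check each block.

Added example. PEM here is base64 of DER plus BEGIN/END labels, so each block
is decoded and its outer DER SEQUENCE header compared with the decoded length.
"""
import base64
import re
from typing import List, Tuple

# One PEM block: label in BEGIN must match the label in END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def split_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every block, in the order found."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Legacy PEM may carry "Proc-Type:"-style header lines; skip those.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one outer SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def to_pem(label: str, der: bytes) -> str:
    """Re-encode one DER blob as a PEM block (64-column base64, OpenSSL style)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample "chain": SEQUENCE { INTEGER 1 } then SEQUENCE { INTEGER 2 },
# concatenated the way entity cert + intermediate would be (not real certs).
SAMPLE = to_pem("CERTIFICATE", bytes.fromhex("3003020101")) + \
         to_pem("CERTIFICATE", bytes.fromhex("3003020102"))

if __name__ == "__main__":
    for i, (label, der) in enumerate(split_pem(SAMPLE), 1):
        print(f"block {i}: {label}, {len(der)} DER bytes, header ok: {der_sequence_ok(der)}")
```

Writing each block returned by split_pem through to_pem into its own file gives the per-certificate files that `openssl x509` needs.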