> From: owner-openssl-us...@openssl.org On Behalf Of rockinein
> Sent: Friday, 25 May, 2012 08:58

> I need help with certificate chain (with intermediate CA). I
> need to convert pem to der.
>
> There is a command:
>
> openssl x509 -in something.pem -out something.der -outform der
>
> Problem is that when I use this command and there are more
> CAs in pem (more
> begin/end certificate), it converts only 1st CA and cuts out others.
>

Yes, the x509 command processes only one cert and ignores anything else
in PEM input (either comments, or other certs). (For example, you can put
a PEM cert and a PEM privatekey together in one file. PEM_read_X509 or
commandline x509 will read the cert and ignore the privatekey;
PEM_read_PrivateKey or commandline rsa etc. will ignore the cert and
read the key.)

Using commandline, you have to break the input into separate files
for each cert, process all, and use the results (below). On Unix,
or on Windows with Unix tools added, this is easy with awk or perl,
probably doable with some effort with shell and sed or maybe grep.
On plain Windows I can't help you. On any OS you could write a program
to feed files to commandline, but it's easy(er?) to eliminate
commandline, see next.

Writing your own program, you could just loop PEM_read[_bio]_X509
until EOF and i2d_X509_fp|bio (or to memory and fwrite) plus any
additional structure you need.

Note that just a sequence of DER certs is not itself valid DER,
although it is sometimes used. If you need valid DER, you must
define/determine what it is, for example a DER PKCS#7 *containing*
the sequence of certs is one standard way of handling a chain.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
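The two steps described in the reply above, as an added example that is not part of the original message or of OpenSSL: every CERTIFICATE block in a PEM bundle is decoded to DER (other blocks and comments are skipped), and the results are wrapped in a certs-only PKCS#7 SignedData so the output is a single DER value. It uses only the Python standard library instead of the OpenSSL API the reply mentions; `pem_certs_to_der`, `tlv`, `certs_only_pkcs7`, `to_pem`, `FAKE` and `SAMPLE` are names made up for this example, and the sample holds constructed placeholder bytes, not real certificates.

```python
import base64
import re

# One PEM block; text outside blocks (comments, blank lines) never matches.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_certs_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    ders = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":  # private keys and other types are ignored
            ders.append(base64.b64decode("".join(body.split())))
    return ders

def tlv(tag, content):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1

def certs_only_pkcs7(ders):
    """Wrap DER certs in a degenerate (certs-only) PKCS#7 SignedData."""
    signed_data = tlv(0x30,
        tlv(0x02, b"\x01")                   # version 1
        + tlv(0x31, b"")                     # digestAlgorithms: empty SET
        + tlv(0x30, OID_DATA)                # contentInfo: type data, no content
        + tlv(0xA0, b"".join(sorted(ders)))  # certificates [0]; DER sorts SET OF
        + tlv(0x31, b""))                    # signerInfos: empty SET
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, signed_data))

def to_pem(label, der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed sample: placeholder SEQUENCEs stand in for real certificates.
FAKE = [tlv(0x30, b"leaf" * 40), tlv(0x30, b"intermediate")]
SAMPLE = ("# bundle comment\n" + to_pem("CERTIFICATE", FAKE[0])
          + to_pem("PRIVATE KEY", b"k") + to_pem("CERTIFICATE", FAKE[1]))
```

Because DER orders the members of a SET OF by their encoding, the chain order of the input file is not preserved inside the PKCS#7 output.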