1
votes

Hi, I am a little new to all this OpenSSL and PEM stuff, so I thought I would ask you people here. I have a certificate in text (X509) format, like this for example:

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"
        Validity:
            Not Before: Fri Dec 18 00:00:00 2009
            Not After : Sun Dec 18 23:59:59 2011
        Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ
            ia,C=US"
        ............................................
        ............................................

How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.

Regards Hari

2
It doesn't look like a duplicate of this question. It looks more like the certificate is provided in text form of some sort. - Bruno
Just to clarify, this is not a duplicate of the other question, as in this case I don't have a CRT/DER file and the only information that I have is the certificate stored as a text file. Thanks for taking the effort to help. - Hari
@Hari, if you had said that you were using certutil initially, it would have been easier to provide you with a better answer sooner. - Bruno

2 Answers

6
votes

If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).

You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of openssl x509 -text or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.

Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.

On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.

In the general case, I'd say doing this successfully is unlikely.

EDIT: Considering what you said, you seem to be using LibNSS's certutil:

Try:

    certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM

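
The point above about needing the exact binary structure, as an added example (not code from the answer, OpenSSL or NSS): a minimal DER encoder for a one-attribute Name shows two valid encodings of the question's CN that render to the same text but hash differently, and that PEM is only a base64 wrapper around those bytes. The helper names and the `CONSTRUCTED SAMPLE` label are assumptions made for illustration.

```python
import base64
import hashlib
import textwrap

OID_CN = bytes.fromhex("550403")   # 2.5.4.3, commonName
PRINTABLE, UTF8 = 0x13, 0x0C       # two string types a CN may legally use

def tlv(tag, value):
    """DER tag-length-value, short-form length only (value under 128 bytes)."""
    if len(value) >= 0x80:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(value)]) + value

def read_tlv(buf, off=0):
    """Return (value, next_offset) of the short-form TLV starting at off."""
    end = off + 2 + buf[off + 1]
    return buf[off + 2:end], end

def encode_name(cn, string_tag):
    """Name = SEQUENCE { SET { SEQUENCE { OID, string } } } with one CN."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(string_tag, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))

def render_name(der):
    """Print the way a text dump does: the string's ASN.1 type is dropped."""
    set_tlv, _ = read_tlv(der)
    atv_tlv, _ = read_tlv(set_tlv)
    atv_body, _ = read_tlv(atv_tlv)
    _oid, off = read_tlv(atv_body)
    value, _ = read_tlv(atv_body, off)
    return "CN=" + value.decode("ascii")

def to_pem(der, label="CERTIFICATE"):
    """PEM = base64 of the DER bytes, wrapped at 64 columns between markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def from_pem(pem):
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def digest(der):
    return hashlib.sha256(der).hexdigest()  # a signature covers a hash like this

printable_der = encode_name("mail.google.com", PRINTABLE)  # constructed sample
utf8_der = encode_name("mail.google.com", UTF8)            # same CN, other type
print(render_name(printable_der) == render_name(utf8_der))  # same text
print(digest(printable_der) == digest(utf8_der))            # different bytes
print(from_pem(to_pem(utf8_der, "CONSTRUCTED SAMPLE")) == utf8_der)  # lossless
```

The text rendering loses the string type, so a dump alone cannot say which of the two encodings the issuer signed; the raw DER from `certutil -L -r` keeps it.
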
3
votes

I am not sure what you are presenting in your post.
This seems to be the visualization of an existing certificate.
Are you viewing it via Windows? I.e. opening a .der or .cer file?
If this is the case, go to the details tab, press copy to file and save it as PEM.
If you need to save it in that format, that is.