PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl crl2pkcs7 -nocrl" - PKCS7 Certificate Chain
This section provides a tutorial example on how to create a PKCS7 file with a certificate chain using the 'openssl crl2pkcs7 -nocrl' command.
If you want to create a PKCS7 file with a certificate chain, you can use the "openssl crl2pkcs7 -nocrl" command as shown in this tutorial.
1. Check my certificate, intermediate CA certificate and root CA certificate generated from the "openssl ca" - CA (Certificate Authority) Tool chapter.
herong$ ls -l
1889 Nov 24 09:19 hy-cert-2.pem          # my certificate
2162 Nov 24 09:17 intermediate-cert.pem  # intermediate CA
 749 Nov 24 08:07 root-cert.pem          # the root CA certificate

2. Concatenate all 3 certificates (in the signed-by order) into a PEM bundle.

herong$ cat hy-cert-2.pem intermediate-cert.pem root-cert.pem \
  > chain-cert.pem
3. Create a PKCS7 file from the PEM certificate chain.
herong$ openssl crl2pkcs7 -nocrl -certfile chain-cert.pem \
  -out chain-cert.p7b
4. Look at the PKCS7 file. It is written in PEM format and marked as "PKCS7".
herong$ more chain-cert.p7b
-----BEGIN PKCS7-----
MIIFQAYJKoZIhvcNAQcCoIIFMTCCBS0CAQExADALBgkqhkiG9w0BBwGgggUTMIIB
bzCB+AICEAMwCQYHKoZIzj0EATAqMQswCQYDVQQGEwJaWjEbMBkGA1UEAxMSWlog
...
oQAxAA==
-----END PKCS7-----
5. Print out certificate information from the PKCS7 file.

herong$ openssl pkcs7 -in chain-cert.p7b -noout -print_certs
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA

subject=/C=ZZ/CN=ZZ Intermediate CA
issuer=/C=ZZ/CN=ZZ Root CA

subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA

6. Extract certificates out of the PKCS7 file.

herong$ openssl pkcs7 -in chain-cert.p7b -print_certs -outform PEM
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBbzCB+AICEAMwCQYHKoZIzj0EATAqMQswCQYDVQQGEwJaWjEbMBkGA1UEAxMS
WlogSW50ZXJtZWRpYXRlIENBMB4XDTI0MTEyNDE0MTkxMFoXDTI1MTEyNDE0MTkx
...
9aazAL2XvpsSgXU39+evXgOBAclswQPqosaEspOyMeDEpSo=
-----END CERTIFICATE-----

subject=/C=ZZ/CN=ZZ Intermediate CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIBnTCCASSgAwIBAgICEAIwCQYHKoZIzj0EATAiMQswCQYDVQQGEwJaWjETMBEG
A1UEAxMKWlogUm9vdCBDQTAeFw0yNDExMjQxNDE3NTFaFw0yNTExMjQxNDE3NTFa
...
tP5RO+BCCJH0nmtBntbgG9Zl00afgZ+YmqQUzIVsRTTK
-----END CERTIFICATE-----

subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC
WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0
...
w0bo7xDCG8M6/C0mUSut8b9kJGjleevob+5a41oKug==
-----END CERTIFICATE-----
Note that the "openssl crl2pkcs7 -nocrl" command allows you to build a PKCS7 file from any list of certificates, not only a certificate chain.
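Because the command accepts any list of certificates, it is worth checking a bundle's order before relying on it. The script below is an added example, not part of the original tutorial: it reads the subject/issuer listing printed by "openssl pkcs7 -noout -print_certs" and confirms that each issuer matches the next subject and that the last certificate is self-issued. The function names and the misordered sample are constructed for illustration; the check compares names only and does not verify signatures.

```shell
#!/bin/sh
# Added example (not from the tutorial). Function names are hypothetical.

# Read the "subject=" / "issuer=" lines printed by
# "openssl pkcs7 -noout -print_certs" on stdin and check signed-by order:
# each issuer must equal the next subject; the last cert must be self-issued.
check_chain_order() {
    awk '
        /^subject=/ { sub(/^subject=[ ]*/, ""); subj[++n] = $0 }
        /^issuer=/  { sub(/^issuer=[ ]*/, "");  iss[n] = $0 }
        END {
            if (n == 0) { print "error: no certificates found"; exit 2 }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) {
                    printf "break after cert %d: issuer \"%s\", next subject \"%s\"\n", i, iss[i], subj[i + 1]
                    exit 1
                }
            if (iss[n] != subj[n]) { print "last cert is not self-issued"; exit 1 }
            printf "ok: %d certificates in signed-by order\n", n
        }'
}

# Run the check on a PKCS7 file, e.g. check_p7b chain-cert.p7b
check_p7b() {
    openssl pkcs7 -in "$1" -noout -print_certs | check_chain_order
}

# Constructed sample input: the -print_certs listing shown on this page,
# and a variant with the first two certificates swapped.
sample_good() {
    cat <<'EOF'
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA
subject=/C=ZZ/CN=ZZ Intermediate CA
issuer=/C=ZZ/CN=ZZ Root CA
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
EOF
}
sample_misordered() {
    cat <<'EOF'
subject=/C=ZZ/CN=ZZ Intermediate CA
issuer=/C=ZZ/CN=ZZ Root CA
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
EOF
}

sample_good | check_chain_order
sample_misordered | check_chain_order || true
```

A passing name check still leaves signature validation to "openssl verify" or the consuming application.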