There is a format that puts all DER certificates into a single DER-formatted structure. It is called PKIpath, and it's defined as `SEQUENCE OF Certificate`. The problem with it is that its order was standardized by X.509 2001 TC1 to begin with the root and continue to the leaf, which is backwards from how TLS presents the certificate chain. (Java's JCA/JCE were specified before that corrigendum issued, and its PKIpath validation goes by the convention in use at the time to put the leaf certificate first, like pem-certificate-chain.)
I don't have my computer open to get you the PKIX-WG RFCs which define it and specify the same order as the TC1, but if you're curious you can chase them down by looking up IANA's list of media types and searching for "application/pkix-pkipath".
-Kyle H
On Fri, May 22, 2020, 00:55 Richard Levitte <levitte@xxxxxxxxxxx> wrote:
Generally speaking, OpenSSL hasn't exactly encouraged multiple objects
in one DER file. While it's theoretically possible to have several
objects in such a file, there is code in OpenSSL where that's
simply not considered. For example, this snippet in the man-page
'X509_LOOKUP_file' is quite clear:
Functions X509_load_cert_file and X509_load_crl_file can load both PEM
and DER formats depending of type value. Because DER format cannot
contain more than one certificate or CRL object (while PEM can contain
several concatenated PEM objects) X509_load_cert_crl_file with
FILETYPE_ASN1 is equivalent to X509_load_cert_file.
The functions described there are also used by functions like
X509_LOOKUP_load_file().
Note that this may change going forward, as OSSL_STORE is gradually
entering the scene, and does provide a bit better flexibility in this
regard.
(We have recently added an X509_LOOKUP variant that uses OSSL_STORE
for its object retrieval, see the section 'OSSL_STORE Method' in
doc/man3/X509_LOOKUP_hash_dir.pod in recent OpenSSL source, such as
the alpha releases)
Cheers,
Richard
On Fri, 22 May 2020 00:53:39 +0200,
paul h. roubekas wrote:
> I am a complete newbie to this list.
>
> I wanted to search the archive but found no such page.
>
> I have a requirement to convert all certs in a *.p12 file to a *.der file for use in the curl
> command.
>
> The first hop to a *.pem file has all the certs.
>
> But the second hop only has one cert. Then I read the docs but found nothing that looked even
> close.
>
> Hop 1
>
> openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem -password {redacted}
>
> Hop 2
>
> openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
>
> The Question) How do I get all the certs in the .der file?
>
>
--
Richard Levitte levitte@xxxxxxxxxxx
OpenSSL Project http://www.openssl.org/~levitte/
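As an added example (not code from this thread, from OpenSSL or from Java), the following pure-Python script shows both answers above in practice: it splits the multi-certificate PEM from "Hop 1" into one single-object DER file per certificate, which is what `openssl x509 -inform der` and curl's DER cert options can read, and it wraps the same certificates in a PKIpath (`SEQUENCE OF Certificate`), reversing a leaf-first chain into the root-first order that X.509 TC1 and application/pkix-pkipath specify. The sample PEM input is constructed for the demonstration: its two "certificates" are tiny DER SEQUENCEs rather than real X.509 certificates, and the function and file names are the author's own choices.

```python
import base64
import re

# Constructed sample input: two tiny DER SEQUENCEs stand in for certificates
# (real certificates are far longer; the splitting logic is identical).
SAMPLE_PEM_CHAIN = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_chain_to_der_list(pem_text: str) -> list[bytes]:
    """Decode every CERTIFICATE block in a PEM file, in file order.
    Each element is one complete DER certificate, i.e. a valid one-object DER file."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT_RE.finditer(pem_text)]

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_pkipath(certs: list[bytes], leaf_first: bool = True) -> bytes:
    """Wrap certificates in a PKIpath: SEQUENCE (tag 0x30) OF Certificate.
    X.509 TC1 / application/pkix-pkipath order is root first, leaf last, so a
    leaf-first chain (the TLS / pem-certificate-chain order) is reversed here.
    Pass leaf_first=False if the input chain is already root-first."""
    ordered = list(reversed(certs)) if leaf_first else list(certs)
    body = b"".join(ordered)
    return b"\x30" + der_length(len(body)) + body

def split_to_der_files(pem_text: str, prefix: str = "cert") -> list[str]:
    """Write one DER file per certificate (cert0.der, cert1.der, ...) and
    return the paths; `openssl x509` only ever converts the first PEM block."""
    paths = []
    for i, der in enumerate(pem_chain_to_der_list(pem_text)):
        path = f"{prefix}{i}.der"
        with open(path, "wb") as fh:
            fh.write(der)
        paths.append(path)
    return paths
```

The PKIpath output can be inspected with `openssl asn1parse -inform DER -in chain.pkipath`, which shows the outer SEQUENCE followed by each certificate's SEQUENCE.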