Reputation: 19377
I have a certificate in X.509 format. Using openssl I want to extract the issuer's certificate into a file, also in X.509 format (so that I can whitelist the issuer in my web service).
How do I do this? The following command did not work; it only printed the issuer information in text form.
openssl x509 -in cert.x509 -issuer -out issuer.x509
Upvotes: 23
Views: 46736
Reputation: 189
The accepted answer is correct, but I can elaborate further.
Certificates typically have an AIA field that provides a URL where the Issuer certificate can be downloaded, and by the standards that CAs must follow, they are also typically in DER format.
For the 1. above where you "Find the URL of the signing certificate", you could run
issuer_url=$(openssl x509 -noout -text -in "$filename" | grep -A 3 "Authority Information Access" | grep "CA Issuers" | head -1 | sed 's/CA Issuers - URI://g' | sed 's/ //g')
This command basically runs openssl on a certificate and snips out the CA Issuers - URI: link in the certificate (assuming there is one) and places it into the issuer_url variable. You can replace $filename with the /path/to/your/pem/certificate. If your certificate is in DER format, you'll need to include -inform DER in the first openssl command.
Once you've done that, you can use wget to fetch it:
wget $issuer_url -O outputfile.crt
This will fetch the issuer file. This file is typically in DER format, so from here you can serve the file or convert it to PEM:
openssl x509 -inform DER -in outputfile.crt -out pem_outputfile.crt
Upvotes: 12
Reputation: 19377
1. openssl x509 -in cert.x509 -text
   Find the URL of the signing certificate.
2. curl (url) >signer.der
   Download the signing certificate to a file (DER format in my case).
3. openssl x509 -inform der -in signer.der -out signer.pem
   Convert signing certificate to PEM (X.509) format.
4. openssl x509 -in signer.pem -text
   Confirm your results. Repeat procedure as necessary all the way up the certificate chain.
Upvotes: 25
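The procedure both answers describe (read the AIA "CA Issuers" URL, download the issuer, normalise it to PEM, then check it before whitelisting it), as an added shell example that is not code from either poster. It assumes the text layout that `openssl x509 -text` prints for the Authority Information Access extension; the certificate text and URLs embedded below are constructed samples, and `fetch_issuer` needs network access, `openssl` and `curl` to actually run.

```shell
#!/bin/sh
# Added example, not from the original answers. Extracts the AIA
# "CA Issuers" URL from `openssl x509 -text` output, fetches the issuer
# and converts it to PEM, then verifies that it really signed the leaf.

# Print the first "CA Issuers - URI:" value inside the Authority
# Information Access block read from stdin. Returns 1 and prints nothing
# when the block is absent or has no CA Issuers entry (e.g. a root CA).
# Unlike `grep -A 3`, this does not depend on how many OCSP lines precede
# the CA Issuers line or on the block being exactly three lines long.
extract_ca_issuers_url() {
    awk '
        /Authority Information Access/ { in_aia = 1; next }
        in_aia && /CA Issuers - URI:/ {
            sub(/.*CA Issuers - URI:[ \t]*/, "")
            sub(/[ \t]*$/, "")
            print
            found = 1
            exit
        }
        # Any line that is not an OCSP/CA Issuers URI ends the AIA block.
        in_aia && !/URI:/ { in_aia = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# Print the issuer certificate of $1 as PEM on stdout.
# $2 is the input format of the leaf (PEM by default, or DER).
# AIA targets are usually a DER certificate, but RFC 5280 also allows a
# PKCS#7 "certs-only" bundle, and some CAs serve PEM; try all three.
fetch_issuer() {
    leaf=$1
    inform=${2:-PEM}
    url=$(openssl x509 -inform "$inform" -in "$leaf" -noout -text | extract_ca_issuers_url) || {
        echo "no CA Issuers URI in $leaf (self-signed root?)" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    openssl x509 -inform DER -in "$tmp" 2>/dev/null \
        || openssl x509 -inform PEM -in "$tmp" 2>/dev/null \
        || openssl pkcs7 -inform DER -in "$tmp" -print_certs
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Before whitelisting $2 (issuer PEM) for $1 (leaf PEM), confirm that the
# leaf really chains to it: -partial_chain lets an intermediate act as
# the trust anchor, so a wrong download fails loudly instead of silently.
check_issuer() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null
}

# Constructed sample: the AIA section of a leaf, as openssl prints it.
SAMPLE_X509_TEXT=$(cat <<'EOF'
        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.invalid
                CA Issuers - URI:http://pki.example.invalid/intermediate.der
            X509v3 Basic Constraints: 
                CA:FALSE
EOF
)

# Constructed sample: a root with only an OCSP responder and no CA Issuers.
SAMPLE_ROOT_TEXT=$(cat <<'EOF'
        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.invalid
            X509v3 Basic Constraints: critical
                CA:TRUE
EOF
)

# Demo on the constructed text (no network needed):
printf '%s\n' "$SAMPLE_X509_TEXT" | extract_ca_issuers_url
```

Usage against a real file is `fetch_issuer cert.pem > issuer.pem && check_issuer cert.pem issuer.pem`, repeated with `issuer.pem` as the new leaf to walk up the chain until `extract_ca_issuers_url` reports no URL. Because a CA's AIA URL is fetched over plain HTTP, the `check_issuer` step is what actually ties the downloaded file to your certificate; whitelisting an unverified download would let anyone who can tamper with that HTTP response choose what your service trusts.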