Danimar Ribeiro

Reputation: 159

Difference between get_ca_certificates and get_certificate

I'm using python to load a pfx certificate.

from datetime import datetime
from OpenSSL import crypto

pfx = crypto.load_pkcs12(pfx, self.nfe_a1_password)  # pfx: raw bytes of the .pfx file
cert = pfx.get_certificate()
# get_notAfter() returns bytes (e.g. b'20250101000000Z'); decode before parsing
end = datetime.strptime(cert.get_notAfter().decode('ascii'), '%Y%m%d%H%M%SZ')
subj = cert.get_subject()

http://www.pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.PKCS12.get_ca_certificates

I got one interesting certificate for which the method get_certificate() returns None, and if I call get_ca_certificates() it returns the certificate.

What does it mean if the pfx does not return the certificate? Did the certificate issuer send me a wrong one?

Upvotes: 2

Views: 691

Answers (1)

Pavel

Reputation: 31

6-year-old question, but... Usually a PKCS#12 certificate is divided into two parts:

  • The private key, which is only known by the server/issuer and never shared with third parties
  • The public key, which is shared with clients

The public key is signed by the Root CA (certification authority), and may also be self-signed. If it is not signed at all, then the clients may not be able to connect to the server (error: untrusted certificate from the browser or code context). Regarding your question, the public certificate may be a chain of certificates with a footprint of all the intermediate CAs. The purpose is for the clients to track the server certificate and lead back to the Root CA public key.

The public (PEM format) certificate is then a concatenation of the public key and all the intermediate CAs, which looks like this:

# Public key of the SSL certificate (the server certificate)
-----BEGIN CERTIFICATE-----
ggEPADCCAQoCggEBAMGPTyynn77hqcYnjWsMwOZDzdhVFY93s2OJntMbuKTHn39B
...
lffygD5IymCSuuDim4qB/9bh7oi37heJ4ObpBIzroPUOthbG4gv/5blW3Dc=
-----END CERTIFICATE-----

# Trust chain intermediate certificate
-----BEGIN CERTIFICATE-----
SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj
...
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
-----END CERTIFICATE-----

# Trust chain root certificate
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
...
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----

So the last two certificates (trust chain intermediate certificate and trust chain root certificate) may or may not be present (if there are no intermediate CAs), hence calling

pfx.get_ca_certificates()

will return None.

If not None, then you may want to append all of them to your own certificate chain / file.

Upvotes: 0
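The split the question observes, as an added example that is not part of the original question or answer. It uses the `cryptography` package (which pyOpenSSL depends on) instead of `crypto.load_pkcs12`, since that function was deprecated in pyOpenSSL and removed in later releases. Both loaders come from OpenSSL's PKCS12_parse: the certificate whose public key matches the bundled private key is returned as "the" certificate (pyOpenSSL `get_certificate()`), and every other certificate, including the end-entity certificate when no private key matches it, is returned in the CA list (`get_ca_certificates()`). The example builds a throwaway root CA and leaf certificate, packs them into a PKCS#12 container with and without the leaf's private key, and reads both back. The CA name, leaf name, friendly name, password and key material are all constructed here and are not from the question; `_make_cert`, `build_pkcs12`, `inspect_pkcs12` and `chain_pem` are helper names chosen for this example.

```python
"""Which certificate in a PKCS#12 file is 'the' certificate, and which are CA certificates?

Example code added for illustration; all names, the password and the key material
below are constructed and not taken from the question or the answer.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"pw"  # constructed; plays the role of nfe_a1_password in the question


def _make_cert(subject_cn, issuer_cn, public_key, signing_key, is_ca):
    """Issue a certificate for `public_key`, signed by `signing_key` (hypothetical helper)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_pkcs12(include_key):
    """Return PKCS#12 (.pfx) bytes holding a leaf certificate and its issuing CA.

    include_key=True  : the leaf's private key is bundled too (a normal A1 file).
    include_key=False : no private key at all, only the two certificates.
    """
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _make_cert("Example Root CA", "Example Root CA", ca_key.public_key(), ca_key, True)

    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = _make_cert("leaf.example", "Example Root CA", leaf_key.public_key(), ca_key, False)

    return pkcs12.serialize_key_and_certificates(
        name=b"example",
        key=leaf_key if include_key else None,
        cert=leaf_cert,
        cas=[ca_cert],
        encryption_algorithm=serialization.BestAvailableEncryption(PASSWORD),
    )


def _cn(cert):
    """Common name of a certificate's subject."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def inspect_pkcs12(data, password):
    """Load a PKCS#12 blob and report which certificate ended up where.

    `certificate` is the one whose public key matches the bundled private key
    (pyOpenSSL: get_certificate()); everything else, including the leaf when no
    key matches it, comes back in `additional` (pyOpenSSL: get_ca_certificates()).
    """
    key, certificate, additional = pkcs12.load_key_and_certificates(data, password)
    return {
        "has_key": key is not None,
        "certificate": _cn(certificate) if certificate is not None else None,
        "additional": sorted(_cn(c) for c in additional),
    }


def chain_pem(data, password):
    """Concatenate every certificate in the container as PEM, matched leaf first."""
    _key, certificate, additional = pkcs12.load_key_and_certificates(data, password)
    ordered = ([certificate] if certificate is not None else []) + list(additional)
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in ordered)


if __name__ == "__main__":
    print("with key:   ", inspect_pkcs12(build_pkcs12(True), PASSWORD))
    print("without key:", inspect_pkcs12(build_pkcs12(False), PASSWORD))
    print(chain_pem(build_pkcs12(True), PASSWORD).decode())
```

Run it and compare the two lines: with the private key bundled, the leaf is the certificate and only the root sits in the additional list; without a matching private key the certificate slot is None and the leaf is reported alongside the root, which is exactly the `get_certificate()` is None / `get_ca_certificates()` has it situation from the question. A .pfx that behaves this way is worth checking with `openssl pkcs12 -info` to see whether it contains a private key at all and whether that key belongs to the certificate you expected.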
