Reputation: 1241
I have a p12 file with the following certificates. I am trying to extract the cert with subject DC=com.ibm.ws.collective/O=.*/OU=controllerRoot (the last one in the list) to import into a trust store (another p12).
$> openssl pkcs12 -in resources/collective/rootKeys.p12 -clcerts -nokeys -info
MAC Iteration 1024
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
friendlyName: memberroot
localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 36 39 37
1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=member/L=10.153.34.33/L=%2Fopt%2Fibm%2Fwlp%2Fusr/CN=controller-2
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=memberRoot
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: memberroot
localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 36 39 37
1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=memberRoot
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=memberRoot
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: controllerroot
localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 39 38 38
1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=member/L=10.153.34.33/L=%2Fopt%2Fibm%2Fwlp%2Fusr/CN=controller-2
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: controllerroot
localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 39 38 38
1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I have tried this with keytool, but it extracted the 2nd-last one:
keytool -exportcert -rfc -keystore resources/collective/rootKeys.p12 -storetype PKCS12 -alias controllerroot -file rootcert.crt
I have tried a few things with openssl, but none worked. Can anyone help me to extract the cert with either keytool or openssl?
Upvotes: 0
Views: 1739
Reputation: 1241
As I didn't find a solution with openssl or keytool, I tried with sed like below.
openssl pkcs12 -in resources/collective/rootKeys.p12 -clcerts -nokeys -info | sed -n '/subject=\/DC=com.ibm.ws.collective\/O=.*\/OU=controllerRoot/,/END CERTIFICATE/p' | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' | tee expected.crt
Upvotes: 0
Reputation: 1436
If PowerShell is an option, then you can extract the last cert from the PEM output using this script:
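[cmdletbinding()]
Param (
    [Parameter(Mandatory=$true,ValueFromPipeline=$true,HelpMessage="PEM input")]
    [AllowEmptyString()]
    [string[]]$InputValue
)
Begin {
    [string]$capture = $null   # lines of the certificate currently being read
    [string]$result = $null    # most recent complete certificate
}
Process {
    if ('-----BEGIN CERTIFICATE-----' -eq $InputValue) {
        # Start of a PEM block: begin a new capture
        $capture = $InputValue + "`r`n"
    } elseif ('-----END CERTIFICATE-----' -eq $InputValue) {
        # End of a PEM block: this certificate replaces any earlier result
        $result = $capture + $InputValue
        $capture = $null
    } elseif ($capture) {
        # Inside a PEM block: append the base64 line
        $capture += $InputValue + "`r`n"
    }
}
End {
    # Only the last certificate seen is emitted
    $result
}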
With a few slight modifications, you can extract all Root CA certs from the PEM with this script:
[cmdletbinding()]
Param (
    [Parameter(Mandatory=$true,ValueFromPipeline=$true,HelpMessage="PEM input")]
    [AllowEmptyString()]
    [string[]]$InputValue
)
Begin {
    [bool]$isCA = $false       # true while the current bag is self-issued
    [string]$subj = $null      # subject of the current bag
    [string]$capture = $null   # lines of the certificate currently being read
    [string[]]$result = $null  # all captured certificates
}
Process {
    if ([string]$InputValue -match '^subject=(.*)') {
        $subj = $Matches[1]
    } elseif ([string]$InputValue -match '^issuer=(.*)') {
        # Treat the certificate as a root when subject and issuer are identical
        $isCA = ($subj -eq $Matches[1])
    }
    if ($isCA) {
        if ('-----BEGIN CERTIFICATE-----' -eq $InputValue) {
            $capture = $InputValue + "`r`n"
        } elseif ('-----END CERTIFICATE-----' -eq $InputValue) {
            # Keep this certificate and reset state for the next bag
            $result += $capture + $InputValue
            $capture = $null
            $isCA = $false
        } elseif ($capture) {
            $capture += $InputValue + "`r`n"
        }
    }
}
End {
    $result
}
To use, save either of the above to a PowerShell .ps1 script file, open a PowerShell session, then pipe the openssl output to the .ps1 script, and optionally redirect the output to a new certificate file. For example:
openssl pkcs12 -in resources/collective/rootKeys.p12 -clcerts -nokeys -info | .\Get-LastPEMCert.ps1 > last.cer
Where: Get-LastPEMCert.ps1 is the first PowerShell script above; and last.cer will contain the last listed certificate from your PEM OpenSSL output.
Otherwise, you could resort to using cat, sed, and/or awk. For example, see this or these answers.
Upvotes: 1
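An awk-based take on the sed/awk route mentioned above, as an added example that is not part of the original answers: it keys on the subject= line that openssl prints before each PEM block and refuses to continue unless exactly one certificate matches. The function names and the sample input (placeholder O= value and certificate bodies) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `openssl pkcs12 ... -info` output
# on stdin and prints the PEM block(s) whose preceding "subject=" line matches
# the regex in $1. Adjust the regex to the subject format your openssl prints.
extract_cert_by_subject() {
    awk -v pat="$1" '
        { sub(/\r$/, "") }                          # tolerate CRLF output
        /^subject=/ { want = ($0 ~ pat) }           # decided per certificate bag
        /^-----BEGIN CERTIFICATE-----$/ { inpem = 1 }
        inpem && want { print }
        /^-----END CERTIFICATE-----$/ { inpem = 0; want = 0 }
    '
}

# Fail unless exactly one certificate matched, so a loose regex cannot put an
# extra or wrong certificate into the trust store.
extract_unique_cert() {
    out=$(extract_cert_by_subject "$1")
    n=$(printf '%s\n' "$out" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    [ "$n" -eq 1 ] || { echo "expected 1 matching cert, got $n" >&2; return 1; }
    printf '%s\n' "$out"
}

# Constructed sample input: same bag layout as the question, placeholder bodies.
sample_info() {
    cat <<'EOF'
Certificate bag
Bag Attributes
    friendlyName: controllerroot
subject=/DC=com.ibm.ws.collective/O=EXAMPLE/OU=member/CN=controller-2
issuer=/DC=com.ibm.ws.collective/O=EXAMPLE/OU=controllerRoot
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: controllerroot
subject=/DC=com.ibm.ws.collective/O=EXAMPLE/OU=controllerRoot
issuer=/DC=com.ibm.ws.collective/O=EXAMPLE/OU=controllerRoot
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
}

sample_info | extract_unique_cert '/OU=controllerRoot$'
```

Pipe the output of the openssl pkcs12 command from the question into `extract_unique_cert` in place of `sample_info`, redirecting to a file such as expected.crt. Before importing into the trust store, confirm the result with `openssl x509 -in expected.crt -noout -subject -issuer -fingerprint -sha256`.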