Monday, 30 April 2012

Using OpenSSL to manage multiple certificates

More in my occasional series of "Now I did not know that" covering openssl, GSK, IBM HTTP Server etc.

Multiple Certificates In One File

In almost all cases, OpenSSL will assume that there's only one certificate in a given file. As such, it will generally only use the first certificate that it finds, and will ignore all others.

Normally, you will only have one certificate in a file, so that'll be OK. However, you may occasionally come across files with several certificates in them. Unless you're going to be using this file as a CA bundle (where you list all the CA certificates you trust in one single file), you'll probably need to split your file into one file per certificate.

First up, you'll want to check how many certificates a file holds. The simplest way to do that is with:

cat ca-certificate-file | grep -E 'BEGIN.* CERTIFICATE' | wc -l

If you get a number that's greater than 1, then you have multiple certificates in the file. Your best bet is to split the file after each "--END ... CERTIFICATE--" line (you may or may not have anything for "....")

One way to split it is using this perl program, which will find the certificate boundaries for you, and prompt you for a file name to save each certificate into.

Note that the format of an X509 PEM certificate is:

(Header Info)
-----BEGIN (TRUSTED|X509) CERTIFICATE-----
(Certificate Data)
-----END (TRUSTED|X509) CERTIFICATE-----

The (TRUSTED|X509) label is optional; the common form is simply "-----BEGIN CERTIFICATE-----", which is why the grep pattern above uses "BEGIN.* CERTIFICATE" rather than a fixed string.
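As an added example (not the perl program linked above, and not Nick Burch's code), here is a POSIX shell/awk script that does the count from above and then splits a bundle into numbered files at each END line, keeping any header info with the certificate it precedes. The sample bundle it builds is constructed with placeholder data, not real certificates, and the function and file names are my own.

```shell
#!/bin/sh
# Split a PEM bundle into one file per certificate (added example).
# Output files are named <prefix>-<N>.pem. Handles "BEGIN CERTIFICATE",
# "BEGIN TRUSTED CERTIFICATE" and the old "BEGIN X509 CERTIFICATE" forms,
# and strips CR so Windows-saved bundles split correctly too.

count_certs() {
    # The post's check, with grep doing the counting: prints the number
    # of BEGIN ... CERTIFICATE lines in the file.
    grep -cE 'BEGIN.* CERTIFICATE' "$1"
}

split_certs() {
    bundle=$1
    prefix=${2:-cert}
    awk -v prefix="$prefix" '
        { sub(/\r$/, ""); buf = buf $0 "\n" }   # header info + cert lines
        /^-----END( TRUSTED| X509)? CERTIFICATE-----$/ {
            n++
            out = sprintf("%s-%d.pem", prefix, n)
            printf "%s", buf > out              # write this certificate
            close(out)
            buf = ""                            # start the next one
        }
        END { print n + 0 }                     # number of files written
    ' "$bundle"
}

make_sample_bundle() {
    # Constructed two-certificate bundle; the body lines are placeholders,
    # not real base64 certificate data.
    cat > "$1" <<'EOF'
subject=CN=Example Root (constructed)
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderData1
-----END CERTIFICATE-----
subject=CN=Example Trusted (constructed)
-----BEGIN TRUSTED CERTIFICATE-----
MIIBconstructedPlaceholderData2
-----END TRUSTED CERTIFICATE-----
EOF
}

workdir=$(mktemp -d)
make_sample_bundle "$workdir/ca-bundle.pem"
echo "certificates in bundle: $(count_certs "$workdir/ca-bundle.pem")"
echo "files written: $(split_certs "$workdir/ca-bundle.pem" "$workdir/cert")"
# On real certificates, check each piece with:
#   openssl x509 -noout -subject -in "$workdir/cert-1.pem"
```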

With thanks to Nick Burch and his most excellent blog here.
