CSR: Extract PKCS#10 contained in a PKCS#7

Hi everyone: let's see if someone can help me ;) I'm quite a noob in this field, so please be gentle. At my job someone passed me a CSR. This CSR is a PKCS#10 request enveloped in a PKCS#7 request. My task is to extract this PKCS#10 request. I found this page, "CSR analysis failed". I read the paragraph named "Convert the renewal request generated by IIS7 Certificate Request #PKCS7 - DER to CSR in #PKCS10 format - PEM". It tells you how to do it.

I did it as they explain, but after running the last command (with my own names):

openssl req -inform der -in csr.der -out mynewcsr.csr

I got this error:

unable to load X509 request
9288:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1198:
9288:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:372:Type=X509_REQ_INFO
9288:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:694:Field=req_info, Type=X509_REQ

I've been researching and it seems to be a format error. One of the files (the initial file.csr or the intermediate csr.der) must be in an invalid format, so one of the commands I used cannot process it.

I'm sure that the string parsed from the pkcs#7 in format ASN1 is the correct one.

I cannot show you the original one, but it is Base64 encoded and begins and ends with:

-----BEGIN CERTIFICATE REQUEST-----
(...)
-----END CERTIFICATE REQUEST-----

Any idea?


Solution 1:

I have run into something similar in the past, and using openssl to convert the certificates from what they were into what I needed worked.

This website seems to cover the commands fairly well, but I don't know anything about their automated tool, so use it with caution if you go that route.

https://www.sslshopper.com/ssl-converter.html

You can also try DigiCert's website; they have lots of useful docs and tools for beginners. I used them quite heavily for a while until I got used to the openssl tool on Linux.

Also possibly relevant:

https://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem

For reference, I have added the commands here:

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

To go a bit deeper, the CSR is generated using the private key. If the CSR is in the wrong format and you need to use the existing private key (can't generate a new one for instance), you might want to try converting the private key, then creating a new CSR. Then tell the CA what format to issue the new certificate. This should eliminate the incompatibility.

As always, back up what you have before trying anything.
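The error in the question is raised while decoding req_info, the first element inside the outer SEQUENCE of a PKCS#10; a PKCS#7 file has a contentType OID in that position instead, whatever its PEM label says. The sketch below is an added example (not part of the original question or answer) that checks the outer DER tags to tell the two apart; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# DER content bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element longer than input")
    return tag, pos, pos + length

def pem_to_der(text):
    """Drop the PEM armor lines and decode; the label itself is not trusted."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", text), validate=True)

def classify(der):
    """Heuristic on the outer tags only; it does not validate the structure."""
    tag, start, _ = read_tlv(der)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    inner, i_start, i_end = read_tlv(der, start)
    if inner == 0x06:  # ContentInfo starts with a contentType OID
        return "PKCS#7 signedData" if der[i_start:i_end] == SIGNED_DATA_OID else "other ContentInfo"
    if inner == 0x30 and read_tlv(der, i_start)[0] == 0x02:
        return "PKCS#10-shaped"  # CertificationRequestInfo starts with INTEGER version
    return "unknown"

def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n, k = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + value

# Constructed skeletons: correct outer tags, no real key or signature inside.
SAMPLE_P10 = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"")) + tlv(0x03, b"\x00" * 200))
SAMPLE_P7 = tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, tlv(0x30, SAMPLE_P10)))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(SAMPLE_P7).decode()
              + "-----END CERTIFICATE REQUEST-----\n")
print(classify(pem_to_der(SAMPLE_PEM)), "|", classify(SAMPLE_P10))
```

A file that classifies as "PKCS#7 signedData" will not load with `openssl req` as-is, even when its armor reads CERTIFICATE REQUEST.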