CSR: Extract PKCS#10 contained in a PKCS#7
Hi everyone: let's see if someone can help me ;) I'm quite a noob in this field, so please be gentle. At my job someone passed me a CSR. This CSR is a PKCS#10 request enveloped in a PKCS#7 request. My task is to extract this PKCS#10 request. I found this page, "CSR analysis failed". I read the paragraph named "Convert the renewal request generated by IIS7 Certificate Request #PKCS7 - DER to CSR in #PKCS10 format - PEM". It tells you how to do it.
I did it as they explain, but after running the last command (with my own names):
openssl req -inform der -in csr.der -out mynewcsr.csr
I got this error:
unable to load X509 request
9288:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1198:
9288:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:372:Type=X509_REQ_INFO
9288:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:694:Field=req_info, Type=X509_REQ
I've been researching and it seems to be a format error. One of the files (the initial file.csr one or the intermediate csr.der one) must be in an invalid format, so one of the commands I used cannot process it.
I'm sure that the string parsed from the PKCS#7 in ASN.1 format is the correct one.
I cannot show you the original one, but it is Base64 encoded and begins and ends with:
-----BEGIN CERTIFICATE REQUEST-----
(...)
-----END CERTIFICATE REQUEST-----
Any idea?
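The `wrong tag` error above means the decoder did not find the PKCS#10 structure it expected at the start of the input. As an added example (not part of the original post or the answer below), this stdlib-only Python code classifies a DER blob from its leading tags and searches a PKCS#7 for a nested PKCS#10. The function names and the constructed sample bytes are this example's own assumptions.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos:pos + 2]         # ValueError if the header is cut off
    body = pos + 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, body = int.from_bytes(buf[body:body + n], "big"), body + n
    if body + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, body, body + length

def classify(der):
    """Heuristic: PKCS#7 opens with its OID, PKCS#10 with SEQUENCE { INTEGER 0."""
    try:
        tag, start, _ = read_tlv(der, 0)
        first, fstart, fend = read_tlv(der, start)
    except ValueError:
        return "other"
    if tag == 0x30 and first == 0x06 and der[fstart:fend] == OID_SIGNED_DATA:
        return "pkcs7-signedData"
    if tag == 0x30 and first == 0x30 and der[fstart:fend].startswith(b"\x02\x01\x00"):
        return "pkcs10"
    return "other"

def find_pkcs10(der, base=0):
    """Depth-first search: (offset, bytes) of the first nested PKCS#10, or None."""
    pos = 0
    while pos < len(der):
        try:
            tag, start, stop = read_tlv(der, pos)
        except ValueError:                 # e.g. OCTET STRING holding raw, non-DER bytes
            return None
        if classify(der[pos:stop]) == "pkcs10":
            return base + pos, der[pos:stop]
        if tag & 0x20 or tag == 0x04:      # constructed, or OCTET STRING wrapper
            hit = find_pkcs10(der[start:stop], base + start)
            if hit:
                return hit
        pos = stop
    return None

def tlv(tag, content):                     # encoder for the constructed samples (< 128 bytes)
    return bytes([tag, len(content)]) + content
# Constructed skeletons (empty subject, no key, no signature), not real requests.
SAMPLE_P10 = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"")) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
INNER = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0xA0, tlv(0x04, SAMPLE_P10)))
SAMPLE_P7 = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + INNER)))
```

On a real file, Base64-decode the body between the PEM markers first, then pass the bytes to `classify`; anything other than `pkcs10` for the extracted file means the extraction step did not yield the bare request.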
Solution 1:
I have run into something similar in the past, and using openssl to convert the certificates from what they were into what I needed worked.
This website seems to cover the commands fairly well, but I don't know anything about their automated tool, so use with caution if you go that route.
https://www.sslshopper.com/ssl-converter.html
You can also try DigiCert's website; they have lots of useful docs and tools for beginners. I used them quite heavily for a while until I got used to the openssl tool on Linux.
Also possibly relevant:
https://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem
For reference, I have added the commands here:
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
To go a bit deeper, the CSR is generated using the private key. If the CSR is in the wrong format and you need to use the existing private key (can't generate a new one for instance), you might want to try converting the private key, then creating a new CSR. Then tell the CA what format to issue the new certificate. This should eliminate the incompatibility.
As always, back up what you have before trying anything.