Introduction to PKCS7
What is PKCS7? It is a standard in the “Public Key Cryptography Standards” used as a cryptographic message syntax and as a format for an X.509 certificate and its corresponding chain. A PKCS7 certificate bundle can be formatted as either PEM or DER.
For a deep dive, check out the PKCS#7 RFC, RFC 2315.
If you have a file you wish to decode, use our Certificate Decoder tool.
To print the certificates with openssl, use the following command:
openssl pkcs7 -inform pem -noout -text -print_certs -in example.p7b
For clarity, that command is an example of pkcs7 to pem. If the p7b file has 3 certificates bundled, it will print out 3 consecutive pem encoded certificates. If it has 4, it will print out 4 and so on. This command converts the PKCS#7 file from a p7b bundle to a series of x509 certificates.
Let’s describe the flags in this command:
-inform: can be pem or der. Defaults to pem if not specified.
-noout: don’t output the encoded version
-text: print the full details of each certificate, not just its subject and issuer
-print_certs: print the certificates in the bundle
-in: the pkcs7 format certificate file
To convert from PEM to DER:
openssl pkcs7 -in file.pem -outform DER -out file.der
Now let’s describe the flags in this command:
-in: the pkcs7 format certificate file
-outform: the format to convert to
-out: the file name of the converted file
To convert pem encoded certificate and optional chain to pkcs7:
openssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile cacertchain.pem -outform DER -out p7.der
Description of flags in this command:
-nocrl: Specifies that this is only a conversion of certificates, not a crl.
-certfile: The pem encoded certificate file to be converted
-certfile: Notice that this flag is used twice. It can be used multiple times to load certificates from multiple files. In this case, the end entity certificate and its chain are in separate files.
-outform: Can be PEM or DER
-out: The converted file
It is unfortunate that openssl has not provided a separate command for pem to pkcs7 conversion. In the example provided, we chose not to convert a crl because that is relatively uncommon. The command is most useful for pem to pkcs7 conversion.
Generally, a pkcs7 certificate begins with the header “-----BEGIN PKCS7-----” and ends with the footer “-----END PKCS7-----”. This differentiates it from the standard pem header and footer. That is 5 hyphens both before and after the header words.
While openssl will accept the header and footer “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”, this is generally discouraged so as not to confuse the file with a pem encoded X.509 certificate. BEGIN PKCS7 is the accepted wording for the header.
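As an added example (not part of the original post), the script below exercises the conversions described above end to end with a constructed throwaway CA and leaf certificate: pem to p7b with crl2pkcs7, p7b between PEM and DER, and p7b back to individual pem certificates with -print_certs, checking along the way that the bundle carries the BEGIN PKCS7 header. It assumes openssl is on PATH; every name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a two-certificate chain,
# bundle it with crl2pkcs7, convert the bundle between PEM and DER, and
# count the X.509 certificates that -print_certs extracts from it.
# Assumes openssl is on PATH; every key, name and file here is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA and leaf certificates (not real identities).
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# PEM certificate(s) -> PKCS#7 bundle. -nocrl: certificates only, no CRL.
pem_to_p7b() {  # $1 = end entity pem, $2 = chain pem, $3 = output .p7b (PEM)
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -outform PEM -out "$3"
}

# PKCS#7 PEM -> DER and DER -> PEM, as in the post.
p7b_to_der() { openssl pkcs7 -inform PEM -in "$1" -outform DER -out "$2"; }
der_to_p7b() { openssl pkcs7 -inform DER -in "$1" -outform PEM -out "$2"; }

# Count certificates in a PKCS#7 file ($1 = PEM|DER, $2 = file). -noout is
# left out on purpose: it suppresses the PEM blocks being counted here.
count_certs() {
    openssl pkcs7 -inform "$1" -in "$2" -print_certs \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# True when the file carries the PKCS7 header rather than a CERTIFICATE one.
has_pkcs7_header() { head -n 1 "$1" | grep -q -- '^-----BEGIN PKCS7-----$'; }

demo() {
    make_chain
    pem_to_p7b "$WORK/leaf.pem" "$WORK/ca.pem" "$WORK/bundle.p7b"
    p7b_to_der "$WORK/bundle.p7b" "$WORK/bundle.der"
    der_to_p7b "$WORK/bundle.der" "$WORK/roundtrip.p7b"
    has_pkcs7_header "$WORK/bundle.p7b" && echo "bundle uses BEGIN PKCS7"
    echo "certs in PEM bundle: $(count_certs PEM "$WORK/bundle.p7b")"
    echo "certs in DER bundle: $(count_certs DER "$WORK/bundle.der")"
    if cmp -s "$WORK/bundle.p7b" "$WORK/roundtrip.p7b"; then echo "round trip is byte-identical"; fi
}
demo
```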
pkcs7 vs pkcs12 (pkcs12 vs pkcs7)
It is rather common for the comparison of these two standards to come up, especially for beginners in PKI and digital certificates.
Many times, the question is answered by the file extension: .p7b vs .p12 (or .pfx). The file extension is commonly p7b, but may be whatever is most readable in your situation. If the p7b is in binary, it may make sense to just use the .der file extension.
In essence, a .p7b holds one or more certificates with no associated private key, where the certificates are all encoded together and not separately, whereas a .p12, or pkcs12 keystore, holds one or more certificates with their associated private key. It’s really as simple as that.
For more information on the PKCS12 format, read this post.
x509 vs pkcs7 (pkcs7 vs x509)
The difference between an x509 certificate and a certificate bundle in PKCS7 format is that the PKCS7 bundle, which may hold a chain or a single x509 certificate, is pem encoded as a whole rather than as an individual x509 certificate. Also, as discussed above, the header and footer are different.
PKCS#7 SignedData – Signing and Verification
You may occasionally see a .p7s attachment on a signed email. This is the file extension used for an email signature in the PKCS#7 SignedData format.
If there are any commands we have not covered by openssl, please leave a comment asking for an example.