Introduction to PKCS7
What is PKCS7? It is one of the “Public Key Cryptography Standards”: a cryptographic message syntax for signed and enveloped data that is also widely used as a container for an X.509 certificate and its chain. In that use the file is a SignedData structure with no signers and no content (a so-called degenerate SignedData) that carries only the certificates. A PKCS7 certificate bundle can be encoded as either PEM or DER.
For a deep dive, check out RFC 2315. Its successor, the Cryptographic Message Syntax (CMS) in RFC 5652, keeps the same structure, so everything below applies to CMS bundles as well.
openssl pkcs7
To print the certificates with openssl, use the following command:
openssl pkcs7 -inform pem -noout -text -print_certs -in example.p7b
Let’s describe the flags in this command:
-inform: the encoding of the input file, pem or der. Defaults to pem if not specified.
-noout: don’t write the encoded PKCS7 structure back out (without it, openssl re-emits the whole bundle after the printed certificates)
-text: print the full details of each certificate rather than just its subject and issuer names
-print_certs: print the certificates (and any CRLs) in the bundle
-in: the pkcs7 formatted certificate file
To convert from PEM to DER:
openssl pkcs7 -in file.pem -outform DER -out file.der
Now let’s describe the flags in this command:
-in: the pkcs7 formatted certificate file
-outform: the format to convert to, PEM or DER (the input is read as PEM unless -inform der is given)
-out: the file name of the converted file
To convert pem encoded certificate and optional chain to pkcs7:
openssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile cacertchain.pem -outform DER -out p7.der
Description of flags in this command:
-nocrl: Specifies that this is only a conversion of certificates, not a CRL. Without it, crl2pkcs7 also reads a CRL from the -in file (or standard input) and includes it in the output.
-certfile: A PEM encoded file holding one or more certificates to include in the bundle
-certfile: Notice that this flag is used twice. It can be used multiple times to load certificates from multiple files. In this case, the end entity certificate and its chain are in separate files; the order in which they are given is the order they appear in the bundle.
-outform: Can be PEM or DER
-out: The converted file
It is unfortunate that openssl has not provided a separate command for pem to pkcs7 conversion; crl2pkcs7 with -nocrl is the documented way to do it, and that is what the command is most useful for. In the example we chose not to include a CRL, since bundling a CRL with the certificates is relatively uncommon.
pkcs7 format
Generally, a pkcs7 file begins with the header “-----BEGIN PKCS7-----” and ends with the footer “-----END PKCS7-----”. This differentiates it from a pem encoded X.509 certificate, which uses “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.
openssl will also accept a pkcs7 bundle wrapped in the “-----BEGIN CERTIFICATE-----” / “-----END CERTIFICATE-----” header and footer, because some CAs deliver bundles that way, but this is generally discouraged so as not to confuse it with a single pem encoded X.509 certificate. A quick way to tell them apart: if openssl x509 -noout -subject fails on a file with a CERTIFICATE header, try openssl pkcs7 -print_certs on it instead.
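The following Python script is an added example, not code from the original post or from OpenSSL. It builds the same degenerate SignedData structure that the crl2pkcs7 -nocrl command above produces, wraps it in PEM with the PKCS7 header, unwraps it again (accepting the CERTIFICATE label the way openssl does), and walks the DER to pull out each certificate, which is what -print_certs does. It uses only the standard library and a small hand-written DER encoder/decoder. The two “certificates” are constructed placeholder SEQUENCEs, not real X.509 certificates, and all function and constant names are my own; the DER of a real certificate (openssl x509 -outform DER) slots in unchanged.

```python
"""Build, PEM-wrap and parse a degenerate PKCS#7 SignedData certificate bundle (RFC 2315).
Added example for this page, not OpenSSL code; standard library only, single-byte tags only."""
import base64

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData
OID_DATA = "1.2.840.113549.1.7.1"         # id-data, the (absent) inner content

def _der_len(n):
    """DER length: short form below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += enc
    return der_tlv(0x06, bytes(body))

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, content, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end

def der_children(content):
    """Split a constructed element's content into (tag, content, raw_tlv) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = der_read(content, pos)
        out.append((tag, body, raw))
    return out

def build_p7b(cert_ders):
    """Bundle DER certificates the way crl2pkcs7 -nocrl does: SignedData with no signers and no content."""
    signed_data = (der_tlv(0x02, b"\x01")                 # version 1
                   + der_tlv(0x31, b"")                   # digestAlgorithms: empty SET
                   + der_tlv(0x30, der_oid(OID_DATA))     # contentInfo: id-data, content absent
                   + der_tlv(0xA0, b"".join(cert_ders))   # [0] IMPLICIT certificates
                   + der_tlv(0x31, b""))                  # signerInfos: empty SET
    return der_tlv(0x30, der_oid(OID_SIGNED_DATA) + der_tlv(0xA0, der_tlv(0x30, signed_data)))

def extract_certs(p7_der):
    """Return the raw DER of each certificate in a SignedData, which is what -print_certs walks."""
    tag, content_info, _, _ = der_read(p7_der)
    fields = der_children(content_info) if tag == 0x30 else []
    if len(fields) != 2 or fields[0][0] != 0x06 or fields[0][1] != der_oid(OID_SIGNED_DATA)[2:]:
        raise ValueError("not a PKCS#7 SignedData")  # compares against the OID's content octets
    if fields[1][0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, signed_data, _, _ = der_read(fields[1][1])  # unwrap the EXPLICIT tag to reach the SEQUENCE
    certs = []
    for tag, body, _ in der_children(signed_data):
        if tag == 0xA0:  # [0] IMPLICIT certificates; each Certificate is itself a SEQUENCE
            certs = [raw for t, _, raw in der_children(body) if t == 0x30]
    return certs

def to_pem(der, label="PKCS7"):
    """PEM armour in 64-character lines; -outform PEM uses the PKCS7 label."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def from_pem(pem):
    """Unwrap PEM into (label, der). Accepts PKCS7 and, like openssl, the CERTIFICATE label some CAs use."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if not lines[0].startswith("-----BEGIN ") or lines[-1] != f"-----END {label}-----":
        raise ValueError("not PEM armoured, or footer does not match header")
    if label not in ("PKCS7", "CERTIFICATE"):
        raise ValueError(f"unexpected PEM label {label!r}")
    return label, base64.b64decode("".join(lines[1:-1]))

# Constructed placeholders for an end-entity and a CA certificate (not real X.509). The DER of a real
# certificate (openssl x509 -in cert.pem -outform DER) is also a SEQUENCE and slots in unchanged.
SAMPLE_LEAF = der_tlv(0x30, der_tlv(0x0C, b"placeholder: end-entity certificate"))
SAMPLE_CA = der_tlv(0x30, der_tlv(0x0C, b"placeholder: CA certificate " + b"." * 150))  # >127 bytes: long-form lengths

if __name__ == "__main__":
    der = build_p7b([SAMPLE_LEAF, SAMPLE_CA])          # crl2pkcs7 -nocrl -certfile leaf -certfile ca -outform DER
    pem = to_pem(der)                                   # -outform PEM
    print(pem, end="")
    _, der_back = from_pem(pem)                         # openssl pkcs7 -inform pem
    for i, cert in enumerate(extract_certs(der_back)):  # -print_certs
        print(f"certificate {i}: {len(cert)} bytes of DER")
```

To check a bundle a CA has sent you, read the file with from_pem (or pass the raw bytes straight to extract_certs if it is DER) and compare the number of certificates returned with what openssl pkcs7 -print_certs lists; the two should agree, and any ValueError from extract_certs means the file is not a SignedData at all and is probably a plain certificate or something else wearing the wrong header.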
pkcs7 vs pkcs12
It is rather common for the comparison of these two standards to come up, especially for beginners in PKI and digital certificates.
Many times, the question is answered by the file extension: .p7b vs .p12 (or .pfx).
In essence, a .p7b holds one or more certificates with no associated private key, whereas a .p12, or pkcs12 keystore, holds one or more certificates together with the associated private key and is therefore normally encrypted under a password. A .p7b can be handed out freely; a .p12 must be protected like any other secret. It’s really as simple as that.
Conclusion
If there are any openssl commands we have not covered, please leave a comment asking for an example.
For even more detail on the openssl commands, visit the OpenSSL man pages, starting with the page for openssl pkcs7:
https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs7.html