Knowledge Base Article

Certificate File Manipulation using OpenSSL

P7B to PEM conversion; fetching the SN# and signature

Use case:

  • I have a TLS bypass rule for a domain that I would like removed. I added this rule because the certificate is not trusted. Now I need to grab certificate details.
  • I have a certificate that appears to be missing from the Cato TLS store, and I want to report it to Cato Support. However, I only have a p7b file, which only works on Windows. How do I convert it to a regular certificate and share just that with Support?

Prerequisites: A system with OpenSSL installed. If you are using a MacBook, install Homebrew and update the OpenSSL libraries to the latest version [version as of writing this article - 3.6.0].

Solution:

  • If you already have a pem file that opens in a text editor and shows BEGIN and END lines around a block of encoded text, skip to the final step #3.

Procedure:

  1. Save the p7b file in a folder and run the following openssl pkcs7 command from that folder: "openssl pkcs7 -inform DER -in input_file.p7b -print_certs -out output_file.pem"
  2. Once it is converted, open the output .pem file (cdrts.pem in the sample below) in a text editor.
  3. Copy each block of text from the BEGIN line to the END line individually and save each one in a separate file with a .pem extension. This is needed because openssl x509 reads only the first certificate in a file.
  4. Then use the following openssl command to fetch the SN# and SHA256 fingerprint for each file: "openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256"

Sample conversion using above method:

xyz@Linux-Host1 % openssl pkcs7 -inform DER -in corphqglobal.p7b -print_certs -out cdrts.pem

xyz@Linux-Host1 % openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256 -dates -subject

The second OpenSSL command above fetches the SN, SHA256 fingerprint (hash), validity dates and subject. You can also add the "-issuer" parameter to get the name of the issuer CA.
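
Added example (not part of the original article): a shell script that automates steps 3 and 4 by splitting the converted bundle into one file per certificate and printing the SN and SHA256 fingerprint of each. The function names, file names and the two throwaway self-signed certificates in the sample p7b are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: automate steps 3 and 4 for a PEM bundle produced by
# "openssl pkcs7 -print_certs". All function names are hypothetical.

# split_bundle BUNDLE OUTDIR: write each certificate in BUNDLE to
# OUTDIR/cert-NN.pem and print how many certificates were written.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v pfx="$2/cert-" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s%02d.pem", pfx, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# cert_details FILE: serial number and SHA256 fingerprint, as in step 4.
# openssl x509 reads only the first certificate in FILE, hence the split.
cert_details() {
    openssl x509 -in "$1" -noout -serial -fingerprint -sha256
}

# report_p7b P7B WORKDIR: convert (step 1), split (step 3), report (step 4).
report_p7b() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2/bundle.pem" || return 1
    split_bundle "$2/bundle.pem" "$2/split" >/dev/null || return 1
    for f in "$2"/split/cert-*.pem; do
        echo "== $f"
        cert_details "$f" || return 1
    done
}

# make_sample_p7b DIR: build a constructed two-certificate DER .p7b from
# throwaway self-signed certificates so the example runs offline.
make_sample_p7b() {
    for cn in constructed-root constructed-leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$1/$cn.key" -out "$1/$cn.crt" 2>/dev/null || return 1
    done
    cat "$1/constructed-root.crt" "$1/constructed-leaf.crt" > "$1/both.crt"
    openssl crl2pkcs7 -nocrl -certfile "$1/both.crt" -outform DER -out "$1/sample.p7b"
}

demo_dir=$(mktemp -d) && make_sample_p7b "$demo_dir" && report_p7b "$demo_dir/sample.p7b" "$demo_dir"
```

For a real file, call report_p7b with your own p7b and an existing working folder. If the p7b file is itself text (PEM) rather than binary, the conversion in step 1 needs "-inform PEM" instead of "-inform DER".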

 

Other alternate solutions:

    • Although it is clumsy and makes it hard to copy and paste just the SN or hash, you can use an internet browser such as Google Chrome to view certificate details from the "view site info" icon (or a padlock icon on other browsers) next to the browser address bar.
    • Use ChatGPT or Copilot and upload the p7b file there. I have tried it, but I did not get the right SN 100% of the time. I would encourage verifying the results with step 4 above. Be careful not to upload any private keys to online AI tools.
Updated 2 days ago
Version 5.0