Certificate File Manipulation using OpenSSL
Use case:
I have a TLS bypass rule for a domain that I would like removed. I added this rule because the certificate is not trusted. Now I need to grab certificate details. I have a certificate that appears to be missing from the Cato TLS store. I want to report the same to Cato Support. However, I have a p7b file, which only works on Windows. How do I convert it to a regular certificate and just share it with support?

Prerequisites:
A system with OpenSSL installed. If you are using a MacBook, install Homebrew and update the OpenSSL libraries to the latest version (3.6.0 as of writing this article).

    xyz@MacBook1 ~ % /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    xyz@MacBook1 ~ % brew update
    xyz@MacBook1 ~ % brew install openssl@3
    xyz@MacBook1 ~ % openssl version

Solution:
If you have a pem file which can be opened in a text editor and it shows BEGIN and END lines with hashes, skip to the final step #3.

Procedure:
1. Save the p7b file in a folder and run the following openssl pkcs7 command from that folder:

    openssl pkcs7 -inform DER -in input_file.p7b -print_certs -out output_file.pem

2. Once it is converted, open the output file (cdrts.pem in the sample below) in a text editor. Individually copy the text from BEGIN to END and save each block in a separate file with a .pem extension.
3. Then use the following openssl command to fetch the SN# and SHA256 fingerprint for each file:

    openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256

Sample conversion using the above method:

    xyz@Linux-Host1 % openssl pkcs7 -inform DER -in corphqglobal.p7b -print_certs -out cdrts.pem
    xyz@Linux-Host1 % openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256 -dates -subject

Other alternate solutions:
- Although clumsy and not easy to copy and paste just the SN or hash, you can use an internet browser such as Google Chrome to view certificate details from the "view site info" icon (or a padlock icon on other browsers) next to the browser address bar.
- Use ChatGPT or Copilot and upload the p7b file there. I have tried it, but not 100% of the time did I get the right SN. I would encourage verifying the results with step 4 above. Be careful not to upload any private keys to online AI tools.
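The three procedure steps above as one script, added here as an example and not part of the original post: it converts the p7b, splits the bundle into one file per certificate, and prints serial, SHA-256 fingerprint, dates and subject for each. The function names, the cert-N.pem and bundle.pem file names, and the PEM fallback for base64-encoded p7b files are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post). The names cert-N.pem and
# bundle.pem are assumptions chosen for this script.

# split_bundle BUNDLE OUTDIR
# Write every BEGIN..END CERTIFICATE block to OUTDIR/cert-N.pem, dropping the
# subject=/issuer= lines that "pkcs7 -print_certs" puts between blocks.
# Prints the number of certificates written.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# report_certs OUTDIR
# "openssl x509" reads only the first certificate in a file, which is why the
# bundle is split first; each file is then reported on its own.
report_certs() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -serial -fingerprint -sha256 -dates -subject
    done
}

# p7b_report INPUT.p7b OUTDIR
# Full procedure. Tries DER as in the post, then PEM (assumption: some p7b
# files are base64 text rather than binary).
p7b_report() {
    mkdir -p "$2" || return 1
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2/bundle.pem" 2>/dev/null ||
        openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2/bundle.pem" || return 1
    count=$(split_bundle "$2/bundle.pem" "$2") || return 1
    echo "certificates found: $count"
    report_certs "$2"
}

# Runs only when called with arguments, e.g.: sh p7b_report.sh corphqglobal.p7b out
if [ "$#" -ge 2 ]; then p7b_report "$1" "$2"; fi
```

Only certificates are written to the output folder, so the resulting cert-N.pem files can be shared without exposing key material.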
Community Guidelines

Welcome to Cato Connect! We’re excited to have you here. Cato Networks created the Cato Connect community to give our customers, partners, and employees a place to discuss and collaborate on Cato and SASE. In order to keep everything running smoothly, we’re following these guidelines and are expecting users to do the same:

Do:
- Stay respectful and be nice – we are all here to problem-solve and learn, keep your comments respectful and avoid vulgar or derogatory speech.
- Keep it on topic – Cato Networks and SASE provide us plenty of fodder for conversations, let’s stick to those on Cato Connect.
- Protect your privacy – keep your network and API keys to yourselves, people! Along with your emails, your addresses, or anything you wouldn’t otherwise plaster on the internet. Protect other people’s privacy as well and don’t post it online. I know you know this, but it bears repeating.
- Keep in mind that this content is user generated – Many of the solutions you’ll find here may very well work for you (and yay), but sometimes, people have their software configured differently. Use your good judgement when implementing solutions found here.

Don’t:
- Post anything illegal – respect the rules of your organization, copyrights, trade secrets, and any nondisclosure agreements you’re beholden to. Lawyers are expensive.
- Spam – while some forms of spamming may be obvious (we’ve all seen those condo or printer ads on software communities before), some might be a little more obscure. Please refrain from posting your question in multiple forums or the same comment on multiple threads if it’s not relevant. Please do not send unsolicited private messages that are off topic. We will know, and we will moderate you.
- Solicit business – keep our community clear of posts that are for advertising and soliciting business, trust that if you make yourself famous by answering questions and participating in the community, our smart and attentive members will notice and reach out if they’d like to work with you.
- Get weird with images – keep images clean and safe-for-work. Inappropriate language or visuals in images are a no-no and we will remove them.

We are over the moon that you’ve joined and want to make this experience the best for you! If you see spam or inappropriate behavior, report it. If you need help, come find us. And if you have suggestions for the community, post them here!

By participating in these forums, you agree to the Terms of Service for the Cato Connect Community.