OpenSSL PKCS7 Certificate Utilities

From UNIX Systems Administration

PKCS7 Information

  • Extension(s) .p7b, .p7c, .spc, .pem
  • A PKCS7 certificate is serialized using either PEM or DER format.
  • A PKCS7 certificate (or PKCS #7 certificate) is a degenerate form of the PKCS #7 cryptographic message standard defined in RFC 2315. It stores only X.509 certificates (or possibly a certificate revocation list), with no encrypted data.
  • PEM-formatted files have a line that reads "-----BEGIN PKCS7-----" or "-----BEGIN PKCS #7 SIGNED DATA-----" or "-----BEGIN CERTIFICATE-----". However, this does not distinguish them from other PKCS7 data types.

PKCS7 Commands

  1. If the file contains "-----BEGIN CERTIFICATE-----", verify that the file is a PKCS7.
    1. # openssl pkcs7 -text -in <certificate>.crt
    2. The output will include a line that reads "-----BEGIN PKCS7-----" or "-----END PKCS7-----".
  2. View the contents of a PKCS7 DER-formatted certificate:
    1. # openssl pkcs7 -inform der -noout -text -print_certs -in <certificate>.p7b
  3. View the contents of a PKCS7 PEM-formatted certificate.
    1. # openssl pkcs7 -noout -text -print_certs -in <certificate>.p7b
  4. Convert a PKCS7 DER-formatted certificate to a PKCS7 PEM-formatted certificate.
    1. # openssl pkcs7 -inform der -in <certificate-der>.p7b -out <certificate-pem>.p7b
  5. Convert a PKCS7 PEM-formatted certificate to a PKCS7 DER-formatted certificate.
    1. # openssl pkcs7 -in <certificate-pem>.p7b -outform der -out <certificate-der>.p7b
  6. Convert a PKCS7 DER-formatted certificate to an x509 PEM-formatted certificate.
    1. # openssl pkcs7 -inform der -in <certificate-der>.p7b -print_certs -out <certificate-x509>.crt
  7. Convert a PKCS7 PEM-formatted certificate to an x509 PEM-formatted certificate.
    1. # openssl pkcs7 -in <certificate-pem>.p7b -print_certs -out <certificate-x509>.crt
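
The label ambiguity noted under PKCS7 Information, and checked with openssl in step 1, can also be resolved by looking at the DER body rather than the PEM label. The following is an added example, not part of the original page: the function names, result strings and the two embedded samples are constructed for illustration, and the check inspects only the outermost ASN.1 structure without validating the contents.

```python
import base64
import re

# DER value bytes of the PKCS #7 OID arc 1.2.840.113549.1.7; the final byte selects the type.
PKCS7_ARC = bytes.fromhex("2a864886f70d0107")
PKCS7_TYPES = {1: "data", 2: "signedData", 3: "envelopedData",
               4: "signedAndEnvelopedData", 5: "digestedData", 6: "encryptedData"}
PEM_RE = re.compile(rb"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify(data):
    """Return (pem_label_or_None, kind), judging kind from the DER body only."""
    label = None
    m = PEM_RE.search(data)
    try:
        if m:  # PEM input: remember the label, then ignore it for classification
            label = m.group(1).decode()
            data = base64.b64decode(m.group(2))
        outer_tag, body, _ = read_tlv(data)
        first_tag, first, _ = read_tlv(body)
    except (ValueError, IndexError):  # bad base64, truncated or empty input
        return label, "unknown"
    if outer_tag == 0x30 and first_tag == 0x06 and first[:-1] == PKCS7_ARC:
        return label, "pkcs7:" + PKCS7_TYPES.get(first[-1], "other")
    if outer_tag == 0x30 and first_tag == 0x30:
        return label, "certificate-like"  # X.509 starts with the tbsCertificate SEQUENCE
    return label, "unknown"

def pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

# Constructed samples: an empty degenerate signedData, and a stub with only a certificate's outer shape.
P7_DER = bytes.fromhex("302306092a864886f70d010702a0163014020101310030"
                       "0b06092a864886f70d0107013100")
CERT_STUB = bytes.fromhex("30053003020102")

if __name__ == "__main__":
    for sample in (pem("CERTIFICATE", P7_DER), pem("CERTIFICATE", CERT_STUB), P7_DER):
        print(classify(sample))
```

A "certificate-like" result only means the body is a SEQUENCE whose first element is a SEQUENCE, a shape shared by certificates, CRLs and certificate requests, so confirm the result with the openssl commands above.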
