How to Extract and View All Certificates from a PEM Bundle Using OpenSSL


3 views

When working with SSL/TLS certificate bundles (typically .crt or .pem files), you'll often encounter files containing multiple certificates concatenated together. A common frustration occurs when using basic OpenSSL commands that only display the first certificate in the chain.

A typical certificate bundle contains:

-----BEGIN CERTIFICATE-----
[Leaf Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA]
-----END CERTIFICATE-----

To view all certificates in the bundle, use this OpenSSL command sequence:

openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -text -noout

Alternatively, for more granular control:

# Count certificates in bundle
openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs | grep -c "BEGIN CERTIFICATE"

# Extract each certificate individually
awk '/BEGIN CERT/{i++}{print > "cert"i".pem"}' bundle.crt

Let's process a sample bundle with 3 certificates:

$ openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234567890 (0x499602d2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan  1 00:00:00 2023 GMT
            Not After : Apr  1 00:00:00 2023 GMT
        Subject: CN = example.com
...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234567890 (0x499602d2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
...

For those working with different certificate formats:

# For PKCS#7 bundles (.p7b)
openssl pkcs7 -in bundle.p7b -print_certs -text -noout

# For a DER-encoded certificate (DER holds a single certificate, not a concatenated bundle)
openssl x509 -inform der -in cert.der -text -noout

Create a bash function for your shell:

viewcerts() {
    if [ -z "$1" ]; then
        echo "Usage: viewcerts <bundle-file>"
        return 1
    fi
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -text -noout
}

Add this to your ~/.bashrc or ~/.zshrc for permanent access.


When working with SSL/TLS certificates, you'll often encounter certificate bundles (typically with .crt, .pem, or .bundle extensions). These files contain multiple certificates concatenated together - usually including the end-entity certificate, intermediate certificates, and sometimes the root certificate.

The standard command:

openssl x509 -in bundle.crt -text -noout

only shows the first certificate in the file, because x509 reads a single PEM block and ignores everything after it. This can be frustrating when you need to inspect all certificates in the bundle.

Here are several methods to view all certificates in a bundle:

Method 1: Using openssl crl2pkcs7

openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -text -noout

This wraps all certificates in the file into a single PKCS#7 structure, which pkcs7 -print_certs then prints in full.

Method 2: Parsing with awk

awk '/BEGIN CERT/{i++} {print > "cert" i ".pem"}' bundle.crt
for cert in cert*.pem; do
    openssl x509 -in "$cert" -text -noout
    echo "------------------------"
done
rm cert*.pem

This splits the bundle into individual files then processes each one.

Method 3: Using grep and while loop

grep -n 'BEGIN CERTIFICATE' bundle.crt | cut -d : -f 1 | \
while read -r line; do
    tail -n +"$line" bundle.crt | \
    openssl x509 -noout -text | head -n 20
    echo "------------------------"
done

Other command-line tools that print certificate details:

  • OpenSSL s_client (fetches the chain a live server sends, rather than reading a file): openssl s_client -showcerts -connect example.com:443
  • certtool (from GnuTLS): certtool --certificate-info --infile bundle.crt

Let's say you have a bundle with three certificates:

-----BEGIN CERTIFICATE-----
[Certificate 1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Certificate 2]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Certificate 3]
-----END CERTIFICATE-----

Using Method 1 would display all three certificates with their full details, including subject, issuer, validity periods, and extensions.

To verify the chain is complete and properly ordered:

openssl verify -untrusted bundle.crt end-entity.crt

This helps ensure your bundle contains all necessary intermediates in the correct order. Note that openssl verify checks the chain against the system trust store unless you pass -CAfile, and it rebuilds the chain from the untrusted pool regardless of file order, so a bundle that verifies here can still be out of order; TLS servers generally expect the end-entity certificate first, each certificate followed by its issuer.
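The splitting methods above and the chain check both benefit from one set of reusable shell functions. The following is an added example, not code from the original post: it splits a bundle with awk (copying only the lines between the BEGIN/END markers, so stray comment lines are dropped, and zero-padding the file index so globs stay in bundle order past nine certificates), prints a one-line summary per certificate, and checks the ordering that openssl verify does not check, namely that each certificate's issuer is the subject of the next one. It assumes a POSIX shell with awk, grep, sed and mktemp, and the openssl CLI for the summary and order-check steps; the file names cert-01.pem and the make_sample_bundle helper are this example's own, and the sample bundle it writes contains placeholder base64 bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a POSIX shell with awk,
# grep, sed, mktemp, and the openssl CLI (only needed by summarize_bundle and
# check_chain_order). File names such as cert-01.pem are this example's own.

# count_certs FILE: number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# split_certs FILE OUTDIR: write OUTDIR/cert-01.pem, cert-02.pem, ... in
# bundle order. Only lines inside the BEGIN/END markers are copied, so any
# "subject=" comments or blank lines between blocks are dropped; the
# zero-padded index keeps shell globs in bundle order past nine certificates.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# cert_field FILE subject|issuer: the DN as printed by openssl, prefix removed.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2=//"
}

# summarize_bundle FILE: one line per certificate with subject, issuer, expiry.
summarize_bundle() {
    tmp=$(mktemp -d) || return 1
    split_certs "$1" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -enddate | tr '\n' ' '
        echo
    done
    rm -rf "$tmp"
}

# check_chain_order FILE: succeed only if each certificate's issuer is the
# subject of the next one (leaf first, as TLS servers expect). openssl verify
# does not check this: it rebuilds the chain from the pool of untrusted
# certificates in whatever order they appear.
check_chain_order() {
    tmp=$(mktemp -d) || return 1
    split_certs "$1" "$tmp"
    rc=0
    prev=""
    for f in "$tmp"/cert-*.pem; do
        if [ -n "$prev" ] && [ "$(cert_field "$prev" issuer)" != "$(cert_field "$f" subject)" ]; then
            echo "order break: '$(cert_field "$prev" subject)' is not followed by its issuer" >&2
            rc=1
        fi
        prev=$f
    done
    rm -rf "$tmp"
    return $rc
}

# make_sample_bundle FILE: constructed three-block bundle for exercising the
# pure-shell helpers; the base64 bodies are placeholders, not real certificates,
# so only count_certs and split_certs can be run against it.
make_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN=leaf.example (constructed placeholder, not a real certificate)
-----BEGIN CERTIFICATE-----
TUlJQnBsYWNlaG9sZGVyLWxlYWYtY2VydGlmaWNhdGUtYm9keQ==
-----END CERTIFICATE-----
subject=CN=intermediate.example
-----BEGIN CERTIFICATE-----
TUlJQnBsYWNlaG9sZGVyLWludGVybWVkaWF0ZQ==
-----END CERTIFICATE-----

subject=CN=root.example
-----BEGIN CERTIFICATE-----
TUlJQnBsYWNlaG9sZGVyLXJvb3Q=
-----END CERTIFICATE-----
EOF
}

# Usage on a real bundle:  sh thisfile.sh bundle.crt
if [ "$#" -gt 0 ]; then
    summarize_bundle "$1" && check_chain_order "$1" && echo "chain order OK"
fi
```

Running the script with a bundle path prints one summary line per certificate and then either "chain order OK" or an "order break" message naming the certificate whose issuer does not follow it. Because the order check compares the exact issuer and subject strings as OpenSSL prints them, it works the same across OpenSSL versions even though the DN formatting differs between them.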