How to Convert P7B to PEM Using OpenSSL on Ubuntu: Solving “Expecting: PKCS7” Error



Many developers encounter certificate conversion issues when working with OpenSSL on Linux systems. The error message Expecting: PKCS7 typically appears when OpenSSL can't properly interpret the input file format.

The error occurs because openssl pkcs7 expects PEM input by default and looks for a PEM start line; a file in another encoding, such as binary DER, has no such line. The complete error looks like:

unable to load PKCS7 object
PEM routines:PEM_read_bio:no start line
pem_lib.c:696:Expecting: PKCS7

For a PEM-encoded P7B file, this command converts it to PEM certificates:

openssl pkcs7 -in certificate.p7b -print_certs -out certificate.pem

For DER-encoded P7B files (common in Windows exports), use:

openssl pkcs7 -inform der -in certificate.p7b -print_certs -out certificate.pem

If you still encounter issues, try these diagnostic steps:

# Check file type
file yourfile.p7b

# View raw content
head -n 5 yourfile.p7b

Sometimes the file might actually be in PKCS#12 format, which requires different handling. Note that -nodes writes the private key to the output file unencrypted:

openssl pkcs12 -in file.p12 -out file.pem -nodes

Here's a full workflow that handles intermediate CA certificates:

# Convert P7B to PEM
openssl pkcs7 -in chain.p7b -print_certs -out chain.pem

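# Extract leaf certificate (openssl x509 reads only the first certificate in the file,
# so this assumes the leaf comes first in chain.pem)
openssl x509 -in chain.pem -out leaf.crt

# Extract CA bundle: every certificate after the first, without the subject=/issuer= lines
awk '/-----BEGIN CERTIFICATE-----/{n++; p=1} p && n>1; /-----END CERTIFICATE-----/{p=0}' chain.pem > ca-bundle.crt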

After conversion, always verify the output:

openssl x509 -in certificate.pem -text -noout

Check for proper certificate chain:

openssl verify -CAfile ca-bundle.crt leaf.crt

When working with certificate chains in Ubuntu environments, you might encounter this frustrating OpenSSL error while converting P7B files:

vagrant@dev:/vagrant/keys$ openssl pkcs7 -print_certs -in a.p7b -out a.cer 
unable to load PKCS7 object: PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: PKCS7

This typically occurs when:
1. The input file contains malformed PKCS7 data
2. The file is actually in DER format but OpenSSL expects PEM
3. The certificate chain has improper encapsulation

Method 1: Try with -inform DER flag

Many P7B files are distributed in DER format:

openssl pkcs7 -inform DER -print_certs -in certificate.p7b -out certificate.pem

Method 2: Verify and Convert Binary P7B

First check if it's binary:

file certificate.p7b

If it shows "data", force DER format:

openssl pkcs7 -inform DER -in certificate.p7b -out certificate.pem -print_certs
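
Methods 1 and 2 both come down to telling PEM from DER before choosing -inform. The shell functions below are an added example, not part of the original article: they classify the file, run the matching openssl pkcs7 command, and reject an output that contains no certificates. The function names are hypothetical, and only the -----BEGIN PKCS7----- header is treated as PEM PKCS#7.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Classify the input by its PEM header or first byte, then pick -inform to match.

# Prints one of: pem-pkcs7 | pem-cert | der | unknown
detect_p7b_format() {
    if grep -q -e '-----BEGIN PKCS7-----' "$1" 2>/dev/null; then
        echo pem-pkcs7
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem-cert    # already PEM certificates; no pkcs7 step needed
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        echo der         # 0x30 = ASN.1 SEQUENCE tag, i.e. binary DER
    else
        echo unknown
    fi
}

# Number of certificate blocks in a PEM file
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Usage: p7b_to_pem INPUT OUTPUT
p7b_to_pem() {
    src=$1 dst=$2
    case $(detect_p7b_format "$src") in
        pem-pkcs7) openssl pkcs7 -inform PEM -in "$src" -print_certs -out "$dst" || return 1 ;;
        # A DER file that is really PKCS#12 fails here with openssl's own error.
        der)       openssl pkcs7 -inform DER -in "$src" -print_certs -out "$dst" || return 1 ;;
        pem-cert)  cp -- "$src" "$dst" || return 1 ;;
        *)         echo "unrecognised format: $src" >&2; return 1 ;;
    esac
    # Guard against an output with no certificates (for example an empty container).
    if [ "$(count_certs "$dst")" -lt 1 ]; then
        echo "no certificates written to $dst" >&2
        return 1
    fi
}
```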

Method 3: Alternative Conversion Path

For stubborn files, try this two-step process:

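# Step 1: dump every certificate in the P7B to one PEM file
openssl pkcs7 -print_certs -in certificate.p7b -out intermediate.pem
# Step 2: openssl x509 reads only the first certificate in intermediate.pem and writes it out
openssl x509 -in intermediate.pem -out final_certificate.pem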

If you're still having issues:

  • Verify the P7B contains valid certificates: openssl asn1parse -in file.p7b -inform DER
  • Check for file corruption: openssl pkcs7 -in file.p7b -inform DER -noout -text
  • Try different OpenSSL versions (1.1.1 vs 3.0)

Here's how we fixed a production certificate chain:

# First convert the chain
openssl pkcs7 -inform DER -in chain.p7b -print_certs > fullchain.pem

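# Then extract individual certs (cert1.pem, cert2.pem, ...), skipping the subject=/issuer= lines
# The output file name is parenthesized so it parses the same way in every awk
awk '/-----BEGIN CERTIFICATE-----/{n++; p=1} p{print > ("cert" n ".pem")} /-----END CERTIFICATE-----/{p=0}' fullchain.pem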