On Ubuntu, I cannot convert certificate using openssl successfully.
vagrant@dev:/vagrant/keys$ openssl pkcs7 -print_certs -in a.p7b -out a.cer
unable to load PKCS7 object <blah blah>:PEM
routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: PKCS7
Have you seen this error before?
So to combine the above answers, the command is:
openssl pkcs7 -in cert.p7b -inform DER -print_certs -out cert.pem
Verified to be working on Windows, using OpenSSL-Win64
/Thanks Bogdan for spotting the error
I followed this guide that instructs you to change the header/footer lines from
-----BEGIN PKCS #7 SIGNED DATA-----
[data]
-----END PKCS #7 SIGNED DATA-----
to
-----BEGIN CERTIFICATE-----
[data]
-----END CERTIFICATE-----
Then run the command openssl pkcs7 -in foo.modified.crt -print_certs -out foo.certs (where foo.modified.crt is the file that you saved the modified version into). This gave me the same results as running through a Windows certificate export as suggested in other answers.
As far as I know, the following should convert a pkcs7 cert to a pem
openssl pkcs7 -in certificate_file.p7b -print_certs -out cert.pem
quick solution in my case (a lot of files with missing header/footer) :
base64 -d $FILE | openssl pkcs7 -inform DER -print_certs
# Decode base64 encoded string into DER-encoded binary
base64 --decode signature > signature.cer
# Convert DER-encoded binary to PEM-encoded P7B
openssl pkcs7 -inform der -in signature.cer -out signature.p7b
# Convert PEM-encoded P7B to PEM-encoded CRT
openssl pkcs7 -print_certs -in signature.p7b -out signature.crt
# OR: Convert DER-encoded binary to PEM-encoded CRT
openssl pkcs7 -print_certs -inform der -in signature.cer -out signature.crt
# signature.p7b
-----BEGIN PKCS7-----
[...]
-----END PKCS7-----
# signature.crt
subject=[...]
issuer=[...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
# Read contents in PEM-encoded CRT
keytool -printcert -file signature.crt
I had this problem too. I was going to verify a p7b file I copied from a Win7 host.
I found out that gnome keyring can import the certificate. From there it's easy to export to DER
openssl pkcs7 -print_certs -in intermediates.p7b -out intermediates.cer
My source file was in text with -----BEGIN PKCS7----- as the header... This method worked for me while others did not.
If you get the following error:
unable to load PKCS7 object
140368561349952:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: PKCS7
make sure the content of the p7b in below format (-----BEGIN PKCS7----- and -----END PKCS7----- in separate lines).
Before:
-----BEGIN PKCS7-----CONTENT-----END PKCS7-----
After:
-----BEGIN PKCS7-----
CONTENT
-----END PKCS7-----
openssl pkcs7 -print_certs -in domain.p7b -out domain.cer
openssl pkcs12 -export -out domain.pfx -in domain.cer -inkey domain.key -passout pass:REAL_PASSWORD
On a linux(ubuntu) machine (I couldn't succeed on Macosx)
Copy your PKCS7.p7b file as PKCS7.crt
Add -----BEGIN CERTIFICATE----- to the beginning and -----END CERTIFICATE----- to the end of the PKCS7.crt
convert crt to pem
openssl pkcs7 -print_certs -in PKCS7.crt -out fullchain.pem
prepend the domain's certificate(yourdomain.crt) to the fullchain.pem
use it for "ssl_certificate" in your nginx conf
reload nginx (nginx -s reload)
check your domain's certificate via https://www.sslshopper.com/ssl-checker.html
Thanks for the guide at https://www.veritech.net/convert-p7b-certificate-pfx/
