Syntax#
General syntax#
-- ContentInfo is the outer wrapper of a PKCS #7 object: contentType names one of
-- the content types defined below and decides how content must be decoded.
ContentInfo ::= SEQUENCE {
contentType ContentType,
-- content is OPTIONAL. RFC 2315 says that when it is absent its value must be
-- supplied by other means, so a consumer has to handle the absent case
-- explicitly instead of treating it as empty data.
content
[0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
ContentType ::= OBJECT IDENTIFIER
Data content type#
-- Data is an arbitrary octet string; its interpretation is left to the application.
Data ::= OCTET STRING
Signed-data content type#
-- SignedData carries content of any type plus the signatures of any number of
-- signers. RFC 2315 allows zero signers (the degenerate case used to distribute
-- certificates and CRLs), so an empty signerInfos set authenticates nothing.
SignedData ::= SEQUENCE {
version Version,
-- Digest algorithms used by the signers, listed before the content.
digestAlgorithms DigestAlgorithmIdentifiers,
contentInfo ContentInfo,
-- certificates and crls are not covered by any signature in this structure.
-- Treat them as untrusted input for path building and validate each chain
-- against a locally configured trust anchor.
certificates
[0] IMPLICIT ExtendedCertificatesAndCertificates
OPTIONAL,
crls
[1] IMPLICIT CertificateRevocationLists OPTIONAL,
signerInfos SignerInfos }
DigestAlgorithmIdentifiers ::=
SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo
-- SignerInfo holds one signer's signature and the data needed to verify it.
SignerInfo ::= SEQUENCE {
version Version,
-- Identifies the signer's certificate by issuer name and serial number.
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
-- When present, RFC 2315 requires at least the content-type and message-digest
-- attributes, and the signature is computed over the DER encoding of the
-- Attributes value instead of over the content directly. A verifier must then
-- also compare the message-digest attribute with its own digest of the content.
authenticatedAttributes
[0] IMPLICIT Attributes OPTIONAL,
digestEncryptionAlgorithm
DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
-- Not covered by the signature; do not base trust decisions on these attributes.
unauthenticatedAttributes
[1] IMPLICIT Attributes OPTIONAL }
-- Result of encrypting the message digest and associated information with the
-- signer's private key.
EncryptedDigest ::= OCTET STRING
-- DigestInfo keeps the algorithm identifier next to the digest value, so the
-- signed value is tied to one digest algorithm.
DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
digest Digest }
Digest ::= OCTET STRING
Enveloped-data content type#
-- EnvelopedData holds encrypted content plus the content-encryption key
-- encrypted once per recipient. The structure has no field for a signature or
-- MAC, so it provides confidentiality only. Where integrity or origin
-- authentication is needed, combine it with signed-data or use an
-- authenticated type from CMS (AuthEnvelopedData, RFC 5083).
EnvelopedData ::= SEQUENCE {
version Version,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo }
RecipientInfos ::= SET OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE {
-- Type of the plaintext content; this field itself is not encrypted.
contentType ContentType,
contentEncryptionAlgorithm
ContentEncryptionAlgorithmIdentifier,
-- OPTIONAL: when absent, the encrypted content must be supplied by other means.
encryptedContent
[0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent ::= OCTET STRING
-- RecipientInfo carries the per-recipient key material.
RecipientInfo ::= SEQUENCE {
version Version,
-- Identifies the recipient's certificate by issuer name and serial number.
issuerAndSerialNumber IssuerAndSerialNumber,
keyEncryptionAlgorithm
KeyEncryptionAlgorithmIdentifier,
-- The content-encryption key, encrypted with the recipient's public key.
encryptedKey EncryptedKey }
EncryptedKey ::= OCTET STRING
Signed-and-enveloped-data content type#
-- SignedAndEnvelopedData combines signing and enveloping in one structure.
-- RFC 2315 itself notes that applying signed-data and then enveloped-data in
-- sequence is generally preferable, and the later CMS specifications do not
-- define this content type.
SignedAndEnvelopedData ::= SEQUENCE {
version Version,
recipientInfos RecipientInfos,
digestAlgorithms DigestAlgorithmIdentifiers,
encryptedContentInfo EncryptedContentInfo,
-- As in SignedData, certificates and crls are unauthenticated path-building
-- material and must be validated against a local trust anchor.
certificates
[0] IMPLICIT ExtendedCertificatesAndCertificates
OPTIONAL,
crls
[1] IMPLICIT CertificateRevocationLists OPTIONAL,
signerInfos SignerInfos }
Digested-data content type#
-- DigestedData pairs content with an unkeyed message digest of that content.
-- No key is involved, so anyone able to modify the content can recompute the
-- digest; it detects accidental corruption but does not authenticate anything.
DigestedData ::= SEQUENCE {
version Version,
digestAlgorithm DigestAlgorithmIdentifier,
contentInfo ContentInfo,
digest Digest }
-- Same definition as the Digest type given in the signed-data section.
Digest ::= OCTET STRING
Encrypted-data content type#
-- EncryptedData holds encrypted content only. Unlike EnvelopedData it has no
-- recipientInfos, so the key must be managed by other means. Like
-- EnvelopedData it carries no signature or MAC field.
EncryptedData ::= SEQUENCE {
version Version,
encryptedContentInfo EncryptedContentInfo }
PEM Format#
-----BEGIN PKCS7-----
...
-----END PKCS7-----
Displaying Certificates in PKCS #7#
$ openssl pkcs7 -print_certs -in cert_chain.p7b
subject=/O=EXTERNAL/CN=External CA
issuer=/O=EXTERNAL/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=EXAMPLE/CN=CA Signing Certificate
issuer=/O=EXTERNAL/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Converting PEM Certificates into PKCS #7#
$ openssl crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt ... -out cert_chain.p7b
Converting PKCS #7 into PEM Certificates#
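$ openssl pkcs7 -print_certs -in cert_chain.p7b | awk '
# Split the PEM output into cert1.crt, cert2.crt, ... (one file per certificate).
# -print_certs only dumps the certificates stored in the structure: it verifies
# no signature and no chain, and the file numbering follows the output order,
# which is not necessarily the chain order. Validate the extracted files
# separately (for example with openssl verify against a trusted CA file).
/-----BEGIN CERTIFICATE-----/ {n++; out = "cert" n ".crt"; writing = 1}
# The file name is kept in a variable because an unparenthesized concatenation
# after > is parsed differently by different awk implementations.
writing && length($0) > 0 {print > out}
# Close each file when its certificate ends, so a long chain cannot exhaust
# the open file limit.
/-----END CERTIFICATE-----/ {writing = 0; close(out)}'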