
How to extract a certificate with a given subject from a p12

Stack Overflow user
Asked on 2022-06-20 03:51:58
Answers: 2, Views: 386, Followers: 0, Votes: 0

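I have a p12 file containing the following certificates, and I am trying to extract the certificate with subject DC=com.ibm.ws.collective/O=.*/OU=controllerRoot (the last one in the list) to import into a trust store (another p12).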

$> openssl pkcs12 -in resources/collective/rootKeys.p12 -clcerts -nokeys -info
MAC Iteration 1024
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: memberroot
    localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 36 39 37
    1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=member/L=10.153.34.33/L=%2Fopt%2Fibm%2Fwlp%2Fusr/CN=controller-2
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=memberRoot
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: memberroot
    localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 36 39 37
    1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=memberRoot
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=memberRoot
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: controllerroot
    localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 39 38 38
    1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=member/L=10.153.34.33/L=%2Fopt%2Fibm%2Fwlp%2Fusr/CN=controller-2
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: controllerroot
    localKeyID: 54 69 6D 65 20 31 36 35 35 33 35 31 36 39 32 39 38 38
    1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIGFXQBEJ1VMA0GCSqGSIb3DQEBCwUAMG8xJTAjBgoJkiaJ
k/IsZAEZFhVjb20uaWJtLndzLmNvbGxlY3RpdmUxLTArBgNVBAoTJGI4NzM1MTQ3
LTRkMjEtNGNjMS05NzExLTZlZGVlMGM3NjgwZjEXMBUGA1UECxMOY29udHJvbGxl
clJvb3QwHhcNMjIwNjE2MDMzNjI3WhcNNDcwNjEwMDMzNjI3WjBvMSUwIwYKCZIm
iZPyLGQBGRYVY29tLmlibS53cy5jb2xsZWN0aXZlMS0wKwYDVQQKEyRiODczNTE0
Ny00ZDIxLTRjYzEtOTcxMS02ZWRlZTBjNzY4MGYxFzAVBgNVBAsTDmNvbnRyb2xs
ZXJSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnn6fZzzwfZol
ToZW2nbrFG3NshxuBHSQ4cHPfZeJfC6Yksw9jSzX0ZOKbYgo2VnPRqtvr1P9jNrE
4kQy0ej2actIheOnBz+n+0hP/HvkeqLIdkWb2swWehzUp5Ed7iglZSn1WBvvBNM0
G/UsY2kCaqpbBljuEzqAYmOhLewtWq0w0GgUymA1k7YkIhF5AqXsIK3BMWjk5kyM
FwxmXogdRCewIPNHq95eVeWs60N07sn+b4K84QqbyvAfNcsW7vfzeWgDEG6dGrJO
lK0QpXHtb9OD08OFPqQb/6cRXzy+NUQKJP3x6eQ5UjrjiG2zUIwTBMmoeFTYWWzv
hQMzYOl+SQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTrKLke
SpIao2L6HOJecnPZY9drkjANBgkqhkiG9w0BAQsFAAOCAQEAD7WGLRXlL2FFVI7u
MSItv2qXCkEzfzZPoPzzpzOxfibpgEYQUqvPo1ZBroogKrMFXZ7iXbcSQ2ECYURf
Q++NLQVx+8RLlvrDh6puiLrsyo9bS+KcRl/EYMuoITPZTwyNgktH5kBXRCgCyksa
wiXmsvKdbwNJzIzUacCoyoXies2ScXlX7iy1/reJAj0cP4r84w1S0ITAo9E55BVV
LLuGaqGjQ66Y6b44xl19CR3hyvBz13tMaOAr7cjx26TaWzD3/M/MpoX1McOEkJ/g
X7xVQmqeeSgFdHIrE2RC3XqEHiUIfgRf+O/1xr6nPXZGgf/np5oJkXk4hcZB4/p7
Hnp7vA==
-----END CERTIFICATE-----

I tried this with keytool, but it extracted the second one:

keytool -exportcert -rfc -keystore resources/collective/rootKeys.p12 -storetype PKCS12 -alias controllerroot -file rootcert.crt

I tried a few things with openssl, but none of them worked. Can someone help me extract the certificate, using either keytool or openssl?

2 Answers

Stack Overflow user

Posted on 2022-06-21 12:26:36

If PowerShell is an option, you can use the following script to extract the last certificate from the PEM output:

[cmdletbinding()]
Param (
    [Parameter(Mandatory=$true,ValueFromPipeline=$true,HelpMessage="PEM input")]
    [AllowEmptyString()]
    [string[]]$InputValue
)

Begin {
    [string]$capture = $null
    [string]$result = $null
}

Process {
    if ('-----BEGIN CERTIFICATE-----' -eq $InputValue) {
        $capture = $InputValue + "`r`n"
    } elseif ('-----END CERTIFICATE-----' -eq $InputValue) {
        $result = $capture + $InputValue
        $capture = $null
    } elseif ($capture) {
        $capture += $InputValue + "`r`n"
    }
}

End {
    $result
}

With a slight modification, the following script can be used to extract all root CA certificates from the PEM:

[cmdletbinding()]
Param (
    [Parameter(Mandatory=$true,ValueFromPipeline=$true,HelpMessage="PEM input")]
    [AllowEmptyString()]
    [string[]]$InputValue
)

Begin {
    [bool]$isCA = $false
    [string]$subj = $null
    [string]$capture = $null
    [string[]]$result = $null
}

Process {
    if ([string]$InputValue -match '^subject=(.*)') {
        $subj = $Matches[1]
    } elseif ([string]$InputValue -match '^issuer=(.*)') {
        $isCA = ($subj -eq $Matches[1])
    }

    if ($isCA) {
        if ('-----BEGIN CERTIFICATE-----' -eq $InputValue) {
            $capture = $InputValue + "`r`n"
        } elseif ('-----END CERTIFICATE-----' -eq $InputValue) {
            $result += $capture + $InputValue
            $capture = $null
            $isCA = $false
        } elseif ($capture) {
            $capture += $InputValue + "`r`n"
        }
    }
}

End {
    $result
}

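To use, save either of the above to a PowerShell .ps1 script file, open a PowerShell session, then pipe the openssl output to the .ps1 script and redirect the output to a new certificate file. For example: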

openssl pkcs12 -in resources/collective/rootKeys.p12 -clcerts -nokeys -info | .\Get-LastPEMCert.ps1 > last.cer

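Where: Get-LastPEMCert.ps1 is the first PowerShell script above; last.cer will contain the last certificate listed in the PEM OpenSSL output.

Otherwise, you can use cat, sed and/or awk. For example, see this and these answers.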

Votes: 1

Stack Overflow user

Posted on 2022-06-22 04:54:11

Since I did not find a solution with openssl or keytool, I tried using sed, as follows.

openssl pkcs12 -in resources/collective/rootKeys.p12 -clcerts -nokeys -info | sed -n '/subject=\/DC=com.ibm.ws.collective\/O=.*\/OU=controllerRoot/,/END CERTIFICATE/p' | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' | tee expected.crt
Votes: 0
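
The subject-based selection that both answers work toward, as an added example that is not part of either answer: an awk filter over the `openssl pkcs12 -info` text that keeps only the PEM blocks whose subject matches an anchored pattern, plus a wrapper that refuses to emit anything unless exactly one certificate matched. The function names, `ROOT_ERE` and the sample input are assumptions made for this example; the subject layout is assumed to be the one shown in the question.

```shell
# Added example (not from the original post). Reads the text printed by
# `openssl pkcs12 -info -nokeys` on stdin and prints only the PEM blocks
# whose subject value matches the extended regular expression in $1.
extract_cert_by_subject() {
    SUBJECT_ERE="$1" awk '
        /^subject=/ { want = (substr($0, 9) ~ ENVIRON["SUBJECT_ERE"]); next }
        /^-----BEGIN CERTIFICATE-----$/ { incert = want }
        incert { print }
        /^-----END CERTIFICATE-----$/ { incert = 0; want = 0 }
    '
}

# Same filter, but fails unless exactly one certificate matched, so an
# ambiguous or empty selection is never written to a trust store.
extract_one_cert() {
    pem=$(extract_cert_by_subject "$1")
    n=$(printf '%s\n' "$pem" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    if [ "$n" -ne 1 ]; then
        echo "expected 1 matching certificate, found $n" >&2
        return 1
    fi
    printf '%s\n' "$pem"
}

# Constructed sample input: subject and issuer lines copied from the
# question, certificate bodies replaced by placeholder text.
sample_info() {
    cat <<'EOF'
    friendlyName: controllerroot
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=member/L=10.153.34.33/L=%2Fopt%2Fibm%2Fwlp%2Fusr/CN=controller-2
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-BASE64
-----END CERTIFICATE-----
    friendlyName: controllerroot
subject=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
issuer=/DC=com.ibm.ws.collective/O=b8735147-4d21-4cc1-9711-6edee0c7680f/OU=controllerRoot
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER-NOT-BASE64
-----END CERTIFICATE-----
EOF
}

# Anchored at both ends: the subject must end at OU=controllerRoot, which
# excludes the member certificate that shares the controllerroot alias.
ROOT_ERE='^/DC=com\.ibm\.ws\.collective/O=[^/]*/OU=controllerRoot$'
```

With the real file, pipe `openssl pkcs12 -in resources/collective/rootKeys.p12 -nokeys -info` into `extract_one_cert "$ROOT_ERE"`, then check the result with `openssl x509 -noout -subject -issuer -fingerprint -sha256` before importing it. OpenSSL versions differ in how they print the subject line, so adjust the pattern to the `subject=` line your version shows.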
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/72682046
