How can I split a CA certificate bundle into separate files?
You can split the bundle with awk, like this, in an appropriate directory:
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-bundle.pem
Then, create the links OpenSSL wants by running the c_rehash utility that comes with OpenSSL:
c_rehash .
Note: use 'gawk' on non-Linux platforms, as the above relies on a GNU-specific feature.
The following Ruby script will split the bundle (with one or more certificates in it) into files named after the hashes -- side-stepping the c_rehash step in most cases.
To use, cd into the right directory (such as /etc/ssl/certs/) and run the script with the path to your certificate bundle as the sole argument. For example: ruby /tmp/split-certificates.rb ca-root-nss.crt.
#!/usr/bin/env ruby
require 'openssl'

blob = IO.binread(ARGV[0]) # Read the entire file at once
DELIMITER = "\n-----END CERTIFICATE-----\n"
blobs = blob.split(DELIMITER)
blobs.each do |pem|
  pem.strip!
  pem += DELIMITER # Does not break DER
  begin
    cert = OpenSSL::X509::Certificate.new pem
  rescue OpenSSL::X509::CertificateError
    # Trailing text after the last certificate, comments, etc.
    puts "Skipping what seems like junk"
    next
  end
  begin
    # XXX Need to handle clashes, suffix other than 0
    # OpenSSL looks the file up as an 8-digit, zero-padded hex hash,
    # so pad here or hashes with leading zeros are never found.
    filename = sprintf("%08x.0", cert.subject.hash)
    # EXCL makes the open fail rather than overwrite an existing file
    File.open(filename, File::WRONLY|File::CREAT|File::EXCL) do |f|
      f.write(pem)
    end
  rescue Errno::EEXIST
    puts "#{filename} already exists, skipping"
  end
end
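The clash case that the script above marks with XXX, as an added example that is not part of the original answer: two different certificates with the same subject hash get consecutive suffixes (.0, .1, ...), and a certificate that is already stored is not written twice. The names split_bundle, sample_cert and demo are hypothetical, and the certificates are constructed test data.

```ruby
require 'openssl'
require 'tmpdir'

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Write each certificate in `bundle` to `dir` as <subject-hash>.<n>, taking
# the first free n on a hash clash. Returns the file names created.
def split_bundle(bundle, dir)
  created = []
  bundle.scan(PEM_CERT).each do |pem|
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError
      next # not a parsable certificate
    end
    n = 0
    loop do
      name = format('%08x.%d', cert.subject.hash, n)
      path = File.join(dir, name)
      begin
        File.open(path, File::WRONLY | File::CREAT | File::EXCL) { |f| f.write(cert.to_pem) }
        created << name
        break
      rescue Errno::EEXIST
        # Same certificate already stored: done. A different one: try next suffix.
        break if OpenSSL::X509::Certificate.new(File.read(path)).to_der == cert.to_der
        n += 1
      end
    end
  end
  created
end

# Constructed sample: a throwaway self-signed certificate with a fixed subject.
def sample_cert(serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

def demo
  a, b = sample_cert(1), sample_cert(2) # same subject, different keys
  bundle = "# stray text\n" + a.to_pem + b.to_pem + a.to_pem
  Dir.mktmpdir { |dir| [split_bundle(bundle, dir), split_bundle(bundle, dir)] }
end
```

Because each certificate takes the first free suffix, the numbering stays contiguous from 0, which is how OpenSSL walks a hashed directory.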