I am trying to export a public certificate from a pkcs12 trust store. The trust store does NOT contain a private key. It only contains the public certificate (e.g. to be used as truststore on clients).
I have tried:
openssl pkcs12 \
-in /home/user/certs/truststore.pkcs12 \
-out /home/user/certs/capath/ca.cert.pem \
-nodes
Which seems to work fine. The content of ca.cert.pem looks like this:
Bag Attributes
friendlyName: x.x.x
......: <Unsupported tag 6>
subject=...
issuer=...
-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
...
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: y.y.y
....... <Unsupported tag 6>
subject=...
issuer=....
-----BEGIN CERTIFICATE-----
MIIGiDCCBXCgAwIBAgIMXYEkb13q+Kq7F8oaMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
...
2W0U+HwiE1gsiD2f+qLpEnEHdMhvT8vWE4WueqaV71eYg3Yi7jYENmmZzQ0=
-----END CERTIFICATE-----
But if I instead (based on: Converting PKCS#12 certificate into PEM using OpenSSL) do:
openssl pkcs12 \
-in /home/user/certs/truststore.pkcs12 \
-out /home/user/certs/capath/ca.cert.another.pem \
-clcerts \
-nokeys
The generated ca.cert.another.pem file is just empty.
Is the reason for this that the latter approach assumes the truststore contains a private key?
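The behaviour described in the question can be reproduced with the following added example, which is not part of the original post. It assumes `openssl pkcs12` classifies a certificate as a client certificate only when its bag carries a `localKeyID` attribute tying it to a private key, which a key-less truststore never has. The password, subject name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: build a key-less PKCS#12 truststore and compare export modes.
set -eu

PASS=changeit   # constructed sample password

# Create a throwaway self-signed certificate and pack ONLY the certificate
# (no private key) into a PKCS#12 file, as a client truststore would be.
make_truststore() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-ca.example" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl pkcs12 -export -nokeys -in "$dir/ca.pem" \
        -out "$dir/truststore.p12" -passout "pass:$PASS"
}

# Print how many certificates openssl emits for the given extra options.
count_certs() {
    p12=$1; shift
    openssl pkcs12 -in "$p12" -passin "pass:$PASS" "$@" 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_truststore "$work"

for opts in "-nokeys" "-clcerts -nokeys" "-cacerts -nokeys"; do
    # $opts is deliberately unquoted so it splits into separate options.
    printf '%-18s -> %s certificate(s)\n' "$opts" \
        "$(count_certs "$work/truststore.p12" $opts)"
done
```

For a truststore like the one in the question, `-nokeys` alone or `-cacerts -nokeys` writes the certificates without any key handling, while `-clcerts` filters all of them out.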