PKI Certificate File ASN.1 Parser

This section provides a quick introduction to ASN.1 parsers, which can be used to parse PKI certificates back into their ASN.1 data structure.

If you want to see the ASN.1 data structure in PKI certificates, you need to use an ASN.1 parser like the "openssl asn1parse" command.

Here is the ASN.1 data structure printed out by the "openssl asn1parse" command for the same certificate from the previous tutorial:

herong$ openssl asn1parse -inform DER -in ISRG-Root-X2.der

  0:d=0  hl=4 l= 539 cons: SEQUENCE
  4:d=1  hl=4 l= 417 cons: SEQUENCE
  8:d=2  hl=2 l=   3 cons: cont [ 0 ]
 10:d=3  hl=2 l=   1 prim: INTEGER           :02
 13:d=2  hl=2 l=  16 prim: INTEGER           :41D29DD172EAEEA780C12C6CE92F8752
 31:d=2  hl=2 l=  10 cons: SEQUENCE
 33:d=3  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA384
 43:d=2  hl=2 l=  79 cons: SEQUENCE
 45:d=3  hl=2 l=  11 cons: SET
 47:d=4  hl=2 l=   9 cons: SEQUENCE
 49:d=5  hl=2 l=   3 prim: OBJECT            :countryName
 54:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
 58:d=3  hl=2 l=  41 cons: SET
 60:d=4  hl=2 l=  39 cons: SEQUENCE
 62:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
 67:d=5  hl=2 l=  32 prim: PRINTABLESTRING   :Internet Security Research Group
101:d=3  hl=2 l=  21 cons: SET
103:d=4  hl=2 l=  19 cons: SEQUENCE
105:d=5  hl=2 l=   3 prim: OBJECT            :commonName
110:d=5  hl=2 l=  12 prim: PRINTABLESTRING   :ISRG Root X2
124:d=2  hl=2 l=  30 cons: SEQUENCE
126:d=3  hl=2 l=  13 prim: UTCTIME           :200904000000Z
141:d=3  hl=2 l=  13 prim: UTCTIME           :400917160000Z
156:d=2  hl=2 l=  79 cons: SEQUENCE
158:d=3  hl=2 l=  11 cons: SET
160:d=4  hl=2 l=   9 cons: SEQUENCE
162:d=5  hl=2 l=   3 prim: OBJECT            :countryName
167:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
171:d=3  hl=2 l=  41 cons: SET
173:d=4  hl=2 l=  39 cons: SEQUENCE
175:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
180:d=5  hl=2 l=  32 prim: PRINTABLESTRING   :Internet Security Research Group
214:d=3  hl=2 l=  21 cons: SET
216:d=4  hl=2 l=  19 cons: SEQUENCE
218:d=5  hl=2 l=   3 prim: OBJECT            :commonName
223:d=5  hl=2 l=  12 prim: PRINTABLESTRING   :ISRG Root X2
237:d=2  hl=2 l= 118 cons: SEQUENCE
239:d=3  hl=2 l=  16 cons: SEQUENCE
241:d=4  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
250:d=4  hl=2 l=   5 prim: OBJECT            :secp384r1
257:d=3  hl=2 l=  98 prim: BIT STRING
357:d=2  hl=2 l=  66 cons: cont [ 3 ]
359:d=3  hl=2 l=  64 cons: SEQUENCE
361:d=4  hl=2 l=  14 cons: SEQUENCE
363:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
368:d=5  hl=2 l=   1 prim: BOOLEAN           :255
371:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
377:d=4  hl=2 l=  15 cons: SEQUENCE
379:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
384:d=5  hl=2 l=   1 prim: BOOLEAN           :255
387:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
394:d=4  hl=2 l=  29 cons: SEQUENCE
396:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
401:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:04147C4296AEDE4B483BF...
425:d=1  hl=2 l=  10 cons: SEQUENCE
427:d=2  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA384
437:d=1  hl=2 l= 104 prim: BIT STRING
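
The offset, d= (depth), hl= (header length) and l= (content length) columns above come straight from the DER tag-length-value headers. The following Python walker is an added example, not code from this tutorial or from OpenSSL; it rebuilds those columns for single-byte tags and definite lengths only. The names read_header, walk and RDN_US are the example's own, and the sample bytes are constructed from the countryName values in the listing.

```python
# Added example: minimal DER walker (single-byte tags, definite lengths only).
TAGS = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING",
        0x04: "OCTET STRING", 0x06: "OBJECT", 0x13: "PRINTABLESTRING",
        0x17: "UTCTIME", 0x30: "SEQUENCE", 0x31: "SET"}

def read_header(buf, pos):
    """Return (tag, hl, l): tag byte, header length, content length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled here")
    if first < 0x80:                    # short form: the byte is the length
        return tag, 2, first
    n = first & 0x7F                    # long form: n length bytes follow
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    raw = buf[pos + 2:pos + 2 + n]
    if len(raw) < n:
        raise ValueError("truncated length at offset %d" % pos)
    length = int.from_bytes(raw, "big")
    if raw[0] == 0 or length < 0x80:    # DER demands the shortest encoding
        raise ValueError("non-minimal length at offset %d" % pos)
    return tag, 2 + n, length

def walk(buf, pos=0, end=None, depth=0, rows=None):
    """Collect (offset, d, hl, l, 'cons'|'prim', type name) rows."""
    rows = [] if rows is None else rows
    end = len(buf) if end is None else end
    while pos < end:
        tag, hl, l = read_header(buf, pos)
        if pos + hl + l > end:
            raise ValueError("element at offset %d overruns its parent" % pos)
        if tag & 0xC0 == 0x80:          # context-specific class, e.g. [0], [3]
            name = "cont [ %d ]" % (tag & 0x1F)
        else:
            name = TAGS.get(tag, "tag 0x%02x" % tag)
        cons = bool(tag & 0x20)         # 0x20 set: content is nested TLVs
        rows.append((pos, depth, hl, l, "cons" if cons else "prim", name))
        if cons:
            walk(buf, pos + hl, pos + hl + l, depth + 1, rows)
        pos += hl + l
    return rows

# Constructed sample: the countryName RDN re-encoded from the values listed above.
RDN_US = bytes.fromhex("310b3009060355040613025553")

if __name__ == "__main__":
    for off, d, hl, l, kind, name in walk(RDN_US):
        print("%3d:d=%-2d hl=%d l=%4d %s: %s" % (off, d, hl, l, kind, name))
```

The relative offsets 0, 2, 4, 9 match offsets 45, 47, 49, 54 in the listing. The walker rejects non-minimal lengths and children that overrun their parent, the two length-handling checks a strict DER reader needs.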

There is also a good online ASN.1 parser at holtstrom.com/michael/tools/asn1decoder.php. Follow the instructions on that page to parse PKI certificates in DER or PEM format.

ASN.1 Online Parser for PKI Certificates

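The output of this parser is easier to read than that of the "openssl asn1parse" command: nesting is shown with braces and indentation, each OBJECT IDENTIFIER is printed with its dotted number, and the contents of OCTET STRING and BIT STRING wrappers are decoded one level further. See the output below for the same certificate from the previous tutorial: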

U.P.SEQUENCE {
   U.P.SEQUENCE {
      [C.P.0] {
         U.P.INTEGER 0x02 (2 decimal)
      }
      U.P.INTEGER 0x41d29dd172eaeea780c12c6ce92f8752
      U.P.SEQUENCE {
         U.P.OBJECTIDENTIFIER 1.2.840.10045.4.3.3 (ecdsa-with-SHA384)
      }
      U.P.SEQUENCE {
         U.P.SET {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.4.6 (countryName)
               U.P.PrintableString 'US'
            }
         }
         U.P.SET {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.4.10 (organizationName)
               U.P.PrintableString 'Internet Security Research Group'
            }
         }
         U.P.SET {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.4.3 (commonName)
               U.P.PrintableString 'ISRG Root X2'
            }
         }
      }
      U.P.SEQUENCE {
         U.P.UTCTime '200904000000Z'
         U.P.UTCTime '400917160000Z'
      }
      U.P.SEQUENCE {
         U.P.SET {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.4.6 (countryName)
               U.P.PrintableString 'US'
            }
         }
         U.P.SET {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.4.10 (organizationName)
               U.P.PrintableString 'Internet Security Research Group'
            }
         }
         U.P.SET {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.4.3 (commonName)
               U.P.PrintableString 'ISRG Root X2'
            }
         }
      }
      U.P.SEQUENCE {
         U.P.SEQUENCE {
            U.P.OBJECTIDENTIFIER 1.2.840.10045.2.1 (ecPublicKey)
            U.P.OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
         }
         U.P.BITSTRING         # 0004cd9bd59f80830aec094af3164a3e5ccf77acde...
04cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4b...
      }
      [C.P.3] {
         U.P.SEQUENCE {
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.29.15 (KeyUsage (b0:digitalSignature b1:...))
               U.P.BOOLEAN TRUE
               U.P.OCTETSTRING         # 03020106
                  U.P.BITSTRING 110 : 1 unused bit(s);

            }
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.29.19 (basicConstraints)
               U.P.BOOLEAN TRUE
               U.P.OCTETSTRING         # 30030101ff
                  U.P.SEQUENCE {
                     U.P.BOOLEAN TRUE
                  }

            }
            U.P.SEQUENCE {
               U.P.OBJECTIDENTIFIER 2.5.29.14 (subjectKeyIdentifier)
               U.P.OCTETSTRING         # 04147c4296aede4b483bfa92f89e8ccf6d8ba9723795
                  U.P.OCTETSTRING 7c4296aede4b483bfa92f89e8ccf6d8ba9723795

            }
         }
      }
   }
   U.P.SEQUENCE {
      U.P.OBJECTIDENTIFIER 1.2.840.10045.4.3.3 (ecdsa-with-SHA384)
   }
   U.P.BITSTRING         # 00306502307b794e465084c24487461b4570ff5899def4fd...
      U.P.SEQUENCE {
         U.P.INTEGER 0x7b794e465084c24487461b4570ff5899def4fda4d255a6202d74...
         U.P.INTEGER 0x008bf5776cd4c865aae00b2cee149d2737a4f953a551e42983d7...
      } : 0 unused bit(s);
}

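Note that ASN.1 parsers only show ASN.1 data type names and their associated values. They do not show data field names, so to know which certificate field a value belongs to, you have to match its position against the certificate structure definition.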
