
Add `step certificate unbundle` subcommand for separating certificate chains

Open dopey opened this issue 7 months ago • 3 comments

Uses

  1. step certificate unbundle leaf-chain.crt leaf.crt intermediate-chain.crt - separates certificate chain into separate files. One with just the leaf certificate and the other with the intermediate chain.

  2. step certificate unbundle --leaf leaf-chain.crt - Output the leaf certificate to stdout (or stderr, whatever the other commands do). Assume PEM format for output.

  3. step certificate unbundle --intermediate leaf-chain.crt - Output the intermediate chain to stdout (or stderr, whatever the other commands do). Assume PEM format for output.

  4. step certificate unbundle --leaf --out leaf.crt leaf-chain.crt - Write the leaf out to a file specified by the --out flag.

  5. step certificate unbundle --intermediate --out intermediate.crt leaf-chain.crt - Write the intermediate out to a file specified by the --out flag.

dopey avatar Jun 11 '25 00:06 dopey

Instead of using the --out flag, we could use the number of arguments:

# Print the leaf
step certificate unbundle chain.crt
step certificate unbundle --leaf chain.crt

# Write the leaf in leaf.crt
step certificate unbundle chain.crt leaf.crt
step certificate unbundle --leaf chain.crt leaf.crt

# Print list of intermediates
step certificate unbundle --intermediate chain.crt

# Write the intermediates in intermediate.crt
step certificate unbundle --intermediate chain.crt intermediate.crt

# Write the leaf in leaf.crt and intermediate in intermediate.crt
step certificate unbundle chain.crt leaf.crt intermediate.crt

Alternatively, instead of using the --out flag, we could use --leaf leaf.crt and --intermediate intermediate.crt if we want to be more explicit.

maraino avatar Jun 11 '25 02:06 maraino
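The splitting logic both proposals above need (first CERTIFICATE block is the leaf, everything after it is the intermediate chain), written out as an added example in Go since step is a Go CLI. This is not code from smallstep/cli or from any of the commenters: the function names `Unbundle`, `ChainInOrder` and `SampleChain` are assumptions, and the certificates are constructed in-process with throwaway P-256 keys so the example runs offline. It also goes slightly beyond the issue text by checking that the bundle is actually in leaf-first order, which is the mistake a blind "first block is the leaf" split would silently propagate into the output files.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parseBundle keeps the CERTIFICATE blocks of a PEM bundle in file order and
// parses each one, so malformed input is rejected before anything is written.
// Other block types (keys, CSRs) are skipped rather than treated as errors.
func parseBundle(bundle []byte) ([]*pem.Block, []*x509.Certificate, error) {
	var blocks []*pem.Block
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("certificate %d in bundle: %w", len(certs)+1, err)
		}
		blocks, certs = append(blocks, block), append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, nil, errors.New("bundle contains no CERTIFICATE blocks")
	}
	return blocks, certs, nil
}

// Unbundle returns the first certificate (the leaf) and the remaining ones
// (the intermediate chain) as PEM. A bundle holding only a leaf yields an
// empty intermediate chain rather than an error.
func Unbundle(bundle []byte) (leaf, intermediates []byte, err error) {
	blocks, _, err := parseBundle(bundle)
	if err != nil {
		return nil, nil, err
	}
	leaf = pem.EncodeToMemory(blocks[0])
	for _, b := range blocks[1:] {
		intermediates = append(intermediates, pem.EncodeToMemory(b)...)
	}
	return leaf, intermediates, nil
}

// ChainInOrder checks that each certificate is signed by the one after it,
// catching a bundle written intermediate-first or with a stray certificate
// mixed in, before the split files are handed to a server.
func ChainInOrder(bundle []byte) error {
	_, certs, err := parseBundle(bundle)
	if err != nil {
		return err
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("cert %d (%q) is not signed by cert %d (%q): %w",
				i+1, certs[i].Subject.CommonName, i+2, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// newTemplate builds a minimal certificate template (constructed test data).
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: usage,
	}
}

// sign issues tmpl under parent with parentKey and returns it as PEM.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleChain builds a constructed leaf + intermediate bundle (the root is
// left out, as TLS bundles usually are) and also returns the parts separately.
func SampleChain() (bundle, leafPEM, interPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	inter := newTemplate("Constructed Intermediate CA", true)
	interPEM = sign(inter, newTemplate("Constructed Root CA", true), interKey, rootKey)
	leafPEM = sign(newTemplate("leaf.example.test", false), inter, leafKey, interKey)
	return bytes.Join([][]byte{leafPEM, interPEM}, nil), leafPEM, interPEM
}
```

Writing `leaf` and `intermediates` to the files named on the command line (or to stdout when no file is given, as in the argument-count variant above) is the only part left for the subcommand itself; running `ChainInOrder` first means a reversed bundle is reported instead of being split into a "leaf" file that actually holds the intermediate.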

Hey @dopey! 👋

I just finished a PR (#1438) adding --intermediate-file to split certs during generation.

This unbundle command looks like the perfect companion for existing files! Happy to tackle it next if you want.

Same cert-chain logic I just implemented, so I can move fast. Let me know!

aliamerj avatar Jun 11 '25 08:06 aliamerj

While slightly more typing is involved, I have a preference for the initially suggested flags, as there's less room for guessing which file comes in which order. I'd say adding --out is fine, since we're already using that in a few places, but it's effectively the same as redirection using >.

hslatman avatar Jun 11 '25 08:06 hslatman