ReadMyCert

Published: April 26, 2023

Description

A certificate signing request file hides the flag. Treat it as Base64 PEM data and decode the contents to recover the string.

Download the CSR and strip the PEM header/footer.

Base64-decode the body to inspect the DER contents. The flag appears near the top.

wget https://artifacts.picoctf.net/c/422/readmycert.csr
cat readmycert.csr
grep -v '-----' readmycert.csr | base64 --decode

Solution

Strip the PEM header/footer lines, then paste the middle block into the Base64 & Base32 Decoder to decode the DER bytes in your browser without any command-line tools.
  1. Step 1: Decode the PEM
    Either pipe the middle lines through base64 --decode or drop them into CyberChef. The decoded ASN.1 text includes picoCTF{...}.

    A Certificate Signing Request (CSR) is a structured message sent to a Certificate Authority (CA) asking it to issue a TLS/SSL certificate. It contains the applicant's public key and identity fields (Common Name, Organization, Country, etc.) encoded in ASN.1 DER format - a binary encoding scheme for structured data. The CSR is then wrapped in PEM (Privacy Enhanced Mail) format: Base64-encoded DER with a -----BEGIN CERTIFICATE REQUEST----- header and -----END CERTIFICATE REQUEST----- footer.

    In this challenge, the flag was embedded in one of the CSR's identity fields (likely the Common Name or a Subject Alternative Name extension). When the challenge author created the CSR, they put the flag string where a domain name or organization name normally goes. Decoding the Base64 body reveals the DER bytes, and the ASN.1 string fields within them are stored as printable ASCII - so the flag appears in the decoded output.

    The grep -v '-----' command filters out lines containing five or more dashes, removing the PEM header and footer. The remaining lines are pure Base64 and can be piped directly to base64 --decode. The proper tool for CSR inspection is openssl req -text -noout -in readmycert.csr, which parses the ASN.1 and prints each field in human-readable form.

  2. Step 2: Copy the flag
    Extract the picoCTF string from the decoded output and submit.

    The decoded binary output mixes ASN.1 framing bytes with the embedded ASCII string. The strings command, or a visual scan of the terminal output, will surface the picoCTF{...} portion, since it is stored as a contiguous printable string in the Subject field. Piping through strings (grep -v '-----' readmycert.csr | base64 --decode | strings) isolates readable text from the surrounding binary framing.

    Understanding PKI (Public Key Infrastructure) concepts like CSRs, PEM, DER, and ASN.1 is valuable beyond CTFs. These formats appear in TLS certificate management, code signing, SSH keys, and S/MIME email encryption. The openssl command-line tool can inspect and convert between all of these formats, making it an essential tool in any security practitioner's toolkit.
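The following Python script is an added example and is not part of this writeup or of the picoCTF challenge files. It performs the two steps above in code (strip the PEM armor, Base64-decode) and then, instead of scanning the raw bytes with strings, walks the DER tag-length-value structure to pull out the attribute OIDs and string fields of a Subject, which is where the writeup says the flag lives. The CSR input is a constructed sample containing only a Subject with a placeholder flag (SAMPLE_PEM, SUBJECT_DER and all function names are this example's own), so it runs offline without the real readmycert.csr.

```python
import base64
import re

# Tag numbers from the ASN.1/DER encoding used by CSRs (X.690).
TAG_OID, TAG_UTF8, TAG_PRINTABLE, TAG_IA5 = 0x06, 0x0C, 0x13, 0x16
STRING_TAGS = {TAG_UTF8: "UTF8String", TAG_PRINTABLE: "PrintableString", TAG_IA5: "IA5String"}
OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_ORG_NAME = bytes.fromhex("55040a")     # 2.5.4.10 organizationName


def der_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def rdn(oid, value, tag=TAG_PRINTABLE):
    """RelativeDistinguishedName: SET { SEQUENCE { type OID, value string } }."""
    return tlv(0x31, tlv(0x30, tlv(TAG_OID, oid) + tlv(tag, value)))


# Constructed sample input: only the Subject part of a CSR, with a placeholder flag.
# This is NOT the challenge's readmycert.csr.
SUBJECT_DER = tlv(0x30, rdn(OID_ORG_NAME, b"Example Org")
                  + rdn(OID_COMMON_NAME, b"picoCTF{placeholder_flag}", TAG_UTF8))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + "\n".join(re.findall(".{1,64}", base64.b64encode(SUBJECT_DER).decode()))
              + "\n-----END CERTIFICATE REQUEST-----\n")


def pem_to_der(pem):
    """Drop the header/footer lines (what grep -v '-----' does) and Base64-decode the rest."""
    body = "".join(line.strip() for line in pem.splitlines() if "-----" not in line)
    return base64.b64decode(body, validate=True)


def decode_oid(raw):
    """OID content bytes to dotted form: first byte packs two arcs, the rest are base-128."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def walk_der(data, depth=0, out=None):
    """Walk TLVs; descend into constructed tags (bit 0x20); collect OIDs and string values."""
    if out is None:
        out = []
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long-form length: low bits give the byte count
            count = length & 0x7F
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        value = data[i:i + length]
        i += length
        if tag & 0x20:  # SEQUENCE (0x30), SET (0x31): recurse into the content
            walk_der(value, depth + 1, out)
        elif tag == TAG_OID:
            out.append((depth, "OID", decode_oid(value)))
        elif tag in STRING_TAGS:
            out.append((depth, STRING_TAGS[tag], value.decode("utf-8", "replace")))
    return out


def subject_fields(der):
    """Pair each attribute OID with the string that follows it, e.g. {'2.5.4.3': 'CN value'}."""
    fields, pending = {}, None
    for _, kind, value in walk_der(der):
        if kind == "OID":
            pending = value
        elif pending is not None:
            fields[pending] = value
            pending = None
    return fields


def find_flag(pem):
    """The 'strings' step done structurally: search only the decoded string fields."""
    for _, _, value in walk_der(pem_to_der(pem)):
        m = re.search(r"picoCTF\{[^}]*\}", value)
        if m:
            return m.group(0)
    return None


if __name__ == "__main__":
    print(subject_fields(pem_to_der(SAMPLE_PEM)))  # OID -> value map of the sample Subject
    print(find_flag(SAMPLE_PEM))                    # placeholder flag
```

The walker only descends through constructed tags, so it finds values stored directly in the Subject (as this challenge's flag is, per the writeup). A value placed in a Subject Alternative Name extension sits inside an OCTET STRING in the CSR's attributes, which this walker does not open; openssl req -text -noout prints both cases, which is why the writeup calls it the proper tool.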

Alternate Solution

Strip the PEM header/footer lines, then paste the middle block into the Base64 Decoder on this site to decode the DER bytes in your browser instantly - no terminal or openssl command required.

Flag

picoCTF{read_mycert...b0}

No openssl tooling is required; basic Base64 decoding reveals the answer.
