How to export/extract different certs? #185

@jquanC

I have successfully installed sevctl and provisioned the OCA by following these instructions:

$ sevctl generate oca.cert oca.key
$ sevctl provision oca.cert oca.key
$ sevctl export --full /opt/sev/cert_chain.cert

The sevctl verify command executes well:

~/opt/sev ❯ sevctl verify --sev cert_chain.cert 
PDH EP384 D256 3a1cd0a787bf1b951730b1689f5417b39833eccd408b0978d657cb118518a486
 ⬑ PEK EP384 E256 71953375e148a693e0785bdaeb13404ca40eaae4e6b477292e19417a8d1bf21d
   •⬑ OCA EP384 E256 2b13c5a6ba06e0d6f3375e9d5d1c3709b69461ae0f011d2689e1193af869c48e
    ⬑ CEK EP384 E256 d80941025278e9efcc43143571710152e3978630429e2a105f2ea718e3f686db
       ⬑ ASK R4096 R384 95cba79ba3c77daea79f741bade8156a50b1c59f6d6fda104d16dd264729f5ee8989522f3711fc7c84719921ceb31bc0
         •⬑ ARK R4096 R384 569da618dfe64015c343db6d975e77b72fdeacd16edd02d9d09b889b8f0f1d91ffa5dfbd86f7ac574a1a7883b7a1e737

 • = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs

My question is: can I export/extract a specific cert, like ark_ask_cert, pek_cert, cek_cert, or pdh_cert? Does the current sevctl support it? It seems like the deprecated repo, sevtool, has related support, although I haven't tried that.
