OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Anonymous (unverified) posted on 2019-12-03 01:12:01

Question:

I need a hash name for a file to put in Stunnel's CApath directory. I have got some certs in this directory and they are working well. Also I have a server cert and server key:

    cert = c:\Program Files (x86)\stunnel\server_cert.pem
    key = c:\Program Files (x86)\stunnel\private\server_key.pem

When I try to calculate a hash of my new cert, I get an error:

/etc/pki/tls/misc/c_hash cert.pem

unable to load certificate 140603809879880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

As I understand I must sign my cert, but I don't understand how I can do that. Please, provide the solution.

P.S.:

The message

unable to load certificate 140603809879880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:

was posted when I ran c_hash for cert.pem. This is not server_cert.pem; this is Root_CA and its content is something like

    -----BEGIN CERTIFICATE-----
    ...6UXBNSDVg5rSx60=..
    -----END CERTIFICATE-----

When I write

openssl x509 -noout -text -in cert.pem

In the console panel I see this info:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=BE, ST=BB, L=BB, O=BANKSYS NV, OU=SCY, CN=TEST Root CA
            Validity
                Not Before: May 31 08:06:40 2005 GMT
                Not After : May 31 08:06:40 2020 GMT
            Subject: C=BE, ST=BB, L=BB, O=BB NV, OU=SCY, CN=TEST Root CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:82:c8:58:1e:e5:7a:b2:63:a6:15:bd:f9:bb:1f:
                        ............
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier:
                    76:70:AB:92:9B:B1:26:CE:9E:93:D8:77:4F:78:0D:B8:D4:6C:DA:C6
        Signature Algorithm: sha1WithRSAEncryption
             2c:7e:bd:3f:da:48:a4:df:8d:7c:96:58:f7:87:bd:e7:16:24:
             ...............

Answer 1:

1) Since you are on Windows, make sure that your certificate is Windows "compatible", most importantly that it doesn't have ^M at the end of each line.

If you open it, it will look like this:

    -----BEGIN CERTIFICATE-----^M
    MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M

To solve this, open it with Write or Notepad++ and have it convert it to Windows "style".

2) Try to run openssl x509 -text -inform DER -in server_cert.pem and see what the output is. It is unlikely that a private/secret key would be untrusted; trust is only needed if you exported the key from a keystore. Did you?



Answer 2:

My situation was a little different. The solution was to strip the .pem from everything outside of the CERTIFICATE and PRIVATE KEY sections and to invert the order which they appeared. After converting from pfx to pem file, the certificate looked like this:

    Bag Attributes
        localKeyID: ...
    issuer=...
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    Bag Attributes
        more garbage...
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

After correcting the file, it was just:

    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----


Answer 3:

I had the same issue using Windows, and got it fixed by opening it in Notepad++ and changing the encoding from "UCS-2 LE BOM" to "UTF-8".



Answer 4:

Another possible cause of this is trying to use the x509 module on something that is not x509.

The server certificate is x509 format, but the private key is rsa.

So:

    openssl rsa -noout -text -in privkey.pem
    openssl x509 -noout -text -in servercert.pem



Answer 5:

You can get this misleading error if you naively try to do this:

Plain text -> Private Key encrypt ->  -> Public Key decrypt -> 

Encrypting data using a private key is not allowed by design.

You can see from the command line options for openssl that the only options to encrypt -> decrypt go in one direction, public -> private.

    -encrypt        encrypt with public key
    -decrypt        decrypt with private key

The other direction is intentionally prevented because public keys basically "can be guessed." So, encrypting with a private key means the only thing you gain is verifying the author has access to the private key.

The private key encrypt -> public key decrypt direction is called "signing" to differentiate it from being a technique that can actually secure data.

    -sign           sign with private key
    -verify         verify with public key

Note: my description is a simplification for clarity. Read this answer for more information.



Answer 6:

My mistake was simply using the CSR file instead of the CERT file.



Answer 7:

Change the encoding in Notepad++ to UTF-8 with BOM. That is how it worked for me.


