使用服务器密钥签署客户端证书时无法加载证书错误
Unable to load certificate error when signing the client certificate with the server key
我遵循 https://thrift.apache.org/test/keys 的指南,但是当我尝试使用 server.key 和命令签署客户端证书时:
openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
我收到以下错误:
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
unable to load certificate
13644:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
CA.pem 文件:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:9b:5f:55:60:5a:bf:5b:ff:5a:b4:a4:af:6f:da:b1:de:21:4e:ec
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Validity
Not Before: Mar 5 08:02:13 2021 GMT
Not After : May 22 08:02:13 2029 GMT
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:de:f6:78:f9:15:b0:ae:f7:f0:bf:2e:d1:f7:4f:
84:b5:ba:55:e7:36:c7:54:4e:df:d3:65:6b:22:d4:
.... missin values ....
6b:cc:15:81:88:fa:b1:75:00:f7:e5:e9:46:79:4a:
25:96:b5:c0:f8:15:46:c3:69:55:79:8a:09:1c:c2:
84:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
X509v3 Authority Key Identifier:
keyid:78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
0e:06:d3:24:ac:03:56:6a:6f:02:2a:67:cb:38:37:31:e5:9c:
01:3d:41:09:0b:a7:9e:da:02:67:5f:ee:3b:58:03:c2:9d:2f:
.... missin values ....
cc:83:be:ee:29:b1:15:2b:b8:a0:9f:ef:29:5e:2b:3d:25:68:
80:df:8f:cc:26:ce:56:92:8b:e4:6b:84:1b:09:07:11:66:b5:
32:47:15:18
-----BEGIN CERTIFICATE-----
....data...
-----END CERTIFICATE-----
可能是什么问题?
您上传的文件CA-2.pem暴露了问题:它的内容是用UTF16编码的,这意味着每个字符占用2个字节。开箱即用的 openssl x509 工具无法正确处理该问题,因为它需要纯 ASCII 输入。字符串比较将失败,这解释了为什么该工具无法找到以 -----BEGIN
开头的行
解决问题的最简单方法是将文件的 ecnoding 转换为 UTF8 编码。您可以通过使用记事本打开文件来执行此操作——在右下角它将指示编码为 UTF16 LE——并将其保存为 UTF8。或者您可以使用这样的 Powershell 命令:
> powershell -c "Get-Content CA.pem | Set-Content -Encoding utf8 CA-utf8.pem"
(见UTF-16 to UTF-8 conversion (for scripting in Windows))
此时,命令 openssl x509 -in CA-utf8.pem 成功,如果您使用此证书的 UTF8 编码版本,我希望您的其他命令也能成功。
我不清楚您的 CA 文件最初是如何最终被编码为 UTF16 的,我稍后可能会尝试弄清楚。
我遵循 https://thrift.apache.org/test/keys 的指南,但是当我尝试使用 server.key 和命令签署客户端证书时:
openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
我收到以下错误:
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
unable to load certificate
13644:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
CA.pem 文件:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:9b:5f:55:60:5a:bf:5b:ff:5a:b4:a4:af:6f:da:b1:de:21:4e:ec
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Validity
Not Before: Mar 5 08:02:13 2021 GMT
Not After : May 22 08:02:13 2029 GMT
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:de:f6:78:f9:15:b0:ae:f7:f0:bf:2e:d1:f7:4f:
84:b5:ba:55:e7:36:c7:54:4e:df:d3:65:6b:22:d4:
.... missin values ....
6b:cc:15:81:88:fa:b1:75:00:f7:e5:e9:46:79:4a:
25:96:b5:c0:f8:15:46:c3:69:55:79:8a:09:1c:c2:
84:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
X509v3 Authority Key Identifier:
keyid:78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
0e:06:d3:24:ac:03:56:6a:6f:02:2a:67:cb:38:37:31:e5:9c:
01:3d:41:09:0b:a7:9e:da:02:67:5f:ee:3b:58:03:c2:9d:2f:
.... missin values ....
cc:83:be:ee:29:b1:15:2b:b8:a0:9f:ef:29:5e:2b:3d:25:68:
80:df:8f:cc:26:ce:56:92:8b:e4:6b:84:1b:09:07:11:66:b5:
32:47:15:18
-----BEGIN CERTIFICATE-----
....data...
-----END CERTIFICATE-----
可能是什么问题?
您上传的文件CA-2.pem暴露了问题:它的内容是用UTF16编码的,这意味着每个字符占用2个字节。开箱即用的 openssl x509 工具无法正确处理该问题,因为它需要纯 ASCII 输入。字符串比较将失败,这解释了为什么该工具无法找到以 -----BEGIN
解决问题的最简单方法是将文件的 ecnoding 转换为 UTF8 编码。您可以通过使用记事本打开文件来执行此操作——在右下角它将指示编码为 UTF16 LE——并将其保存为 UTF8。或者您可以使用这样的 Powershell 命令:
> powershell -c "Get-Content CA.pem | Set-Content -Encoding utf8 CA-utf8.pem"
(见UTF-16 to UTF-8 conversion (for scripting in Windows))
此时,命令 openssl x509 -in CA-utf8.pem 成功,如果您使用此证书的 UTF8 编码版本,我希望您的其他命令也能成功。
我不清楚您的 CA 文件最初是如何最终被编码为 UTF16 的,我稍后可能会尝试弄清楚。