小贝子编程

使用服务器密钥签名客户端证书时无法加载证书错误



我遵循https://thrift.apache.org/test/keys指南,但当我尝试与服务器签署客户端证书时。用命令:

openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

我得到以下错误:

Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
unable to load certificate
13644:error:0909006C:PEM routines:get_name:no start line:cryptopempem_lib.c:745:Expecting: TRUSTED CERTIFICATE

CA。pem文件:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:9b:5f:55:60:5a:bf:5b:ff:5a:b4:a4:af:6f:da:b1:de:21:4e:ec
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Validity
Not Before: Mar  5 08:02:13 2021 GMT
Not After : May 22 08:02:13 2029 GMT
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:de:f6:78:f9:15:b0:ae:f7:f0:bf:2e:d1:f7:4f:
84:b5:ba:55:e7:36:c7:54:4e:df:d3:65:6b:22:d4:
.... missin values ....
6b:cc:15:81:88:fa:b1:75:00:f7:e5:e9:46:79:4a:
25:96:b5:c0:f8:15:46:c3:69:55:79:8a:09:1c:c2:
84:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier: 
78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
X509v3 Authority Key Identifier: 
keyid:78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
0e:06:d3:24:ac:03:56:6a:6f:02:2a:67:cb:38:37:31:e5:9c:
01:3d:41:09:0b:a7:9e:da:02:67:5f:ee:3b:58:03:c2:9d:2f:
.... missin values ....
cc:83:be:ee:29:b1:15:2b:b8:a0:9f:ef:29:5e:2b:3d:25:68:
80:df:8f:cc:26:ce:56:92:8b:e4:6b:84:1b:09:07:11:66:b5:
32:47:15:18
-----BEGIN CERTIFICATE-----
....data...
-----END CERTIFICATE-----

有什么问题吗?

您上传的文件CA-2.pem揭示了问题:它的内容是用UTF16编码的,这意味着每个字符占用2字节。开箱即用,openssl x509工具不能正确处理这个问题,因为它需要纯ASCII输入。字符串比较将失败,这解释了为什么该工具无法找到以-----BEGIN

开头的行。解决问题的最简单方法是将文件的编码转换为utf8编码。您可以通过用记事本打开文件来实现这一点——在右下角,它将表明编码是UTF16 LE——并将其保存为UTF8。或者您可以使用如下的Powershell命令:

> powershell -c "Get-Content CA.pem | Set-Content -Encoding utf8 CA-utf8.pem"

(参见UTF-16到UTF-8的转换(用于Windows脚本))

在这一点上,命令openssl x509 -in CA-utf8.pem成功,我希望您的其他命令也会成功,如果您使用这个utf8编码版本的证书。

我不清楚你的CA文件最终是如何被编码为UTF16的,虽然,我可能会在以后尝试弄清楚。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium