Windows OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Original question: http://stackoverflow.com/questions/20837161/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Asked by lsv
I need a hash-name for a file for posting in Stunnel's CApath directory. I have got some certs in this directory and they are working well. Also, I have a server cert and server key:
cert = c:\Program Files (x86)\stunnel\server_cert.pem
key = c:\Program Files (x86)\stunnel\private\server_key.pem
When I try to calculate a hash of my new cert, I get an error:
/etc/pki/tls/misc/c_hash cert.pem
unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
As I understand I must sign my cert, but I don't understand how I can do that. Please, provide the solution.
P.S.:
The message
unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:
posted when I made c_hash for cert.pem. This is not server_cert.pem, this is Root_CA and its content is something like
-----BEGIN CERTIFICATE-----
...6UXBNSDVg5rSx60=..
-----END CERTIFICATE-----
When I write
openssl x509 -noout -text -in cert.pem
In console panel I see this info:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, ST=BB, L=BB, O=BANKSYS NV, OU=SCY, CN=TEST Root CA
Validity
Not Before: May 31 08:06:40 2005 GMT
Not After : May 31 08:06:40 2020 GMT
Subject: C=BE, ST=BB, L=BB, O=BB NV, OU=SCY, CN=TEST Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:82:c8:58:1e:e5:7a:b2:63:a6:15:bd:f9:bb:1f:
............
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
76:70:AB:92:9B:B1:26:CE:9E:93:D8:77:4F:78:0D:B8:D4:6C:DA:C6
Signature Algorithm: sha1WithRSAEncryption
2c:7e:bd:3f:da:48:a4:df:8d:7c:96:58:f7:87:bd:e7:16:24:
...............
Answered by Noam Rathaus
Since you are on Windows, make sure that your certificate is Windows "compatible", most importantly that it doesn't have ^M at the end of each line. If you open it, it will look like this:
-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M
To solve "this" open it with Write or Notepad++ and have it convert it to Windows "style".
Try to run
openssl x509 -text -inform DER -in server_cert.pem
and see what the output is, it is unlikely that a private/secret key would be untrusted, trust only is needed if you exported the key from a keystore, did you?
Answered by Rondo
Another possible cause of this is trying to use the x509 module on something that is not x509.
The server certificate is x509 format, but the private key is rsa.
So,
openssl rsa -noout -text -in privkey.pem
openssl x509 -noout -text -in servercert.pem
Answered by Gustavo da Silva Serra
My situation was a little different. The solution was to strip the .pem of everything outside of the CERTIFICATE and PRIVATE KEY sections and to invert the order in which they appeared. After converting from pfx to pem file, the certificate looked like this:
Bag Attributes
localKeyID: ...
issuer=...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
more garbage...
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
After correcting the file, it was just:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Answered by SpiRail
My mistake was simply using the CSR file instead of the CERT file.
Answered by peter n
I had the same issue using Windows, got it fixed by opening it in Notepad++ and changing the encoding from "UCS-2 LE BOM" to "UTF-8".
Answered by Yoda Zemichael
Change encoding in Notepad++ to UTF-8 with BOM. That is how it worked for me.
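A triage sketch for the conditions named in the answers above (UTF-16 or BOM-prefixed files, CRLF line endings, DER instead of PEM, a CSR or key handed to x509, text outside the PEM blocks). This is an added example, not code from the original posts; the function names, finding strings and sample data are constructed for illustration.

```python
import base64
import re

# Labels the OpenSSL x509 loader accepts as a certificate start line.
X509_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def triage(raw: bytes) -> list:
    """List the conditions from the answers above that are present in raw."""
    findings = []
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):      # "UCS-2 LE/BE BOM" in Notepad++
        findings.append("utf16-bom")
        text = raw.decode("utf-16", "replace")
    elif raw[:3] == b"\xef\xbb\xbf":               # UTF-8 with BOM
        findings.append("utf8-bom")
        text = raw[3:].decode("ascii", "replace")
    elif raw[:1] == b"\x30" and b"-----BEGIN" not in raw:
        return ["der-not-pem"]                     # ASN.1 SEQUENCE: try -inform DER
    else:
        text = raw.decode("ascii", "replace")
    if "\r\n" in text:
        findings.append("crlf-line-endings")       # shown as ^M in the answer above
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if not blocks:
        findings.append("no-pem-block")
    elif not X509_LABELS.intersection(labels):     # CSR or key given to x509
        findings.append("no-certificate-block:" + ",".join(labels))
    if blocks and PEM_BLOCK.sub("", text).strip(): # e.g. "Bag Attributes" from pfx
        findings.append("text-outside-blocks")
    for label, body in blocks:
        try:
            der = base64.b64decode(body)
        except ValueError:
            der = b""
        if der[:1] != b"\x30":                     # unencrypted bodies are a SEQUENCE
            findings.append("body-not-der:" + label)
    return findings

def sample(label: str) -> str:
    """Constructed PEM-shaped text; the body is not a real certificate or key."""
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(44)).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    pfx_export = "Bag Attributes\n" + sample("CERTIFICATE") + sample("PRIVATE KEY")
    print(triage(pfx_export.encode()))
    print(triage(sample("CERTIFICATE REQUEST").encode("utf-16")))
```

The findings only report what is present in the file; whether a given condition is what breaks a particular OpenSSL build is for the reader to confirm with `openssl x509 -noout -text -in <file>`.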
Answered by TrophyGeek
You can get this misleading error if you naively try to do this:
[clear] -> Private Key Encrypt -> [encrypted] -> Public Key Decrypt -> [clear]
Encrypting data using a private key is not allowed by design.
You can see from the command line options for open ssl that the only options to encrypt -> decrypt go in one direction public -> private.
-encrypt encrypt with public key
-decrypt decrypt with private key
The other direction is intentionally prevented because public keys basically "can be guessed." So, encrypting with a private key means the only thing you gain is verifying the author has access to the private key.
The private key encrypt -> public key decrypt direction is called "signing" to differentiate it from being a technique that can actually secure data.
-sign sign with private key
-verify verify with public key
Note: my description is a simplification for clarity. Read this answer for more information.