Bootstrap
登录 注册

使用服务器密钥签署客户端证书时无法加载证书错误

sslopensslssl-certificatex509certificate
发布时间:2021-03-05 08:39

我正在遵循 https://thrift.apache.org/test/keys 的指南,但是当我尝试使用 server.key 使用以下命令签署客户端证书时:

openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

我收到以下错误:

Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
unable to load certificate
13644:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

CA.pem 文件:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:9b:5f:55:60:5a:bf:5b:ff:5a:b4:a4:af:6f:da:b1:de:21:4e:ec
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Mar  5 08:02:13 2021 GMT
            Not After : May 22 08:02:13 2029 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:de:f6:78:f9:15:b0:ae:f7:f0:bf:2e:d1:f7:4f:
                    84:b5:ba:55:e7:36:c7:54:4e:df:d3:65:6b:22:d4:
                    .... missin values ....
                    6b:cc:15:81:88:fa:b1:75:00:f7:e5:e9:46:79:4a:
                    25:96:b5:c0:f8:15:46:c3:69:55:79:8a:09:1c:c2:
                    84:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
            X509v3 Authority Key Identifier: 
                keyid:78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         0e:06:d3:24:ac:03:56:6a:6f:02:2a:67:cb:38:37:31:e5:9c:
         01:3d:41:09:0b:a7:9e:da:02:67:5f:ee:3b:58:03:c2:9d:2f:
         .... missin values ....
         cc:83:be:ee:29:b1:15:2b:b8:a0:9f:ef:29:5e:2b:3d:25:68:
         80:df:8f:cc:26:ce:56:92:8b:e4:6b:84:1b:09:07:11:66:b5:
         32:47:15:18
-----BEGIN CERTIFICATE-----
....data...
-----END CERTIFICATE-----

可能是什么问题?

回答1

您上传的文件 CA-2.pem 揭示了问题:其内容以 UTF16 编码,这意味着每个字符占用 2 个字节。开箱即用,openssl x509 工具无法正确处理该问题,因为它需要纯 ASCII 输入。字符串比较将失败,这就解释了为什么该工具无法找到以 -----BEGIN

开头的那一行

解决问题的最简单方法是将文件的 ecnoding 转换为 UTF8 编码。您可以通过用记事本打开文件来完成此操作——在右下角,它将指示编码为 UTF16 LE——并将其保存为 UTF8。或者你可以像这样使用 Powershell 命令:

> powershell -c "Get-Content CA.pem | Set-Content -Encoding utf8 CA-utf8.pem"

(见UTF-16 to UTF-8 conversion (for scripting in Windows)

此时,命令 openssl x509 -in CA-utf8.pem 会成功,如果您使用此 UTF8 编码版本的证书,我希望您的其他命令也会成功。

我不清楚您的 CA 文件最初是如何被编码为 UTF16 的,我可能会在稍后尝试弄清楚。

ssl 相关推荐
openssl 相关推荐
ssl-certificate 相关推荐
x509certificate 相关推荐