OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Time: 2023-01-15 13:10:32

I need a hash-name for file for posting in Stunnel's CApath directory. I have got some certs in this directory and they are working well. Also I have a server cert and server key:


cert = c:\Program Files (x86)\stunnel\server_cert.pem 
key = c:\Program Files (x86)\stunnel\private\server_key.pem

When I try to calculate a hash of my new cert, I get an error:


/etc/pki/tls/misc/c_hash cert.pem


unable to load certificate 140603809879880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE


As I understand I must sign my cert, but I don't understand how I can do that. Please, provide the solution.


P.S.:


The message


unable to load certificate 140603809879880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:


was posted when I made c_hash for cert.pem. This is not server_cert.pem; this is Root_CA, and its content is something like


-----BEGIN CERTIFICATE-----
...6UXBNSDVg5rSx60=..
-----END CERTIFICATE-----

When I write


openssl x509 -noout -text -in cert.pem


In console panel I see this info:


    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, ST=BB, L=BB, O=BANKSYS NV, OU=SCY, CN=TEST Root CA
        Validity
            Not Before: May 31 08:06:40 2005 GMT
            Not After : May 31 08:06:40 2020 GMT
        Subject: C=BE, ST=BB, L=BB, O=BB NV, OU=SCY, CN=TEST Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:82:c8:58:1e:e5:7a:b2:63:a6:15:bd:f9:bb:1f:
............
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                76:70:AB:92:9B:B1:26:CE:9E:93:D8:77:4F:78:0D:B8:D4:6C:DA:C6
    Signature Algorithm: sha1WithRSAEncryption
         2c:7e:bd:3f:da:48:a4:df:8d:7c:96:58:f7:87:bd:e7:16:24:
...............

7 solutions

#1


26  

1) Since you are on Windows, make sure that your certificate is Windows "compatible", most importantly that it doesn't have ^M at the end of each line.


If you open it it will look like this:


-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M

To solve "this", open it with Write or Notepad++ and have it convert it to Windows "style".


2) Try to run openssl x509 -text -inform DER -in server_cert.pem and see what the output is. It is unlikely that a private/secret key would be untrusted; trust is only needed if you exported the key from a keystore. Did you?


#2


6  

My situation was a little different. The solution was to strip from the .pem everything outside of the CERTIFICATE and PRIVATE KEY sections and to invert the order in which they appeared. After converting from pfx to pem file, the certificate looked like this:


Bag Attributes
localKeyID: ...
issuer=...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
more garbage...
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

After correcting the file, it was just:


-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

#3


6  

Another possible cause of this is trying to use the x509 module on something that is not x509.


The server certificate is x509 format, but the private key is rsa.


So:

openssl rsa -noout -text -in privkey.pem
openssl x509 -noout -text -in servercert.pem

#4


4  

I had the same issue using Windows, got it fixed by opening it in Notepad++ and changing the encoding from "UCS-2 LE BOM" to "UTF-8".


#5


2  

You can get this misleading error if you naively try to do this:


Plain text -> Private Key encrypt -> <enc text> -> Public Key decrypt ->

Encrypting data using a private key is not allowed by design.


You can see from the command line options for openssl that the only options to encrypt -> decrypt go in one direction, public -> private.


  -encrypt        encrypt with public key
  -decrypt        decrypt with private key

The other direction is intentionally prevented because public keys basically "can be guessed." So, encrypting with a private key means the only thing you gain is verifying the author has access to the private key.


The private key encrypt -> public key decrypt direction is called "signing" to differentiate it from being a technique that can actually secure data.


  -sign           sign with private key
  -verify         verify with public key

Note: my description is a simplification for clarity. Read this answer for more information.


#6


1  

Change encoding in notepad++ to UTF-8 with BOM. That is how it worked for me.


#7


1  

My mistake was simply using the CSR file instead of the CERT file.

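Added example, not taken from the question or any of the answers above: a small standard-library Python checker for the file-level causes those answers describe (a UTF-16 or UTF-8 BOM from the editor as in #4 and #6, CRLF line endings as in #1, "Bag Attributes" text around the armor as in #2, and a block that openssl x509 cannot read because it is a key or a CSR, as in #3 and #7). SAMPLE is a constructed file, and READER and the function names are assumptions of this example, not part of OpenSSL.

```python
import re
# One PEM block per match; the label ("CERTIFICATE", "PRIVATE KEY", ...) is captured.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Which openssl subcommand parses each label (answers #3 and #7: x509 reads certificates only).
READER = {"CERTIFICATE": "openssl x509", "TRUSTED CERTIFICATE": "openssl x509",
          "PRIVATE KEY": "openssl pkey", "RSA PRIVATE KEY": "openssl rsa",
          "CERTIFICATE REQUEST": "openssl req"}

def decode_pem(raw: bytes):
    """Return (text, findings); findings are the file-level causes of 'no start line'."""
    findings = []
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        findings.append("UTF-16 BOM (editor 'UCS-2 LE BOM'): openssl never sees '-----BEGIN'")
        text = raw.decode("utf-16")              # the codec consumes the BOM
    elif raw[:3] == b"\xef\xbb\xbf":
        findings.append("UTF-8 BOM precedes '-----BEGIN'")
        text = raw[3:].decode("utf-8")
    else:
        text = raw.decode("utf-8")               # plain ASCII PEM decodes as UTF-8
    if "\r\n" in text:
        findings.append("CRLF line endings (^M)")
    return text, findings

def pem_labels(raw: bytes) -> list:
    """Labels of the PEM blocks in the file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(decode_pem(raw)[0])]

def readers_for(raw: bytes) -> list:
    """The openssl subcommand that can parse each block found."""
    return [READER.get(label, "unknown label") for label in pem_labels(raw)]

def normalize_pem(raw: bytes) -> bytes:
    """Drop BOM, 'Bag Attributes' and anything else outside the armor, use LF, and put
    private-key blocks before certificates (the layout answer #2 ended up with)."""
    blocks = []
    for m in PEM_BLOCK.finditer(decode_pem(raw)[0]):
        label, body = m.group(1), m.group(2)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        blocks.append((0 if label.endswith("PRIVATE KEY") else 1, label, lines))
    blocks.sort(key=lambda b: b[0])              # stable: file order kept within each group
    out = []
    for _, label, lines in blocks:
        out += [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
    return ("\n".join(out) + "\n").encode("ascii") if out else b""

# Constructed sample: a pkcs12 -> pem export re-saved by an editor as 'UCS-2 LE BOM' with CRLF.
SAMPLE = ("Bag Attributes\r\n    localKeyID: 01\r\n"
          "-----BEGIN CERTIFICATE-----\r\nMIIDITCCAoqg\r\n-----END CERTIFICATE-----\r\n"
          "Bag Attributes\r\n-----BEGIN PRIVATE KEY-----\r\nMIIEvQIBADAN\r\n-----END PRIVATE KEY-----\r\n"
          ).encode("utf-16")
```

Run decode_pem on the file you are about to hand to c_hash or openssl x509; an empty findings list and a "CERTIFICATE" label mean the file itself is not the reason for "no start line".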
