尝试生成pfx文件时无法加载证书 [英] Unable to load certificates when trying to generate pfx file
问题描述
最近三个小时,我一直在努力尝试使用OpenSSL创建.pfx文件.我一直在关注文档,并一直在关注Get a certificate using OpenSSL标头下的说明.
I have been struggling for the last three hours trying to create an .pfx file using OpenSSL. I have been following this document and have been following the instructions under the Get a certificate using OpenSSL header.
我正在执行以下操作:openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt,并且正在使用OpenSSL.exe控制台.
I am at the step here: openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt and am using the OpenSSL.exe console.
我收到错误:unable to load certificates
我也尝试过以下操作:x509 -text -in myserver.key并收到错误:0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE如果我尝试使用myserver.crt,我也会收到该错误.
I have also tried this: x509 -text -in myserver.key and received the error: 0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE I also get that error if I try myserver.crt.
不管做什么,我似乎都明白了.
I seem to get it no matter what I do.
有人可以帮忙吗?
推荐答案
我收到错误消息:无法加载证书
I get the error: unable to load certificates
myserver.crt必须为PEM格式.它有----- BEGIN CERTIFICATE -----和----- END CERTIFICATE -----吗?
myserver.crt needs to be in PEM format. Does it have ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----?
myserver.crt实际上应该是一连串的证书(而不仅仅是一个服务器证书).该链应包括客户验证链所需的所有中间证书.
myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.
您发送所有中间证书来解决哪个目录"问题. 哪个目录"是PKI中的一个众所周知的问题.本质上,客户端不知道去哪里获取丢失的中间证书.为避免此问题,请发送所有中间体.
You send all the intermediate certificates to solve the "which directory" problem. The "which directory" is a well know problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.
我经常使用 Startcom ,因为它们提供免费的1类证书.当我从他们那里获得签名的服务器证书时(例如,www-example-com.crt),我将它们的Class 1 Server Intermediate添加到了它.我从他们的网站 Startcom CA证书获得了他们的Class 1 Server Intermediate.我使用的是sub.class1.server.ca.pem.
I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem.
使用www-example-com.crt,我的服务器证书如下:
With the www-example-com.crt, my server certificate looks like:
$ cat www-example-com.crt
-----BEGIN CERTIFICATE-----
< My Server Certificate >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< Startcom Intermediate >
-----END CERTIFICATE-----
为完整性起见,私钥(例如www-example-com.key)也采用PEM格式.它使用-----BEGIN RSA PRIVATE KEY-----和-----END RSA PRIVATE KEY-----.
For completeness, the private key (for example, www-example-com.key) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
使用PEM格式的服务器证书(以及所需的中间件)和私钥,然后发出以下命令(看起来与您使用的命令相同):
With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):
openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12
客户端连接时,他们使用StartcomCA.因此,要测试连接(在加载到IIS之后):
When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):
openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem
该命令应以"Verify OK"完成:
The command should complete with "Verify OK":
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 37E5AF0EE1745AB2...
Session-ID-ctx:
Master-Key: 7B9F8A79D3CC3A41...
Key-Arg : None
Start Time: 1243051912
Timeout : 300 (sec)
Verify return code: 0 (ok)
我也尝试过这样:x509 -text-在myserver.key中并收到错误...
I have also tried this: x509 -text -in myserver.key and received the error...
x509用于证书.如果要转储密钥,请使用OpenSSL的pkey命令.请参阅有关OpenSSL的 pkey(1) 命令的文档.
x509 is for certificates. If you want to dump a key, use OpenSSL's pkey command. See the docs on OpenSSL's pkey(1) command.
这篇关于尝试生成pfx文件时无法加载证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
