Client certificate on EPP Call

Views: 191

This article covers how to handle a client certificate on an EPP call and should be a useful reference for anyone facing the same problem; follow along below.

Question

I am trying to use free client certificate by cacert.org in curl call. check following...

// $xml holds the EPP request body (its contents are not shown in the question)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://url.com');
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSLCERT, 'cert.crt');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml'));
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

I have downloaded the certificate as PEM, now I am getting the following error...

unable to set private key file: 'cert.crt' type PEM

I have tried every way but could not fix it, tried Google as well. Please help.

Solution

I believe the problem is that your certificate file does not contain the private key and it isn't being supplied separately using the CURLOPT_SSLKEY option, which points to the corresponding private key for the certificate.

I'm guessing the certificate was issued to you from the CA and installed in your browser. When this happens, the private key is stored by the browser in a secure location separate from the cert (depends on the OS & browser).

Most browsers won't let you export the certificate and private key without encrypting it (supplying a password). But based on the contents of your PEM file, there is no corresponding private key.

To resolve this you'll probably have to go through a few steps:

  • Export the cert from the browser again and make sure it includes the private key.
  • Chrome on Win/Linux and Internet Explorer on Windows will require you to enter a password. The certificate should be exported as a PKCS#12 (.p12) file.

The problem now is that the private key is encrypted and it needs to be unencrypted for cURL as far as I know.

  • Use openssl to decrypt the private key and export the certificate and key to PEM format.
  • openssl pkcs12 -in cert.p12 -nodes (this will ask for the password used to encrypt when you exported from the browser; cert.p12 is the cert & private key in PKCS12 format, and -nodes allows the private key to be exported without encryption).

This will print to standard output the certificate and key in PEM format.

You should see two sections:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

and

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You already have the cert most likely, but you need to save the private key to another file. Since it isn't encrypted on the server, take great care to set the permissions properly, typically 0400, so other users can't access it.
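The procedure above (export a PKCS#12 bundle, split it into an unencrypted key and a certificate with openssl, lock the key down to 0400, then hand both files to curl) worked through as a POSIX shell script. This is an added example, not code from the question or the answer; it assumes the openssl CLI is on PATH, and every file name and password in it is constructed for the demonstration. It also adds two checks the answer only implies: whether a PEM file actually contains a private-key block (the asker's cert.crt did not), and whether the key and certificate handed to curl really belong together.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the
# openssl CLI is on PATH; all file names and passwords are constructed.

# pem_has_private_key FILE
# Succeeds if FILE contains a PEM private-key block. A file holding only a
# certificate is exactly the state that makes curl report
# "unable to set private key file".
pem_has_private_key() {
    grep -Eq -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# p12_to_pem P12 PASSWORD KEYOUT CERTOUT
# Splits a browser-exported PKCS#12 bundle into an unencrypted private key
# (-nodes, as the answer describes) and the client certificate, each in its
# own file. The key is written under umask 077 and then set to 0400 so it is
# never readable by other users, not even briefly.
p12_to_pem() {
    (
        umask 077 &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" \
            >/dev/null 2>&1 &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" \
            >/dev/null 2>&1
    ) || return 1
    chmod 0400 "$3"
}

# key_matches_cert KEY CERT
# Succeeds if the public key embedded in CERT is the one derived from KEY,
# i.e. the two files you will hand to curl really are a pair.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_demo_p12 DIR PASSWORD
# Constructs a throwaway self-signed client cert + key and packs them into
# DIR/demo.p12, standing in for the bundle a browser exports.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-client' \
        -keyout "$1/demo_key.pem" -out "$1/demo_cert.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -in "$1/demo_cert.pem" -inkey "$1/demo_key.pem" \
        -out "$1/demo.p12" -passout "pass:$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_p12 "$d" 'export-password' || return 1

    # The asker's situation: a cert-only PEM that curl rejects as a key file.
    if pem_has_private_key "$d/demo_cert.pem"; then
        echo "demo_cert.pem unexpectedly contains a key"
    else
        echo "demo_cert.pem holds no private key: this is what curl complained about"
    fi

    # The answer's steps: split the PKCS#12 export, lock the key down, check the pair.
    p12_to_pem "$d/demo.p12" 'export-password' \
        "$d/client_key.pem" "$d/client_cert.pem" || return 1
    key_matches_cert "$d/client_key.pem" "$d/client_cert.pem" || return 1
    ls -l "$d/client_key.pem"
    # In the asker's PHP this pair maps to:
    #   curl_setopt($ch, CURLOPT_SSLCERT, 'client_cert.pem');
    #   curl_setopt($ch, CURLOPT_SSLKEY,  'client_key.pem');
    rm -rf "$d"
}

demo
```

The key file is created inside a subshell with umask 077 rather than chmod'ed afterwards, so there is no window in which it exists with the default permissions. The pair check compares the SubjectPublicKeyInfo PEM printed by `openssl pkey -pubout` with the one printed by `openssl x509 -pubkey`; a mismatch means curl would fail the TLS handshake even though both files parse cleanly.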

That concludes this article on the client certificate on an EPP call. We hope the recommended answer helps, and thank you for supporting IT屋!
