unable to load certificates with openssl to convert to pfx [duplicate]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
I need a hash name for a file to put in Stunnel's CApath directory. I have got some certs in this directory and they are working well. Also, I have a server cert and server key:
cert = c:\Program Files (x86)\stunnel\server_cert.pem
key = c:\Program Files (x86)\stunnel\private\server_key.pem
When I try to calculate a hash of my new cert, I get an error:
/etc/pki/tls/misc/c_hash cert.pem
unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
As I understand I must sign my cert, but I don't understand how I can do that.
Please, provide the solution.
P.S.:
The message
unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:
was printed when I ran c_hash on cert.pem. This is not server_cert.pem, this is the Root_CA, and its content is something like
-----BEGIN CERTIFICATE-----
...6UXBNSDVg5rSx60=..
-----END CERTIFICATE-----
When I write
openssl x509 -noout -text -in cert.pem
In console panel I see this info:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, ST=BB, L=BB, O=BANKSYS NV, OU=SCY, CN=TEST Root CA
Validity
Not Before: May 31 08:06:40 2005 GMT
Not After : May 31 08:06:40 2020 GMT
Subject: C=BE, ST=BB, L=BB, O=BB NV, OU=SCY, CN=TEST Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:82:c8:58:1e:e5:7a:b2:63:a6:15:bd:f9:bb:1f:
............
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
76:70:AB:92:9B:B1:26:CE:9E:93:D8:77:4F:78:0D:B8:D4:6C:DA:C6
Signature Algorithm: sha1WithRSAEncryption
2c:7e:bd:3f:da:48:a4:df:8d:7c:96:58:f7:87:bd:e7:16:24:
...............

Since you are on Windows, make sure that your certificate is Windows "compatible", most importantly that it doesn't have ^M at the end of each line.
If you open it it will look like this:
-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M
To solve "this", open it with Write or Notepad++ and have it convert it to Windows "style".
Try to run openssl x509 -text -inform DER -in server_cert.pem and see what the output is. It is unlikely that a private/secret key would be untrusted; trust is only needed if you exported the key from a keystore. Did you?

Another possible cause of this is trying to use the x509 module on something that is not X.509.
The server certificate is X.509 format, but the private key is RSA.
So:
openssl rsa -noout -text -in privkey.pem
openssl x509 -noout -text -in servercert.pem

My mistake was simply using the CSR file instead of the CERT file.

My situation was a little different. The solution was to strip everything outside of the CERTIFICATE and PRIVATE KEY sections from the .pem and to invert the order in which they appeared.
After converting from pfx to pem file, the certificate looked like this:
Bag Attributes
localKeyID: ...
issuer=...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
more garbage...
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
After correcting the file, it was just:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I had the same issue using Windows, got it fixed by opening it in Notepad++ and changing the encoding from "UCS-2 LE BOM" to "UTF-8".

Change the encoding in Notepad++ to UTF-8 with BOM. That is how it worked for me.

You can get this misleading error if you naively try to do this:
[clear] -> Private Key Encrypt -> [encrypted] -> Public Key Decrypt -> [clear]
Encrypting data using a private key is not allowed by design.
You can see from the command line options for openssl that the only options to encrypt -> decrypt go in one direction: public -> private.
-encrypt encrypt with public key
-decrypt decrypt with private key
The other direction is intentionally prevented because public keys basically "can be guessed." So, encrypting with a private key means the only thing you gain is verifying the author has access to the private key.
The private key encrypt -> public key decrypt direction is called "signing" to differentiate it from being a technique that can actually secure data.
-sign sign with private key
-verify verify with public key
Note: my description is a simplification for clarity. Read this answer for more information.

Related

Decrypt encrypted RSA Private Key on the Browser side

I have an encrypted private RSA key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,B92E0E3A7B... // <--- IV here.
...
-----END RSA PRIVATE KEY-----
I need to decrypt it via a passphrase; basically I need the equivalent of
openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>
on the browser side with an Angular based client, using webcrypto and pkijs.
So for anyone who will in the future maybe face the same issue like I did:
PKI.js is providing an examples folder in their repo:
OpenSSLPrivateKeyEncryption
In there you will find a method called decrypt.
With that code I was able to decrypt my AES-CBC private key.

How to get RSA key from -----BEGIN CERTIFICATE----- from.crt and .pem file?

I'm having .crt and .pem file with
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
and I want RSA key from this file.
Does anyone have any idea how we can do that?
I have used below command one by one
openssl rsa -in XXX.crt -out input1.der -outform DER
openssl rsa -in input1.der -inform DER -out key.pem -outform PEM
But it gives an error:
unable to load Private Key 140331982231200:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY
PRIVATE KEY
I have also used different commands, but they give the above error.
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
This is a certificate in PEM format, which is a wrapper over a public key. A certificate is supposed to be public and can be distributed, but a private key (as the name suggests) is supposed to be kept secret. So a certificate can never contain a private key.
You mentioned you have a .pem file too. What is its content? Does it start with -----BEGIN RSA PRIVATE KEY-----? If yes, it would be your private key.
The command you are trying:
openssl rsa
It expects a private key in input, but you are supplying it a certificate. Hence the error.
You can't get a private key from a certificate, because the private key isn't in the certificate, and you can't get it from a PEM file unless the PEM file contains it, which ain't necessarily so.

How do I identify if my certificate contains private key?

According to the answer to this server-fault question, almost all certificate file formats can contain a private key alongside the public key, so how can I identify whether a certificate contains a private key?
This is important because I do not want to unknowingly send the private key to the remote client.
Following the structure of the link:
.csr. Only public keys in pem or der format
.pem. keys and/or certificates. Look for -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----
.key keys in pem format
.pkcs12 .pfx .p12 keys and/or certificates. List keys with openssl pkcs12 -info -nocerts -in keystore.p12
.jks keys and/or certificates. Java specific format.
.der pem content without base64 encoding. Look for KEY in openssl x509 -inform DER -in cert.der
.cert .cer .crt keys and/or certificates. Content can be pem or der
.p7b. Only certificates
.crl. No keys
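Added example (Python, stdlib only; not code from any of the answers): a checker for the defects the answers above report, namely a UTF-8 or UCS-2/UTF-16 BOM, CRLF line endings, "Bag Attributes" left over from a pkcs12 export, a CSR or key handed to the wrong openssl subcommand, and a private key hiding in a file meant for a client; normalize() also rewrites the file with the key ahead of the certificate, as in the pfx-to-pem answer. The sample input is constructed, and its base64 body is a placeholder rather than real DER.

```python
import base64
import re

# openssl subcommand for each PEM label; the wrong one gives "no start line".
READER = {"CERTIFICATE": "x509", "TRUSTED CERTIFICATE": "x509",
          "CERTIFICATE REQUEST": "req", "RSA PRIVATE KEY": "rsa",
          "PRIVATE KEY": "pkey", "ENCRYPTED PRIVATE KEY": "pkey"}
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")  # Notepad++ "UCS-2 LE BOM" is UTF-16

def decode(raw: bytes) -> str:
    # utf-8-sig also drops a UTF-8 BOM, which OpenSSL would choke on at byte 0
    return raw.decode("utf-16" if raw[:2] in UTF16_BOMS else "utf-8-sig")

def diagnose(raw: bytes) -> dict:
    """List the defects the answers above describe and what each block is."""
    issues = []
    if raw[:3] == b"\xef\xbb\xbf" or raw[:2] in UTF16_BOMS:
        issues.append("byte-order mark / non-ASCII encoding")
    text = decode(raw)
    if "\r\n" in text:
        issues.append("CRLF line endings")
    blocks = []
    for label, body in BLOCK.findall(text):
        try:  # a mangled or placeholder ("...") body fails to decode
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            issues.append(f"corrupt base64 in {label} block")
        blocks.append((label, "openssl " + READER.get(label, "?")))
    if BLOCK.sub("", text).strip():  # leftovers such as pkcs12 Bag Attributes
        issues.append("non-PEM text outside blocks")
    has_key = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    return {"blocks": blocks, "issues": issues, "has_private_key": has_key}

def normalize(raw: bytes) -> bytes:
    """Rewrite as plain UTF-8, LF only, PEM blocks only, keys ahead of certs."""
    found = BLOCK.findall(decode(raw))
    keys = [b for b in found if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in found if not b[0].endswith("PRIVATE KEY")]
    out = ""
    for label, body in keys + certs:
        out += f"-----BEGIN {label}-----\n" + "\n".join(body.split())
        out += f"\n-----END {label}-----\n"
    return out.encode("utf-8")

# Constructed sample (not a real cert/key): UTF-8 BOM, CRLF, Bag Attributes, cert before key.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not real DER").decode()
SAMPLE = ("\ufeffBag Attributes\r\n    localKeyID: 01 02\r\n-----BEGIN CERTIFICATE-----\r\n"
          f"{FAKE_B64}\r\n-----END CERTIFICATE-----\r\n-----BEGIN PRIVATE KEY-----\r\n"
          f"{FAKE_B64}\r\n-----END PRIVATE KEY-----\r\n").encode("utf-8")
```

Run diagnose() on a file before handing it to openssl pkcs12 or copying it to a client; if has_private_key is true, the file must not leave the server.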

Unable to load certificates when trying to generate pfx file

I have been struggling for the last three hours trying to create an .pfx file using OpenSSL. I have been following this document and have been following the instructions under the Get a certificate using OpenSSL header.
I am at the step here: openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt and am using the OpenSSL.exe console.
I get the error: unable to load certificates
I have also tried this: x509 -text -in myserver.key and received the error: 0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE I also get that error if I try myserver.crt.
I seem to get it no matter what I do.
Can someone please help?
I get the error: unable to load certificates
myserver.crt needs to be in PEM format. Does it have ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----?
myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.
You send all the intermediate certificates to solve the "which directory" problem. The "which directory" problem is a well-known problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.
I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem.
With the www-example-com.crt, my server certificate looks like:
$ cat www-example-com.crt
-----BEGIN CERTIFICATE-----
< My Server Certificate >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< Startcom Intermediate >
-----END CERTIFICATE-----
For completeness, the private key (for example, www-example-com.key) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):
openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12
When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):
openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem
The command should complete with "Verify OK":
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 37E5AF0EE1745AB2...
Session-ID-ctx:
Master-Key: 7B9F8A79D3CC3A41...
Key-Arg : None
Start Time: 1243051912
Timeout : 300 (sec)
Verify return code: 0 (ok)
I have also tried this: x509 -text -in myserver.key and received the error...
x509 is for certificates. If you want to dump a key, use OpenSSL's pkey command. See the docs on OpenSSL's pkey(1) command.
keytool -importcert -alias yourdns -keystore /usr/lib/jvm/java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64/lib/security/cacerts -file pathcertificate/.crc
password default = changeit

How do I split a multi-valued p12 certificate into separate certificates

I am attempting to integrate with Apple PNs and I currently have a p12 certificate that has both the Sandbox and Production certs within it. But I have read that Java SSL will only read the first one, and that for JavaPNS (the APN client I am using), says to use separate certs for this reason.
So using something like openssl, how can I take my current cert and separate it out into 2 new certs, one for the Sandbox and one for Production?
This has nothing to do with APN, it's just about splitting a p12 cert.
As you previously mentioned, you can use OpenSSL to change the p12 format to PEM format. The PEM format would be accepted but is also not secured with a password, so make sure you get what you need.
openssl pkcs12 -in yourcertificates.p12 -out certificates.pem -nodes
This will put everything in one file, so you will have to open the PEM file in a text editor and take out the required files.
Certificates are separated by
-----BEGIN CERTIFICATE-----
Content
-----END CERTIFICATE-----
Keys would be separated by
-----BEGIN RSA PRIVATE KEY-----
Content
-----END RSA PRIVATE KEY-----
Please update your question if you need any more information.