"Mitchel, Jennifer (Jem)" wrote: Show
> I am typing the command: ./openssl x509
-noout -text -in server.crt > and I am getting the error: > unable to load certificate > 19713:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:663:Expecting: TRUSTED CERTIFICATE > Can someone tell me what it is I'm missing. It might not be this simple, but could you check to see that the -----BEGIN
CERTIFICATE----- If the certificate is a jumble of binary data try adding -inform der ./openssl x509 -noout -text -inform der -in server.crt It is easy to translate between the two formats using much the der to pem: pem to der: (actually pem is the default for inform and outform) This might be important later when you try to use the certificate, -- Charles B. (Ben)
Cranston Home > CentOS > CentOS 6.x > Security tools > openssl Creating self-signed pem certificates for HTTPSWe can create self-signed pem ceritifcates using openssl for HTTPS, SMTPS, etc. using: openssl req -x509 -nodes -days 9999 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem The life of certificate is set to 9999 so that it never expires. The above command leads to various prompts. If prompts are not desired use format: openssl req -new -newkey rsa:2048 -days 9999 -nodes -x509 -subj '/C=IN/ST=Telangana/L=Hyderabad/O=Rekall Software/CN=myserver.example.com' -keyout mycert.pem -out mycert.pem For information on getting certificates signed by CA use Getting certificates signed by recognized CA Creating certificate request with OpenSSLTo create certificate request with OpenSSL we can use: openssl genrsa -des3 -out client1.key 2048 openssl req -new -key client1.key -days 365 -out client1.csr Remember the password supplied while generating key, as that password would be asked whenever we try to generate a new request with the key. Challenge password asked at the end when we create a new certificate request can be left blank. If we use password protected key then it will lead to asking of password whenever we start service. For example if the password protected key is configured in apache web server then while starting web server we have to input the passphrase. This is specially problematic if system is configured to start apache automatically on boot for unattended systems (VMs etc.) After creating initial key and CSR, we can remove the password from key, if not required via: openssl rsa -in client1.key -out client1-without-passowrd.key Refer:
Checking whether a given certificate and key pair matchTo check whether a given key and certificate pair match one can use: openssl rsa -noout -modulus -in <key-file> | openssl md5 openssl x509 -noout -modulus -in <certificate-file> | openssl md5 If both the commands result into exactly same output then the certificate and key pair match, otherwise there is a problem. Note that as per http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match just matching of modulus is not enough. Not sure if it is really so or not. Download server certificate directly from serverTo download SSL/TLS certificate from any server use: openssl s_client -connect {HOSTNAME}:{PORT} -showcerts The certificate would be between BEGIN_CERTIFICATE and END_CERTIFICATE line In case of a normal port with STARTTLS use something similar to: openssl s_client -starttls smtp -connect {HOSTNAME}:{PORT} -showcerts Apart from smtp we can use imap, pop3, ftp or xmpp at the time of this writing.
Converting certificates from one format to anotherWe can use openssl to convert from one certificate type to another. There are following types of certificates: PEM Format (.PEM, .CRT, .CER, .KEY)Used in Linux has --BEGIN CERTIFICATE--, ---END CERTIFICATE--- and is in ASCII formatDER Format (.DER, .CER)Similar to PEM certificate but in binary formatPKCS#7 or P7B Format (.P7B, .P7C)Base 64 or ASCII formatPKCS#12 or PFX Format (.PFX, .P12)Stores CA, intermediate, certificate and key in one binary encrypted format. Used often on Windows to export and import certificates.Convert PEM to DERopenssl x509 -outform der -in certificate.pem -out certificate.der Convert PEM to P7Bopenssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer Convert PEM to PFXopenssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt Convert DER to PEMopenssl x509 -inform der -in certificate.cer -out certificate.pem Convert P7B to PEMopenssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer Convert P7B to PFXopenssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer Convert PFX to PEMopenssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Viewing certificatesView PEM encoded certificateTo view encoded certificate use: openssl x509 -in cert.pem -text -noout openssl x509 -in cert.cer -text -noout openssl x509 -in cert.crt -text -noout If you get following error: unable to load certificate 12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE then that indicates that you are trying to open DER encoded certificate. View DER encoded certificateopenssl x509 -in certificate.der -inform der -text -noout If you get following error: unable to load certificate 13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509 then that indicates that you are trying to open PEM encoded certificate. View details of Certificate Signing Request (CSR) fileTo see details of CSR file use: openssl req -noout -text -in <csr-file-name> Refer:
Create certificate chainIn case of pem based chains we can create the chain via: cat <pem-encoded-key> <pem-encoded-crt> <pem-encoded-ca-bundle> > combined-ca-bundle.pem For example: cat client1-without-password.key client1.crt ca-bundle.pem > combined-ca-bundle.pem Note that the private key comes first and then the pem encoded certificate. Finally we have the pem encoded CA bundle. Validate the created file via: openssl crl2pkcs7 -nocrl -certfile combined-ca-bundle.pem | openssl pkcs7 -print_certs -noout In the output you must see:
Validate certificate chainIdeally certificate is signed by CA or by an intermediatory. In chain file we should have our certificate, then intermediary and then finally root CA. To validate certificate chain with only CA and certificate use: openssl verify -CAfile <ca.pem> <cert.pem> To validate certificate chain with CA, intermediate and certificate use: openssl verify -CAfile <ca.pem> -untrusted <intermediate.cert.pem> <cert.pem> If the entire chain is in a single pem file then validate using: openssl crl2pkcs7 -nocrl -certfile <chain.pem> | openssl pkcs7 -print_certs -noout The above should output first server certificate details, then intermediary (if present) and finally root issuer certificate. Refer:
How do I fix not trusted certificate?How to Fix SSL Certificate Error. Diagnose the problem with an online tool.. Install an intermediate certificate on your web server.. Generate a new Certificate Signing Request.. Upgrade to a dedicated IP address.. Get a wildcard SSL certificate.. Change all URLS to HTTPS.. Renew your SSL certificate.. What is pem format for certificate?PEM stands for Privacy Enhanced Mail. The PEM format is often used to represent certificates, certificate requests, certificate chains, and keys. The typical extension for a PEM–formatted file is .
What are .CRT files?A file with . crt extension is a security certificate file that is used by secure websites for establishing secure connections from web server to a browser. Secure websites make it possible to secure data transfers, logins, payment card transactions, and provide protected browsing to the site.
How do I get a local issuer certificate?When ssl certificate problem unable to get local issuer certificate error is caused by a self-signed certificate, the fix is to add the certificate to the trusted certificate store. Open the file ca-bundle. crt located in the directory above, then copy and paste the Git SSL certificate to the end of the file.
|