OpenSSL Keystore Generation for Trinidad
https://stackoverflow.com/questions/11318754
-
18-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianسؤال
I am trying to use openSSL to set up an https connection for my application. I'm running a Neo4j 1.2.2 database, with a Trinidad 1.3.5 web server, using the Rails 3.1 and ruby 1.9.
I have a Thawte trial certificate, ca_cert.crt, their intermediate and root certificates, ca_intermediate.crt and ca_root.crt respectively, and my own private key, ca_private.pem. What openssl command do I need to run to create a keystore, which I can specify in my app's trinidad.yaml config file?
So far the "looks-closest-to-right" thing I've tried is:
pkcs12 –export –in ca_cert.crt inkey ca_private.pem –out keystore.p12 –name tomcat
and it gives me the error:
unable to load certificates
6380:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\as
n1\tasn_dec.c:1319:
6380:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\
crypto\asn1\tasn_dec.c:381:Type=X509_CINF
6380:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 e
rror:.\crypto\asn1\tasn_dec.c:751:Field=cert_info, Type=X509
6380:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:.\crypto\pem\pe
m_info.c:258:
error in pkcs12
It looks to me like openssl doesn't like the format I have the files in, though I have tried nearly every combination of the .pem, .crt, .cer, and .key extensions I can think of to no avail. I'm new to SSL entirely, so I hope I'm just doing something stupid and its an easy fix...
Here is the example I've been trying to follow: https://github.com/trinidad/trinidad/wiki/ssl-end-to-end-example
المحلول
From this answer it seems that Thawte certificates are formatted as PKCS#7, while openssl pkcs12 -export command expects PEM. Certificate in PKCS#7 can be converted using modified version of command from previously linked answer.
$ openssl pkcs7 -in ca_cert.crt -print_certs | openssl x509 -outform PEM > ca_cert.pem
Then executing command, that you provided, creates PKCS#12 keystore.
$ openssl pkcs12 –export –in ca_cert.pem -inkey ca_private.pem –out keystore.p12 –name tomcat
