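So I have been following this guide: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates
Everything went fine until I got the new certificate back from the CA. What I have is a .crt file from them, which begins with: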
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 51698 (0xc9f2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: <stuff here>
Validity
Not Before: Aug 29 18:35:08 2018 GMT
Not After : Dec 1 18:35:08 2020 GMT
Subject: <stuff here>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff:here>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Encrypted File System
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:<<stuff.com>
Signature Algorithm: sha256WithRSAEncryption
<stuff:here>
According to the Splunk website, this file should be in PEM format, as when I run their ssl command to verify it I get this error:
# /opt/splunk/bin/splunk cmd openssl x509 -in SignedCert.crt -text
unable to load certificate
139880334464688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
Even if I rename the crt file to pem, the same thing happens.
Where am I going wrong?
Answer 0 (score: 0)
You are not inherently doing anything wrong; you need to get the certificate from the CA in "PEM" format, which should look like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
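You can name it whatever you like; that has no consequence. But the content should look like this.
I would advise against SignedCert.crt, because semantically it is redundant: a certificate is a public key with metadata and a signature. So it is always signed. You should name it something related to the service/website it will be used with.
Once it is in this format, you can run openssl x509 -text -in + filename yourself, and if all goes well it will indeed produce the text output shown at the start of the question. But it is not really possible to convert the text output back to PEM.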
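As an added example (not part of the original question or answer), the check below classifies what a CA actually delivered before the file is handed to openssl or Splunk. It goes slightly beyond the thread by also recognising binary DER and a text dump that still carries a PEM block further down. The helper name `classify_cert` and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

# One PEM-armored certificate block.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed samples (not real certificates): a tiny DER SEQUENCE stands in
# for certificate bytes so the example runs offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
SAMPLE_DUMP = b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"


def classify_cert(data: bytes):
    """Return (kind, pem_blocks); kind is 'pem', 'text+pem', 'der',
    'text-only' or 'unknown'. Hypothetical helper, not an openssl API."""
    blocks = []
    for m in PEM_RE.finditer(data):
        body = b"".join(m.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # armor present, but the payload is not valid base64
        if der[:1] == b"\x30":  # a certificate is a DER SEQUENCE (tag 0x30)
            blocks.append(m.group(0).decode("ascii") + "\n")
    is_dump = data.lstrip().startswith(b"Certificate:")
    if blocks:
        return ("text+pem" if is_dump else "pem"), blocks
    if data[:1] == b"\x30":
        return "der", []  # binary DER: needs `-inform DER` on the openssl side
    if is_dump:
        return "text-only", []  # text dump with no PEM block: nothing to load
    return "unknown", []


if __name__ == "__main__":
    for label, data in [("dump only", SAMPLE_DUMP),
                        ("dump + PEM", SAMPLE_DUMP + SAMPLE_PEM),
                        ("PEM", SAMPLE_PEM), ("DER", SAMPLE_DER)]:
        kind, blocks = classify_cert(data)
        print(f"{label}: {kind}, {len(blocks)} PEM block(s)")
```

A `text-only` result means the certificate has to be requested again from the CA in PEM form; a `text+pem` result means the returned blocks can be saved to a file on their own and loaded as usual.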