split .pfx file into .crt and .key with openssl
Question
I am trying to implement client authentication for my API calls. To test this I am using Postman. When adding a .pfx client certificate to Postman and calling the API endpoint I get:
Error: BAD_PKCS12_DATA
After some digging I found the hint to split the .pfx file into .crt and .key. So I read the openssl documentation and tried the following:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
But running these commands throws an error:
8000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../openssl-1.1.1s/crypto/asn1/tasn_dec.c:1149:
8000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../openssl-1.1.1s/crypto/asn1/tasn_dec.c:309:Type=PKCS12
Does anyone know what the problem is?
Btw: I exported the .pfx file from an Azure Key Vault using:
az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname>
which worked fine.
To narrow down the problem, I downloaded the .crt and .key files directly from the key vault using:
az keyvault certificate download --vault-name <keyvaultname> -n <certname> -f <certname>.crt -e DER
az keyvault secret download --vault-name <keyvaultname> -n <certname> -f <certname>.key
but when I use the .crt and .key files I downloaded via Azure CLI I get another error in Postman:
Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE
Which is why I wanted to test splitting the .pfx into .crt and .key via openssl.
Does anybody have some insight as to why the extraction is failing or what I am doing wrong?
Answer 1
Score: 2
I was having the exact same issue you are having, also using Azure Key Vault. What I found is that the resulting secret downloaded appeared to be text, when pfx is a binary format. Passing --encoding base64 to the download command seemed to properly write out a binary file (counter-intuitively). openssl then worked fine with this file, using the commands you mentioned (though I had to add a -nodes option to not try and password-protect the exported key) and also added -passin pass: to not prompt for an import password. So in summary, these are the commands I ran:
az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname> --encoding base64
openssl pkcs12 -in <certname>.pfx -nocerts -out cert.key -nodes -passin pass:
openssl pkcs12 -in <certname>.pfx -clcerts -nokeys -out cert.crt
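The "wrong tag ... Type=PKCS12" error in the question and the answer's explanation fit together: a PKCS#12 file is DER, so its first byte is the ASN.1 SEQUENCE tag 0x30 and the first element inside is INTEGER 3 (the PFX version), whereas a base64-encoded copy of the same file starts with the letter "M". The following script is an added example (not code from the question, the answer, Azure CLI or OpenSSL) that checks a downloaded file for exactly that: it reports whether the blob is raw DER, base64 text, PEM, or something else, and decodes the base64 case so that `openssl pkcs12` can read it. The sample input is a constructed PKCS#12 *header* only, not a real certificate bundle, and the function names are my own.

```python
"""Diagnose why `openssl pkcs12` rejects a downloaded .pfx (added example, stdlib only)."""
import base64
import binascii
import re

ASN1_SEQUENCE = 0x30
PKCS12_VERSION_PREFIX = b"\x02\x01\x03"  # INTEGER 3: PFX ::= SEQUENCE { version v3, authSafe, macData }
PEM_MARKER = b"-----BEGIN"


def _der_outer_length(data: bytes) -> tuple[int, int]:
    """Parse the length octets after the outer tag; return (header_len, content_len)."""
    if len(data) < 2:
        raise ValueError("truncated DER header")
    first = data[1]
    if first < 0x80:                      # short form: a single length octet
        return 2, first
    n = first & 0x7F                      # long form: n further octets hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def is_pkcs12_der(data: bytes) -> bool:
    """True if data is one complete outer SEQUENCE whose first element is INTEGER 3."""
    if not data or data[0] != ASN1_SEQUENCE:
        return False
    try:
        header_len, content_len = _der_outer_length(data)
    except ValueError:
        return False
    if header_len + content_len != len(data):  # trailing junk or truncation
        return False
    return data[header_len:].startswith(PKCS12_VERSION_PREFIX)


def classify_pfx(data: bytes) -> str:
    """Classify a downloaded blob as 'der', 'base64', 'pem', 'empty' or 'unknown'."""
    if not data:
        return "empty"
    if data.lstrip().startswith(PEM_MARKER):
        return "pem"
    if is_pkcs12_der(data):
        return "der"
    compact = re.sub(rb"\s+", b"", data)
    if re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:
            return "unknown"
        if is_pkcs12_der(decoded):
            return "base64"           # text encoding of a valid DER blob: the case in the question
    return "unknown"


def to_pkcs12_der(data: bytes) -> bytes:
    """Return raw DER suitable for `openssl pkcs12 -in`; decode base64 text, reject the rest."""
    kind = classify_pfx(data)
    if kind == "der":
        return data
    if kind == "base64":
        return base64.b64decode(re.sub(rb"\s+", b"", data), validate=True)
    raise ValueError(f"not a PKCS#12 blob (detected: {kind})")


# Constructed sample: a structurally valid PKCS#12 header, SEQUENCE { INTEGER 3, SEQUENCE {} }.
# It is NOT a real PFX and holds no key material; it only exercises the checks above.
_BODY = PKCS12_VERSION_PREFIX + b"\x30\x00"
SAMPLE_DER = bytes([ASN1_SEQUENCE, len(_BODY)]) + _BODY
SAMPLE_BASE64_TEXT = base64.encodebytes(SAMPLE_DER)   # what a text-encoded download looks like


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_BASE64_TEXT
    kind = classify_pfx(blob)
    print(f"detected: {kind}")
    if kind == "base64":
        print("base64 text, not DER: decode it (or re-download with --encoding base64) before openssl pkcs12")
```

Run it as `python check_pfx.py <certname>.pfx`; a result of `base64` is the situation the answer describes, and `to_pkcs12_der` yields the bytes that `openssl pkcs12 -in` expects. Note that the `-nodes` option in the answer writes the extracted private key to disk unencrypted, so restrict that file's permissions and delete it once the Postman test is done.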
Comments