split .pfx file into .crt and .key with openssl

Question

I am trying to implement client authentication for my API calls. To test this I am using Postman. When adding a .pfx client certificate to Postman and calling the API endpoint I get:

Error: BAD_PKCS12_DATA

After some digging I found the hint to split the .pfx file into .crt and .key. So I read the openssl documentation and tried the following:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]

But running these commands throws an error:

8000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../openss-1.1.1s/crypto/asn1/tasn_dec.c:1149:
8000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 errr:../openssl-1.1.1s/crypto/asn1/tasn_dec.c:309:Type=PKCS12

Does anyone know what the problem is?

Btw: I exported the .pfx file from an azure key vault using:

az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname>

which worked fine.

To narrow down the problem, I downloaded the .crt and .key file directly from the keyvault using:

az keyvault certificate download --vault-name <keyvaultname> -n <certname> -f <certname>.crt -e DER
az keyvault secret download --vault-name <keyvaultname> -n <certname> -f <certname>.key

but when I use the .crt and .key file I downloaded via Azure CLI I get another error in Postman:

Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE

Which is why I wanted to test splitting the .pfx into .crt and .key via openssl.

Does anybody have some insight as to why the extraction is failing or what I am doing wrong?

Answer 1

Score: 2

I was having the exact same issue you are having, also using Azure key vault. What I found is that the resulting secret downloaded appeared to be text when pfx is a binary format. Passing --encoding base64 to the download command seemed to properly write out a binary file (counter-intuitively). openssl then worked fine with this file, using the commands you mentioned (though I had to add a -nodes option to not try and password protect the exported key) and also added -passin pass: to not prompt for an import password. So in summary, these are the commands I ran:

az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname> --encoding base64
openssl pkcs12 -in <certname>.pfx -nocerts -out cert.key -nodes -passin pass:
openssl pkcs12 -in <certname>.pfx -clcerts -nokeys -out cert.crt
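The answer above amounts to a three-step procedure: make sure the downloaded .pfx is really binary PKCS#12 rather than a base64 text dump, extract the key and certificate with openssl, and only then hand them to the client. The script below is an added example, not code from the question, the answer or the Azure CLI; it wraps those steps in small shell functions (hypothetical names: is_binary_pkcs12, normalise_pfx, split_pfx, der_cert_to_pem, key_matches_cert) and assumes only that openssl and a coreutils-style base64 are on PATH. The Key Vault download itself is not run: a locally generated PKCS#12 is base64-encoded to stand in for the text form the CLI wrote, which is the constructed input. It also covers the second error in the question: a certificate fetched with -e DER has no "-----BEGIN" line, and a missing PEM header is exactly what the PEM routines report as NO_START_LINE, so that file needs converting to PEM before Postman will read it.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumes: openssl and a coreutils-style base64 on PATH. The Azure CLI
# download is not run; a locally generated PKCS#12 stands in for it,
# base64-encoded to mimic the text dump the CLI produced without
# "--encoding base64" (constructed fixture).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# True when the file begins with the DER SEQUENCE tag 0x30, which every
# binary PKCS#12 bundle does; a base64 dump begins with an ASCII character.
is_binary_pkcs12() {
    first="$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
    [ "$first" = "30" ]
}

# Write a binary PKCS#12 copy of $1 to $2, base64-decoding if needed, then
# verify that openssl can actually parse the result (MAC check included).
normalise_pfx() {
    if is_binary_pkcs12 "$1"; then
        cp "$1" "$2"
    else
        base64 -d "$1" > "$2"
    fi
    openssl pkcs12 -in "$2" -info -noout -passin pass: >/dev/null 2>&1
}

# The answer's two extraction commands: an unencrypted PEM key (-nodes) and
# the client certificate, with an empty import password so nothing prompts.
split_pfx() {
    openssl pkcs12 -in "$1" -nocerts -nodes -out "$2" -passin pass: 2>/dev/null
    openssl pkcs12 -in "$1" -clcerts -nokeys -out "$3" -passin pass: 2>/dev/null
}

# A certificate fetched with "-e DER" has no "-----BEGIN" line, which is
# what the PEM routines report as NO_START_LINE; convert it to PEM.
der_cert_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# True when the certificate's public key equals the private key's public
# half: the check to run before loading a key/cert pair into a client.
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)"
    c="$(openssl x509 -in "$2" -pubkey -noout \
         | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    [ "$k" = "$c" ]
}

# --- constructed fixture standing in for the Key Vault download ---
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/id.key" \
    -out "$WORK/id.crt" -subj "/CN=postman-client-test" -days 1 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/id.key" -in "$WORK/id.crt" \
    -out "$WORK/binary.pfx" -passout pass:
base64 "$WORK/binary.pfx" > "$WORK/text.pfx"                        # text dump
openssl x509 -in "$WORK/id.crt" -outform DER -out "$WORK/id.der"   # "-e DER"

normalise_pfx "$WORK/text.pfx" "$WORK/fixed.pfx"
split_pfx "$WORK/fixed.pfx" "$WORK/cert.key" "$WORK/cert.crt"
der_cert_to_pem "$WORK/id.der" "$WORK/cert-from-der.crt"
if key_matches_cert "$WORK/cert.key" "$WORK/cert.crt"; then
    echo "key and certificate match"
fi
```

To use this against a real download, replace the fixture block with the path written by az keyvault secret download (with or without --encoding base64; normalise_pfx accepts either form) and keep the key_matches_cert check: it catches the case where the certificate and secret were fetched from different versions of the Key Vault object. Because -nodes writes the private key unencrypted, the .key file should live only as long as the Postman import needs it and with owner-only permissions.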

huangapple
  • Posted on 2023-04-04 17:33:01
  • Please keep this link when reposting: https://go.coder-hub.com/75927762.html