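Correct content of a certificate file

Question (votes: 0, answers: 1)

So I followed this guide: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates

Everything went fine until I got the new certificate from the CA. What I have is a .crt file from them, which begins with: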

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51698 (0xc9f2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: <stuff here>
        Validity
            Not Before: Aug 29 18:35:08 2018 GMT
            Not After : Dec 1 18:35:08 2020 GMT
        Subject: <stuff here>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <stuff:here>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Encrypted File System
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:<<stuff.com>
    Signature Algorithm: sha256WithRSAEncryption
         <stuff:here>

According to the Splunk site, this should be in PEM format, because when I run their ssl command to verify it I get this error:

# /opt/splunk/bin/splunk cmd openssl x509 -in SignedCert.crt -text
unable to load certificate
139880334464688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Even if I rename the crt file to pem, the same thing happens.

Where am I going wrong?

ssl ssl-certificate x509certificate
1 Answer
0 votes

You did nothing wrong per se. You need to get your certificate from the CA in "PEM" format, which looks like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

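You can name it whatever you like; that has no consequence. But the content should look like that. I would advise against the name SignedCert.crt, because semantically it is redundant: a certificate is a public key, with metadata and a signature. So it is always signed. You should name it after something related to the service/website that will use it.

If you have it in this format, you can run openssl x509 -text -in followed by the file name yourself, and if all goes well it will indeed produce the text output you have at the beginning of your question. But in practice it is not possible to convert the text output back to PEM.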
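Added example (not part of the answer above, and not Splunk or OpenSSL code): a small Python check that tells apart the situations in this thread before the file is handed to openssl: a real PEM block, a text dump followed by a PEM block, and a text dump alone as in the question. The function names and the sample inputs are constructed for illustration; the stub is not a real certificate.

```python
import base64
import re

# Matches one PEM certificate block, wherever it sits in the file.
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----\s+"
    rb"([A-Za-z0-9+/=\s]+?)"
    rb"-----END (?:TRUSTED )?CERTIFICATE-----"
)

# Constructed sample inputs: an 8-byte ASN.1 stub, not a real certificate.
DER_STUB = b"\x30\x82\x00\x04\x02\x01\x00\x00"
PEM_STUB = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER_STUB)
            + b"-----END CERTIFICATE-----\n")
TEXT_DUMP = (b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
             b"    Signature Algorithm: sha256WithRSAEncryption\n")


def classify_cert(data: bytes) -> str:
    """Return 'pem', 'text+pem', 'text-only', 'der' or 'unknown'."""
    match = PEM_BLOCK.search(data)
    if match:
        body = b"".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"  # markers present but the body is not base64
        if not der.startswith(b"\x30"):
            return "unknown"  # decoded body is not an ASN.1 SEQUENCE
        # Anything before the BEGIN line means a text dump precedes the block.
        return "text+pem" if data[:match.start()].strip() else "pem"
    if data.startswith(b"\x30\x82"):
        return "der"  # binary X.509; openssl needs -inform DER to read it
    if data.lstrip().startswith(b"Certificate:") and b"Signature Algorithm:" in data:
        return "text-only"  # readable dump only: the encoded certificate is missing
    return "unknown"


def extract_pem(data: bytes) -> bytes:
    """Return only the first PEM block, dropping any text dump around it."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM certificate block in input")
    return match.group(0) + b"\n"
```

A result of 'text-only' is the case from the question: the file has to be requested again from the CA, since the encoded certificate is not in it.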
