我正在使用cUrl从一个公司网站请求数据,该网站使用他们发送给我的.cer证书。
cUrl --header "Content-Type: text/xml;charset=UTF-8" \
--data @bustaRequestISEE2015ConsultazioneAttestazione.xml \
-o bustaResponseISEE2015ConsultazioneAttestazione.xml \
--cert ./caaffabisrl.cer \
https://istitutonazionaleprevidenzasociale.spcoop.gov.it/PD
当我运行它时,我收到以下错误消息:
curl:(58)无法加载PEM客户端证书,OpenSSL错误错误:0906D06C:PEM例程:PEM_read_bio:无起始行,(未找到密钥,密码短语错误,或文件格式错误?)
有人能帮我吗?
谢谢克里斯蒂亚诺。
3条答案
按热度按时间7vhp5slm1#
如果只使用客户端证书而不使用客户端私钥,则无法通过curl连接到TLS服务器。要么是他们忘记向您发送私钥文件,要么是他们向您发送的不是客户端证书而是用于验证的服务器证书。
首先我会尝试使用
--cacert
而不是--cert
,也就是说,告诉curl这是 * 服务器的 * 证书,curl可以使用它来验证服务器是否是您所认为的服务器。您也可以尝试删除
--cert
,而不使用--cacert
,这样可能会得到一个错误消息:服务器不受信任。然后添加--insecure
参数,看看它是否有效。我不会保留该参数,因为这样就无法证明您在与谁交谈。我的猜测是,它是服务器证书,使用
--cacert
而不是--cert
将解决这个问题。busg9geu2#
我猜想您的证书文件是DER编码的二进制证书,而不是base-64编码的证书。要将二进制转换为base-64,可以使用OpenSSL。
我总是忘记所有的参数,并有以下网站书签,因为它提供了如何转换几乎任何证书格式的例子。https://www.sslshopper.com/ssl-converter.html
p8h8hvxi3#
First, you need to specify whether you're expected to perform two-way TLS/SSL or MTLS (mutual TLS). This would typically be the reason for sending a certificate. If they sent the server certificate, but you can connect to the server with a browser, you can down load the certificate. If their server is configured to send the server certificate and CA chain, then you can get the entire chain in a single request using "openssl s_client -connect [hostname:port] -showcerts". Save the certs in the console to a file, copying the cert blob(s) to individual cert files (cert1.crt, cert2.crt). However, if they are expecting MTLS and attempting to send a client certificate to you, either you've already generated a private key and CSR (certificate signing request) and send them the CSR. They would have then signed a certificate with their CA certificate using the CSR. The cert they returned would then need to be paired with the private key used to generate the CSR. They should not be generating the public/private key pair and sending them over mail. The private key should be stored security on the one system used to establish the connection. If it's one-way (server ssl only), then your client system (assuming it's not the browser), needs a truststore file, with the CA certificate chain installed and set to trusted. If the platform is Java, read Java's keytool documentation. Note, a keystore is for your systems public/private keypair. A truststore is for the CA certificates that you trust to sign public certificates that your system should trust as being authentic. You need to read any of the PKI x509 overviews by DigiCert, SSLABS, Sectigo, etc.