Erro ao converter certificado crt para pem

4

Gerei um certificado de CA usando easyRSA e pretendo usá-lo com o FreeRadius para usar starttls, agora descobri que o FreeRadius usa o formato pem para certificados, mas em No meu caso, o certificado está em formato binário, portanto, tentei usar os seguintes comandos para converter meu certificado de crt para o formato pem :

root@s1:/etc/freeradius/certs/easy-rsa/keys# openssl x509 -inform DER -in server.crt -out server.pem -text
unable to load certificate
3074016960:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
3074016960:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509

Segundo:

root@s1:/etc/freeradius/certs/easy-rsa/keys# openssl x509 -in server.crt -inform DER -out server.pem -outform PEM
unable to load certificate
3073529536:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
3073529536:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509

Mas, como visto, recebo sempre um erro e não sei porquê.

E aqui está o meu arquivo server.crt:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=ST, L=Graz, O=Noureldin, OU=IT, CN=noureldin.local/name=Noureldin-CA/[email protected]
        Validity
            Not Before: Jun 25 13:07:51 2016 GMT
            Not After : Jun 23 13:07:51 2026 GMT
        Subject: C=AT, ST=ST, L=Graz, O=Noureldin, OU=IT, CN=OpenVPN-Server/name=OpenVPN-Server/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:c6:ec:91:f5:c8:23:8f:62:d4:14:18:04:fe:
                    b4:fd:5e:9b:47:11:07:52:45:fb:b9:8e:2f:55:c0:
                    f6:59:53:33:a1:56:4d:5d:61:c4:eb:b6:a6:67:9d:
                    e1:fd:68:b6:32:a8:d4:41:32:40:a3:16:59:8d:a3:
                    7f:63:b6:f4:bd:9d:5f:80:ba:ef:d4:94:c8:56:d0:
                    bc:2c:9c:03:cb:4c:b9:04:7e:d5:52:01:be:7b:c1:
                    d9:fb:80:3c:29:82:ff:52:89:47:2c:4a:e7:5d:6f:
                    3c:96:21:5c:bb:81:08:a3:27:34:11:f2:cb:c1:a2:
                    e5:00:e9:fb:97:d4:7e:df:76:17:02:5a:60:cc:80:
                    0d:de:2c:02:3a:16:a9:20:f4:8e:cc:96:23:83:81:
                    48:6b:5d:9e:be:49:20:d3:d8:05:63:cc:6a:ef:b2:
                    08:a3:0d:c7:06:23:7d:62:e7:ff:9d:b4:96:34:28:
                    b0:29:05:fa:4f:6b:1a:3f:df:5b:24:f3:26:4e:32:
                    33:8d:1a:72:25:00:36:d0:72:9e:5e:be:83:8c:d8:
                    46:22:e9:3b:04:58:03:a8:13:24:cd:45:76:58:de:
                    30:0d:36:ca:49:68:4b:c2:fc:c0:1e:e9:01:30:57:
                    6f:be:ef:9b:ed:77:e6:cc:17:1c:a5:9d:04:eb:2a:
                    69:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier:
                7A:7C:1E:7D:E7:CA:91:20:F5:FC:E2:45:65:F9:67:D3:ED:E7:F9:87
            X509v3 Authority Key Identifier:
                keyid:AA:6F:06:92:CC:92:F9:09:B4:F9:32:05:9F:45:20:7D:3A:22:53:3B
                DirName:/C=AT/ST=ST/L=Graz/O=Noureldin/OU=IT/CN=noureldin.local/name=Noureldin-CA/[email protected]
                serial:D2:5D:DB:1E:5B:AA:CC:BE

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:server
    Signature Algorithm: sha256WithRSAEncryption
         32:16:8a:b9:30:4a:23:85:65:01:e4:1f:89:3d:14:f8:55:fb:
         90:a2:98:29:aa:83:e4:c1:d2:95:31:62:a9:61:2a:8a:bf:eb:
         18:8a:e0:3d:42:7e:35:2c:b9:11:eb:1c:f8:63:a1:e8:75:61:
         6c:40:76:4f:ae:21:c3:a8:c7:d2:70:c8:96:6b:cd:6a:89:d9:
         9e:34:d0:06:4c:10:c6:7b:bb:af:fa:bb:ea:14:82:21:f7:78:
         99:2f:88:c8:d0:1c:e6:1f:db:d5:00:d6:30:d1:54:72:db:c0:
         fa:4e:cf:ea:66:42:f2:c6:d3:ae:b5:c1:59:4c:ca:84:fc:80:
         28:63:5d:d7:5b:9d:22:98:d2:9b:10:5d:4d:99:d2:ee:9c:a2:
         13:75:fc:dc:95:9d:27:cc:df:f2:bd:89:5f:b4:43:f7:a8:f5:
         84:4c:bb:54:0d:ca:00:6e:cb:e1:21:a0:34:6d:7f:18:27:3c:
         0d:cf:b4:6a:c1:f0:ab:ed:63:df:d3:b5:cc:dd:d7:da:67:97:
         6f:53:10:22:43:c6:dc:5b:06:0e:88:44:24:03:d2:9a:8d:07:
         57:b0:19:cd:ce:6e:be:ef:bc:c2:69:8b:13:b6:7c:b5:c2:0c:
         a9:2a:08:e1:45:0d:42:37:c2:1f:e5:2b:d6:f0:26:72:f5:c0:
         43:83:f0:78
-----BEGIN CERTIFICATE-----
MIIFTTCCBDWgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCQVQx
CzAJBgNVBAgTAlNUMQ0wCwYDVQQHEwRHcmF6MRIwEAYDVQQKEwlOb3VyZWxkaW4x
CzAJBgNVBAsTAklUMRgwFgYDVQQDEw9ub3VyZWxkaW4ubG9jYWwxFTATBgNVBCkT
DE5vdXJlbGRpbi1DQTEmMCQGCSqGSIb3DQEJARYXbS5pLm5vdXJlbGRpbkBnbWFp
bC5jb20wHhcNMTYwNjI1MTMwNzUxWhcNMjYwNjIzMTMwNzUxWjCBpDELMAkGA1UE
BhMCQVQxCzAJBgNVBAgTAlNUMQ0wCwYDVQQHEwRHcmF6MRIwEAYDVQQKEwlOb3Vy
ZWxkaW4xCzAJBgNVBAsTAklUMRcwFQYDVQQDEw5PcGVuVlBOLVNlcnZlcjEXMBUG
A1UEKRMOT3BlblZQTi1TZXJ2ZXIxJjAkBgkqhkiG9w0BCQEWF20uaS5ub3VyZWxk
aW5AZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtsbs
kfXII49i1BQYBP60/V6bRxEHUkX7uY4vVcD2WVMzoVZNXWHE67amZ53h/Wi2MqjU
QTJAoxZZjaN/Y7b0vZ1fgLrv1JTIVtC8LJwDy0y5BH7VUgG+e8HZ+4A8KYL/UolH
LErnXW88liFcu4EIoyc0EfLLwaLlAOn7l9R+33YXAlpgzIAN3iwCOhapIPSOzJYj
g4FIa12evkkg09gFY8xq77IIow3HBiN9Yuf/nbSWNCiwKQX6T2saP99bJPMmTjIz
jRpyJQA20HKeXr6DjNhGIuk7BFgDqBMkzUV2WN4wDTbKSWhLwvzAHukBMFdvvu+b
7XfmzBccpZ0E6ypprQIDAQABo4IBhzCCAYMwCQYDVR0TBAIwADARBglghkgBhvhC
AQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2
ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHp8Hn3nypEg9fziRWX5Z9Pt5/mHMIHY
BgNVHSMEgdAwgc2AFKpvBpLMkvkJtPkyBZ9FIH06IlM7oYGppIGmMIGjMQswCQYD
VQQGEwJBVDELMAkGA1UECBMCU1QxDTALBgNVBAcTBEdyYXoxEjAQBgNVBAoTCU5v
dXJlbGRpbjELMAkGA1UECxMCSVQxGDAWBgNVBAMTD25vdXJlbGRpbi5sb2NhbDEV
MBMGA1UEKRMMTm91cmVsZGluLUNBMSYwJAYJKoZIhvcNAQkBFhdtLmkubm91cmVs
ZGluQGdtYWlsLmNvbYIJANJd2x5bqsy+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsG
A1UdDwQEAwIFoDARBgNVHREECjAIggZzZXJ2ZXIwDQYJKoZIhvcNAQELBQADggEB
ADIWirkwSiOFZQHkH4k9FPhV+5CimCmqg+TB0pUxYqlhKoq/6xiK4D1CfjUsuRHr
HPhjoeh1YWxAdk+uIcOox9JwyJZrzWqJ2Z400AZMEMZ7u6/6u+oUgiH3eJkviMjQ
HOYf29UA1jDRVHLbwPpOz+pmQvLG0661wVlMyoT8gChjXddbnSKY0psQXU2Z0u6c
ohN1/NyVnSfM3/K9iV+0Q/eo9YRMu1QNygBuy+EhoDRtfxgnPA3PtGrB8KvtY9/T
tczd19pnl29TECJDxtxbBg6IRCQD0pqNB1ewGc3Obr7vvMJpixO2fLXCDKkqCOFF
DUI3wh/lK9bwJnL1wEOD8Hg=
-----END CERTIFICATE-----

Eu vejo que aqui no buttom há um formato pem, isso significa que meu arquivo crt tem o formato crt e pem? então, nesse caso, posso simplesmente excluir uma das partes e conseguir convertê-la normalmente? (Eu sei que não faz sentido excluir uma parte apenas para convertê-lo), porque estou recebendo um erro na inicialização do tls e não tenho certeza se o problema vem do formato do cert ou de outra coisa.

Alguém poderia me ajudar a resolver isso?

    
por Mohammed Noureldin 26.06.2016 / 10:55

1 resposta

6

Seu certificado já é um certificado PEM. Se não for aceito, faça uma cópia, remova os detalhes do certificado acima de -----BEGIN CERTIFICATE----- e tente novamente.

    
por 26.06.2016 / 11:19