Client certificate on EPP call

2022-01-25 00:00:00 ssl ssl-certificate curl php epp

I am trying to use a free client certificate from cacert.org in a curl call. Check the following...

```php
<?php
// EPP request body (the original post does not show how $xml is built)
$xml = '<?xml version="1.0" encoding="UTF-8"?><epp/>';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://url.com');
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // verify the server's certificate chain
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // verify the hostname matches the certificate
curl_setopt($ch, CURLOPT_SSLCERT, 'cert.crt');    // client certificate (PEM); no CURLOPT_SSLKEY is given
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml'));
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
if ($response === false) {
    echo curl_error($ch), PHP_EOL;
}
curl_close($ch);
```

I have downloaded the certificate as PEM, and now I am getting the following error...

unable to set private key file: 'cert.crt' type PEM

I have tried every way but could not fix it, tried Google as well. Please help.

Accepted answer

I believe the problem is that your certificate file does not contain the private key and it isn't being supplied separately using the CURLOPT_SSLKEY option, which points to the corresponding private key for the certificate.

I'm guessing the certificate was issued to you by the CA and installed in your browser. When this happens, the private key is stored by the browser in a secure location separate from the cert (depends on the OS and browser).

Most browsers won't let you export the certificate and private key without encrypting it (supplying a password). But based on the contents of your PEM file, there is no corresponding private key.

To resolve this you'll probably have to go through a few steps:

  • Export the certificate from the browser again and make sure the private key is included in it
  • Chrome on Win/Linux and Internet Explorer on Windows will ask you for a password. The certificate should be exported as a PKCS#12 (.p12) file

The problem now is that the private key is encrypted, and it needs to be unencrypted for cURL as far as I know

  • Use openssl to decrypt the private key and export the certificate and key to PEM format
  • openssl pkcs12 -in cert.p12 -nodes (this will ask for the password used to encrypt when you exported from the browser) (cert.p12 is the cert and private key in PKCS12 format. -nodes allows the private key to be exported without encryption)

This will print the certificate and key in PEM format to standard output.

You should see two sections:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You most likely already have the cert, but you need to save the private key to another file. Since it isn't encrypted on the server, take great care to set the permissions properly, typically 0400, so other users can't access it.
