
I am following the guide at https://thrift.apache.org/test/keys, but when I try to sign the client certificate with server.key using the command:

openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

I get the following error:

Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
unable to load certificate
13644:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

CA.pem file:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:9b:5f:55:60:5a:bf:5b:ff:5a:b4:a4:af:6f:da:b1:de:21:4e:ec
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Mar  5 08:02:13 2021 GMT
            Not After : May 22 08:02:13 2029 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:de:f6:78:f9:15:b0:ae:f7:f0:bf:2e:d1:f7:4f:
                    84:b5:ba:55:e7:36:c7:54:4e:df:d3:65:6b:22:d4:
                    .... missing values ....
                    6b:cc:15:81:88:fa:b1:75:00:f7:e5:e9:46:79:4a:
                    25:96:b5:c0:f8:15:46:c3:69:55:79:8a:09:1c:c2:
                    84:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B
            X509v3 Authority Key Identifier: 
                keyid:78:7B:B3:8A:F0:C0:DB:62:30:EA:E5:CD:5B:FD:5E:F9:C3:3D:8A:0B

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         0e:06:d3:24:ac:03:56:6a:6f:02:2a:67:cb:38:37:31:e5:9c:
         01:3d:41:09:0b:a7:9e:da:02:67:5f:ee:3b:58:03:c2:9d:2f:
         .... missing values ....
         cc:83:be:ee:29:b1:15:2b:b8:a0:9f:ef:29:5e:2b:3d:25:68:
         80:df:8f:cc:26:ce:56:92:8b:e4:6b:84:1b:09:07:11:66:b5:
         32:47:15:18
-----BEGIN CERTIFICATE-----
....data...
-----END CERTIFICATE-----

What could be the problem?

  • *"What could be the problem?"* - the contents of CA.pem probably does not match what is expected. What is the contents of CA.pem? – Steffen Ullrich Mar 05 '21 at 09:42
  • Delete everything in `CA.pem` before the `-----BEGIN CERTIFICATE-----` line. – Crowman Mar 05 '21 at 13:22
  • I tried that, but I get the same error. –  Mar 05 '21 at 13:32
  • You'd need to show exactly what you're doing from the very beginning, then, along with the version of OpenSSL you're using. – Crowman Mar 05 '21 at 13:42
  • Well I followed the tutorial linked above. I executed it line by line. The OpenSSL version is 1.1 –  Mar 05 '21 at 15:56
  • Actually 1.1.1j –  Mar 05 '21 at 16:28
  • What happens when you try `openssl x509 -in CA.pem`? – Reinier Torenbeek Mar 07 '21 at 21:12
  • I get the same error :/ –  Mar 07 '21 at 21:43
  • Yes -- from your earlier description, that is not a surprise. I was not able to reproduce your issue but it looks like `CA.pem` somehow got corrupted (although that is not visible from the contents that you posted). Did you transfer it between machines maybe? Does this issue get reproduced when you try the same commands again? Are you able to upload the exact file somewhere? – Reinier Torenbeek Mar 08 '21 at 00:58
  • I added an answer that explains why the last command fails, but not the root cause. Can you try replacing the command `openssl x509 -in server.crt -text > CA.pem` with `openssl x509 -in server.crt -text -out CA.pem` and see if it makes any difference? – Reinier Torenbeek Mar 08 '21 at 19:01

1 Answer


The file CA-2.pem that you uploaded reveals the problem: its contents are encoded in UTF16, meaning that every character takes up 2 bytes. Out of the box, the openssl x509 tool does not deal properly with that because it expects plain ASCII input. String comparisons will fail, which explains why the tool was not able to find the line starting with -----BEGIN.

The easiest way to fix your problem is by converting the file's encoding to UTF-8. You can do this by opening the file with Notepad -- in the bottom right corner it will indicate that the encoding is UTF16 LE -- and saving it as UTF8. Or you could use a PowerShell command like this:

> powershell -c "Get-Content CA.pem | Set-Content -Encoding utf8 CA-utf8.pem"

(See UTF-16 to UTF-8 conversion (for scripting in Windows))

At that point, the command openssl x509 -in CA-utf8.pem succeeds and I expect that your other command will succeed as well, if you use this UTF8-encoded version of the certificate.


It is unclear to me how your CA file ended up being encoded as UTF16 in the first place, though; I may try to figure that out later.

Reinier Torenbeek
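To make the failure mode in the answer concrete, here is an added diagnostic script (my own example, not code from the question, the answer or the Thrift guide). It detects the encoding of a PEM file from its byte pattern, reproduces the byte-level line scan that OpenSSL's PEM reader performs (and that never matches on UTF-16 input, hence "no start line"), and writes back an ASCII file containing only the BEGIN/END blocks, which also drops the `-text` dump that precedes the certificate in the question's CA.pem. The sample input is constructed: a placeholder base64 body, not a real certificate, encoded the way Windows PowerShell 5.x `>` redirection writes files (UTF-16 LE with a BOM and CRLF line endings), which is the likely origin of the problem given the `openssl x509 -in server.crt -text > CA.pem` step mentioned in the comments.

```python
"""Diagnose and repair a PEM file whose text encoding hides the
'-----BEGIN' line from OpenSSL.  Added example; not from the original post."""
import codecs
import sys

# BOMs checked longest first: the UTF-32 LE BOM begins with the UTF-16 LE BOM bytes.
BOMS = (
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def detect_encoding(data: bytes) -> tuple:
    """Return (codec name, number of leading BOM bytes to skip)."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name, len(bom)
    # BOM-less UTF-16 still betrays itself: ASCII text has a NUL after (LE)
    # or before (BE) every character.
    if len(data) >= 2 and data[0] != 0 and data[1] == 0:
        return "utf-16-le", 0
    if len(data) >= 2 and data[0] == 0 and data[1] != 0:
        return "utf-16-be", 0
    return "ascii", 0


def openssl_style_header_scan(data: bytes) -> bool:
    """Mimic OpenSSL's PEM reader, which walks the file line by line as raw
    bytes and compares each line against b'-----BEGIN '.  In UTF-16 every
    ASCII byte is paired with a NUL, so no line ever matches and the reader
    gives up with 'no start line'."""
    return any(line.startswith(b"-----BEGIN ") for line in data.splitlines())


def extract_pem_blocks(text: str) -> list:
    """Return every BEGIN..END block in text, with LF line endings; anything
    outside the blocks (e.g. the human-readable -text dump) is dropped."""
    blocks, current = [], None
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if current is None:
            if line.startswith("-----BEGIN "):
                current = [line]
        else:
            current.append(line)
            if line.startswith("-----END "):
                blocks.append("\n".join(current) + "\n")
                current = None
    return blocks


def normalize_pem(data: bytes) -> tuple:
    """Decode data with its detected encoding and return (encoding, ASCII PEM bytes)."""
    enc, skip = detect_encoding(data)
    text = data[skip:].decode(enc)
    blocks = extract_pem_blocks(text)
    if not blocks:
        raise ValueError("no PEM block found after decoding as %s" % enc)
    return enc, "".join(blocks).encode("ascii")


# Constructed sample: the body is a base64 placeholder, not a real certificate.
SAMPLE_PEM = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "TUlJQi4uLnBsYWNlaG9sZGVyLCBub3QgYSByZWFsIGNlcnRpZmljYXRlLi4u\n"
    "-----END CERTIFICATE-----\n"
)
# What `openssl x509 -text > CA.pem` produces under Windows PowerShell 5.x:
# UTF-16 LE with a BOM and CRLF line endings (assumed origin of the problem).
UTF16_FILE = codecs.BOM_UTF16_LE + SAMPLE_PEM.replace("\n", "\r\n").encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python fix_pem.py CA.pem CA-fixed.pem   (no args: run on the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
    else:
        raw = UTF16_FILE
    print("OpenSSL-style scan finds header:", openssl_style_header_scan(raw))
    enc, fixed = normalize_pem(raw)
    print("detected encoding:", enc)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
    print("after normalizing, scan finds header:", openssl_style_header_scan(fixed))
```

Run against the sample, the raw scan reports False and the normalized output reports True, which is exactly the difference between the failing `openssl x509 -in CA.pem` and the working `openssl x509 -in CA-utf8.pem` in the answer. Using `-out CA.pem` instead of shell redirection, as suggested in the comments, avoids the problem at the source because OpenSSL writes the file itself.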