Amazon EC2 - HTTPS - Invalid certificate body. The body must not contain a private key

I am new to Amazon EC2. I am trying to set up https for my website, following the official Amazon doc instructions: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

When I upload the signed certificate with the AWS command

aws iam upload-server-certificate --server-certificate-name dichcumga --certificate-body file://mycert.pem --private-key file://signedkey.pem --certificate-chain file://mychain.pem

I get the error

调用 UploadServerCertificate 操作时发生客户端错误 (MalformedCertificate):证书正文无效。正文中不得包含私钥。

mycert.pem is the combination of private.pem and signedkey.pem (returned by VeriSign)

copy private.pem+signedkey.pem mycert.pem

Please help me understand this. Thanks in advance.

[Update 1 - August 21, 2014]: Problem with the public certificate returned by the CA

Following @mezi's suggestion, I went through these instructions: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html

But I ran into a problem with the public certificate returned by the CA.

  • I submitted the CSR request
  • The CA sent me back an email containing the public certificate as plain text

  • Next, I copied that text into Notepad and saved it as public.pem
  • Then I used an openssl command to check whether it is in PEM format

openssl x509 -inform PEM -in public.pem

I get the error

无法加载证书 1952:错误:0D0680A8:asn1 编码例程:ASN1_CHECK_TLEN:错误标签:.\crypto\as n1\tasn_dec.c:1319: 1952:错误:0D07803A:asn1 编码例程:ASN1_ITEM_EX_D2I:嵌套的 asn1 错误:.\ crypto\asn1\tasn_dec.c:381:Type=X509_CINF 1952:错误:0D08303A:asn1 编码例程:ASN1_TEMPLATE_NOEXP_D2I:嵌套的 asn1 e 错误:.\crypto\asn1\tasn_dec.c:751:Field=cert_info,Type=X509 1952:错误:0906700D:PEM例程:PEM_ASN1_read_bio:ASN1 lib:\crypto\pem\pem_oth.c:83:

--> So this is not PEM format. I have made a mistake somewhere here, can anyone help?

Answer 1

The file (update 1) is in PEM format - assuming the dashes-BEGIN-CERTIFICATE-dashes and dashes-END-CERTIFICATE-dashes are actually on separate lines, which is not clear from the pasted formatting - but it is not a certificate in PEM format. PEM format is used for many different kinds of objects. This is a PKCS7/CMS SignedData with empty data and two certificates: an EE certificate for Epinion dichcum.ga and a CA (chain) certificate for Verisign Trial Secure Server CA G2. This format (PKCS7 SignedData with empty data and certificates) is a common way of distributing related certificates, usually called "p7b" or "p7c".

Change the word CERTIFICATE in the BEGIN and END lines to PKCS7. Run openssl pkcs7 -print_certs <public.pem >tempfile. The output file tempfile will contain text blocks, each consisting of a BEGIN line, several lines of data, and an END line. Use any text editor or a utility such as sed to put those blocks in separate files, say mycert.pem and chaincert.pem. Upload the first file as your certificate, the second as the chain certificate, together with your private key file (apparently private.pem).
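As an added illustration (not code from the question or the answer), here is a small pure-Python version of the answer's diagnosis and of the openssl pkcs7 -print_certs step: classify() shows why openssl x509 rejects the file (the outer SEQUENCE opens with a content-type OID rather than a TBSCertificate) and split_bundle() lifts the certificates out of the PKCS7 SignedData into one CERTIFICATE block each. All function names and the sample bundle are my own; the sample uses placeholder, non-real certificates and BER indefinite lengths because the CA-returned blob in the question is encoded that way (it decodes to 30 80 ...).

```python
import base64, re
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 (pkcs7-signedData)
def parse(buf, off=0):
    """Decode one BER/DER TLV at buf[off]; return (tag, content, raw, next_off)."""
    tag, ln, start = buf[off], buf[off + 1], off + 2
    if ln == 0x80:                       # BER indefinite length: walk the children up to the 00 00 EOC
        end = start
        while buf[end:end + 2] != b"\x00\x00":
            end = parse(buf, end)[3]
        return tag, buf[start:end], buf[off:end + 2], end + 2
    if ln & 0x80:                        # long-form definite length
        n = ln & 0x7F
        ln, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, buf[start:start + ln], buf[off:start + ln], start + ln
def tlvs(buf, off=0):                    # (tag, content, raw) for each element of a constructed value
    while off < len(buf):
        tag, content, raw, off = parse(buf, off)
        yield tag, content, raw

def pem_decode(text):                    # -> (label, bytes) of the first -----BEGIN label----- block
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, blob):             # 64-column base64 between the usual armour lines
    return f"-----BEGIN {label}-----\n" + "\n".join(re.findall(".{1,64}", base64.b64encode(blob).decode())) + f"\n-----END {label}-----\n"

def classify(blob):
    # A Certificate opens with TBSCertificate (a SEQUENCE); PKCS7 ContentInfo opens with an OID: the "wrong tag" openssl x509 reports
    tag, content, _, _ = parse(blob)
    first_tag, first, _, _ = parse(content) if tag == 0x30 and content else (None,) * 4
    return ("certificate" if first_tag == 0x30 else
            "pkcs7-signed-data" if (first_tag, first) == (0x06, SIGNED_DATA_OID) else "unknown")

def extract_certs(blob):                 # DER certificates from SignedData.certificates ([0] IMPLICIT), in file order
    _, content_info, _, _ = parse(blob)
    _, explicit0, _ = list(tlvs(content_info))[1]       # [0] EXPLICIT SignedData
    _, signed_data, _, _ = parse(explicit0)
    return [raw for tag, certs, _ in tlvs(signed_data) if tag == 0xA0 for _, _, raw in tlvs(certs)]

def split_bundle(pem_text):              # like the answer's 'openssl pkcs7 -print_certs': one CERTIFICATE block per cert
    _, blob = pem_decode(pem_text)
    certs = [blob] if classify(blob) == "certificate" else extract_certs(blob)
    return [pem_encode("CERTIFICATE", c) for c in certs]

# Constructed sample: two X.509-shaped placeholders (not real certs) in a degenerate SignedData using BER indefinite lengths
def der(tag, content): return bytes([tag, len(content)]) + content           # short-form lengths only
def ber_indef(tag, content): return bytes([tag, 0x80]) + content + b"\x00\x00"
def fake_cert(serial): return der(0x30, der(0x30, der(0x02, serial)) + der(0x30, b"") + der(0x03, b"\x00"))
_signed = ber_indef(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701"))) + der(0xA0, fake_cert(b"\x01") + fake_cert(b"\x02")) + der(0x31, b""))
SAMPLE_P7B = pem_encode("CERTIFICATE", ber_indef(0x30, der(0x06, SIGNED_DATA_OID) + ber_indef(0xA0, _signed)))
```

On a real file, write each block split_bundle() returns to its own file (the answer's mycert.pem and chaincert.pem) and upload those; the parser reads BER and DER but does not validate signatures or certificate contents.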
