I generated a CA certificate using easyRSA and intend to use it with FreeRadius for starttls. I have now found out that FreeRadius uses the pem format for certificates, but in my case the certificate is in binary format, so I tried the following commands to convert my certificate from crt format to pem:
root@s1:/etc/freeradius/certs/easy-rsa/keys# openssl x509 -inform DER -in server.crt -out server.pem -text
unable to load certificate
3074016960:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
3074016960:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509
The second:
root@s1:/etc/freeradius/certs/easy-rsa/keys# openssl x509 -in server.crt -inform DER -out server.pem -outform PEM
unable to load certificate
3073529536:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
3073529536:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509
But, as you can see, I always get an error and I don't know why.
And here is my server.crt file:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AT, ST=ST, L=Graz, O=Noureldin, OU=IT, CN=noureldin.local/name=Noureldin-CA/[email protected]
Validity
Not Before: Jun 25 13:07:51 2016 GMT
Not After : Jun 23 13:07:51 2026 GMT
Subject: C=AT, ST=ST, L=Graz, O=Noureldin, OU=IT, CN=OpenVPN-Server/name=OpenVPN-Server/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b6:c6:ec:91:f5:c8:23:8f:62:d4:14:18:04:fe:
b4:fd:5e:9b:47:11:07:52:45:fb:b9:8e:2f:55:c0:
f6:59:53:33:a1:56:4d:5d:61:c4:eb:b6:a6:67:9d:
e1:fd:68:b6:32:a8:d4:41:32:40:a3:16:59:8d:a3:
7f:63:b6:f4:bd:9d:5f:80:ba:ef:d4:94:c8:56:d0:
bc:2c:9c:03:cb:4c:b9:04:7e:d5:52:01:be:7b:c1:
d9:fb:80:3c:29:82:ff:52:89:47:2c:4a:e7:5d:6f:
3c:96:21:5c:bb:81:08:a3:27:34:11:f2:cb:c1:a2:
e5:00:e9:fb:97:d4:7e:df:76:17:02:5a:60:cc:80:
0d:de:2c:02:3a:16:a9:20:f4:8e:cc:96:23:83:81:
48:6b:5d:9e:be:49:20:d3:d8:05:63:cc:6a:ef:b2:
08:a3:0d:c7:06:23:7d:62:e7:ff:9d:b4:96:34:28:
b0:29:05:fa:4f:6b:1a:3f:df:5b:24:f3:26:4e:32:
33:8d:1a:72:25:00:36:d0:72:9e:5e:be:83:8c:d8:
46:22:e9:3b:04:58:03:a8:13:24:cd:45:76:58:de:
30:0d:36:ca:49:68:4b:c2:fc:c0:1e:e9:01:30:57:
6f:be:ef:9b:ed:77:e6:cc:17:1c:a5:9d:04:eb:2a:
69:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
7A:7C:1E:7D:E7:CA:91:20:F5:FC:E2:45:65:F9:67:D3:ED:E7:F9:87
X509v3 Authority Key Identifier:
keyid:AA:6F:06:92:CC:92:F9:09:B4:F9:32:05:9F:45:20:7D:3A:22:53:3B
DirName:/C=AT/ST=ST/L=Graz/O=Noureldin/OU=IT/CN=noureldin.local/name=Noureldin-CA/[email protected]
serial:D2:5D:DB:1E:5B:AA:CC:BE
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
32:16:8a:b9:30:4a:23:85:65:01:e4:1f:89:3d:14:f8:55:fb:
90:a2:98:29:aa:83:e4:c1:d2:95:31:62:a9:61:2a:8a:bf:eb:
18:8a:e0:3d:42:7e:35:2c:b9:11:eb:1c:f8:63:a1:e8:75:61:
6c:40:76:4f:ae:21:c3:a8:c7:d2:70:c8:96:6b:cd:6a:89:d9:
9e:34:d0:06:4c:10:c6:7b:bb:af:fa:bb:ea:14:82:21:f7:78:
99:2f:88:c8:d0:1c:e6:1f:db:d5:00:d6:30:d1:54:72:db:c0:
fa:4e:cf:ea:66:42:f2:c6:d3:ae:b5:c1:59:4c:ca:84:fc:80:
28:63:5d:d7:5b:9d:22:98:d2:9b:10:5d:4d:99:d2:ee:9c:a2:
13:75:fc:dc:95:9d:27:cc:df:f2:bd:89:5f:b4:43:f7:a8:f5:
84:4c:bb:54:0d:ca:00:6e:cb:e1:21:a0:34:6d:7f:18:27:3c:
0d:cf:b4:6a:c1:f0:ab:ed:63:df:d3:b5:cc:dd:d7:da:67:97:
6f:53:10:22:43:c6:dc:5b:06:0e:88:44:24:03:d2:9a:8d:07:
57:b0:19:cd:ce:6e:be:ef:bc:c2:69:8b:13:b6:7c:b5:c2:0c:
a9:2a:08:e1:45:0d:42:37:c2:1f:e5:2b:d6:f0:26:72:f5:c0:
43:83:f0:78
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
I see that here at the bottom there is a pem format. Does that mean my crt file has both crt and pem format? In that case, can I just delete one of the parts and then convert it normally? (I know it doesn't make sense to delete a part just to convert it.) I ask because I am getting an error on tls initialization and I am not sure whether the problem comes from the certificate format or from something else.
Could someone help me solve this?
Your certificate is already a PEM certificate. If it is not accepted, make a copy, remove the certificate details above
-----BEGIN CERTIFICATE-----
and try again.
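The check behind this answer, as an added example that is not part of the original post: a file that starts with the text dump cannot parse as DER, because DER must begin with the ASN.1 SEQUENCE byte 0x30, which is why `-inform DER` reports "wrong tag". The function names and the sample are constructed here; the PEM body is a five-byte ASN.1 stub, not a real certificate.

```python
import base64
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(BEGIN + rb"\r?\n(.*?)" + END, re.DOTALL)


def classify(data: bytes) -> str:
    """Return 'der', 'pem', 'pem-with-text' or 'unknown' for a certificate file."""
    if data[:1] == b"\x30":  # DER encoding starts with the SEQUENCE tag
        return "der"
    match = PEM_BLOCK.search(data)
    if match is None:
        return "unknown"
    # Anything before the BEGIN line is the human-readable dump.
    return "pem" if not data[:match.start()].strip() else "pem-with-text"


def extract_pem(data: bytes) -> bytes:
    """Return only the first PEM certificate block, without surrounding text."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Decode strictly so a damaged body is rejected instead of copied.
    der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("PEM body does not decode to an ASN.1 SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # PEM wraps at 64
    return BEGIN + b"\n" + b"\n".join(lines) + b"\n" + END + b"\n"


# Constructed sample: text details followed by a PEM block, like server.crt.
DER_STUB = bytes.fromhex("3003020101")  # SEQUENCE { INTEGER 1 }, not a certificate
SAMPLE = (
    b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    + BEGIN + b"\n" + base64.b64encode(DER_STUB) + b"\n" + END + b"\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))             # the mixed file from the question
    print(extract_pem(SAMPLE).decode())  # what the answer says to keep
```
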