
So I was following this guide: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates

Everything was fine up until I got the new certificate back from the CA. What I have is a .crt file from them that starts with:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51698 (0xc9f2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: <stuff here>
        Validity
            Not Before: Aug 29 18:35:08 2018 GMT
            Not After : Dec 1 18:35:08 2020 GMT
        Subject: <stuff here>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <stuff:here>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Encrypted File System
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:<<stuff.com>
    Signature Algorithm: sha256WithRSAEncryption
        <stuff:here>

According to the Splunk site this should be in PEM format, as when I run their ssl command to verify it I get this error:

# /opt/splunk/bin/splunk cmd openssl x509 -in SignedCert.crt -text
unable to load certificate
139880334464688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Same thing happens even if I rename the crt file to pem.

Where am I going wrong?

If it is exactly like this in the file, this is not a PEM encoded certificate. It should instead start with "-----BEGIN CERTIFICATE-----" and then only "gibberish". What you show seems to be the textual representation of a certificate, which is of no use to programs. This is even what the error message tells you (except that you will need to have the first line being `-----BEGIN TRUSTED CERTIFICATE-----`) – Patrick Mevzek Aug 29 '18 at 20:18

Also: contrary to what seems to be popular belief, the naming of the file, including its extension, has 0 consequences on how it will be interpreted. You could name it `foobar.42` as well and the results will be the same: it will work, or not, but solely based on its content. – Patrick Mevzek Aug 29 '18 at 20:19

This is not a correct X.509 certificate. It is just a text dump, not a binary copy. – Crypt32 Aug 29 '18 at 20:25

1 Answer


You are not doing anything wrong per se; you need to get your certificate from the CA in the "PEM" format, which should look like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You can name it whatever you wish; this has no consequences. But the content should be like that. I would advise against SignedCert.crt because semantically it is redundant: a certificate is a public key, with metadata and a signature, so it is always signed. You should name it after something related to the service/website that will use it.

When you have it in that format, you can yourself run openssl x509 -text -in + the filename, and if everything goes well it will indeed produce the textual output you have at the beginning of the question. But converting that textual output back to PEM is not possible in practice.

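As an added illustration of the point made in the answer and the comments (this script is not part of the original question or answer, nor Splunk's tooling), the POSIX shell functions below look at what a file actually contains, ignoring its extension, and report whether it is PEM, binary DER, or the human-readable `openssl x509 -text` dump the CA sent here. Only the conversion step relies on `openssl`; the classifier needs nothing beyond `dd`, `od`, `head` and `grep`. The sample files written by the demo at the bottom are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with
# dd/od/head/grep; openssl is only needed for the DER-to-PEM conversion.

# Print one word describing the real content of "$1", regardless of its name.
classify_cert_file() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    # PEM: the first line is the "-----BEGIN ...CERTIFICATE-----" armour line
    # (openssl also accepts the TRUSTED CERTIFICATE variant the error mentions).
    if head -n 1 "$file" | grep -q '^-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----$'; then
        echo "pem"
    # DER: raw ASN.1; an X.509 certificate always starts with a SEQUENCE tag, 0x30.
    elif [ "$(dd if="$file" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo "der"
    # Text dump: the output of `openssl x509 -text`, which begins with "Certificate:".
    elif head -n 1 "$file" | grep -q '^Certificate:'; then
        echo "text-dump"
    else
        echo "unknown"
    fi
}

# Write a PEM copy of "$1" to "$2" when that is possible, otherwise explain why not.
# PEM is copied as-is, DER is re-encoded with openssl, and a text dump is refused:
# as the answer says, the dump cannot be turned back into the certificate in practice.
to_pem() {
    src="$1"
    dst="$2"
    case "$(classify_cert_file "$src")" in
        pem)
            cp "$src" "$dst" ;;
        der)
            openssl x509 -inform DER -in "$src" -out "$dst" ;;
        text-dump)
            echo "$src: this is the text dump from 'openssl x509 -text', not a certificate; ask the CA for the PEM (or DER) file" >&2
            return 2 ;;
        *)
            echo "$src: unrecognised format" >&2
            return 3 ;;
    esac
}

# Demo on constructed placeholder files (not real certificates).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$dir/site.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' > "$dir/SignedCert.crt"
    printf '\060\202\001\012' > "$dir/site.cer"     # first DER bytes: SEQUENCE, long-form length
    for f in "$dir/site.crt" "$dir/SignedCert.crt" "$dir/site.cer"; do
        echo "$(basename "$f"): $(classify_cert_file "$f")"
    done
    to_pem "$dir/SignedCert.crt" "$dir/out.pem" || echo "conversion refused with status $?"
    rm -rf "$dir"
}

demo
```

The classifier deliberately never looks at the extension, which is the point both commenters make: `SignedCert.crt` and `SignedCert.pem` are judged by their first bytes alone. Running `sh` on the script prints `site.crt: pem`, `SignedCert.crt: text-dump` and `site.cer: der`, then refuses the conversion of the text dump.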