How to convert a pkcs12 certificate string extracted from Azure Key Vault in a docker container to pem format?

Problem description

I am using the approach from the Microsoft docs to obtain the certificate inside a docker container via managed identity, as described here (Example 1): https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity#example-1-use-a-user-assigned-identity-to-access-azure-key-vault

When the certificate is in pem format, the output of the command:

curl https://mykeyvault.vault.azure.net/secrets/SampleSecret/?api-version=2016-10-01 -H "Authorization: Bearer $token"

looks like:

{"value":"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBkelEEzvwXiaW\nX4sPt052w/5tahn6OAy+lasH4Lq1xvU/G+z9Ra0rBs2NGhPr7smu8iAv {many symbols} KkrjDMmf5Om\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDMDCCAhigAw {too many symbols} 4GMgUQ==\n-----END CERTIFICATE-----\n","contentType":"application/x-pem-file","id":"myid","managed":true,"attributes":{"enabled":true,"nbf":1600276258,"exp":1631812858,"created":1600276858,"updated":1600276858,"recoveryLevel":"Recoverable+Purgeable"},"kid":"https://cert_url"}

Parsing it into cert.pem and private_key.pem files is easy.

But if it is in pkcs12 format, the output is just a string:

{"value":"MIIKPAIBAzCCCfwGCSqGSIb3DQEHAaCCCe0EggnpMIIJ5TCCBhYGCSqGSIb3DQEHA {only many symbols} 8O3VaP5TOUaZMQ=","contentType":"application/x-pkcs12","id":"myid","managed":true,"attributes":{"enabled":true,"nbf":1600275456,"exp":1631812056,"created":1600276056,"updated":1600276056,"recoveryLevel":"Recoverable+Purgeable"},"kid":"https://cert_url"}

So I can't convert that string into cert.pem and private_key.pem files the way explained above.

I put the value into a file cert.cer by:

curl https://testigorcert.vault.azure.net/secrets/SampleSecret/?api-version=2016-10-01 -H "Authorization: Bearer $token" | jq '.value' > cert.cer

and tried the following command:

openssl pkcs12 -in cert.cer -out cert.pem -nodes

Error:

139876006393152:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130: 139876006393152:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS12

Tried:

openssl pkcs12 -in cert.cer -nocerts -nodes -out key.pem

Error:

140021099644224:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130: 140021099644224:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS12

Tried:

openssl x509 -in cert.cer -text

Error:

139665046693184:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

So. How do I convert the value in pkcs12 certificate format into the two files cert.pem and private_key.pem?

Solution

The problem is the encoding of the downloaded string, because curl gets a .pfx string but it is encoded as ascii (it should be in base64). So I just used the other way (Example 2): https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity#example-2-use-a-system-assigned-identity-to-access-azure-key-vault

where I simply download the certificate .pfx via the command:

az keyvault secret download --file cert.pfx --name {cert_name} --vault-name {vault_name} -e base64

and then convert it into the two required files by:

openssl pkcs12 -in cert.pfx -nocerts -out key.rsa -nodes -passin pass:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt -passin pass:

Another (best) option, converting the certificate from base64 format with the proper commands:

token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq -r '.access_token')

curl https://myvault.vault.azure.net/secrets/mycert/?api-version=2016-10-01 -H "Authorization: Bearer $token" | 
jq -r ".value" | base64 -d | openssl pkcs12 -nocerts -out /etc/ssl/private-key.pem -nodes -passin pass:

curl https://myvault.vault.azure.net/secrets/mycert/?api-version=2016-10-01 -H "Authorization: Bearer $token" | 
jq -r ".value" | base64 -d | openssl pkcs12 -clcerts -nokeys -out /etc/ssl/cert.pem -passin pass:
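As an added example that is not part of the original answer: a POSIX shell helper that branches on the secret's contentType and checks the decoded bytes before calling openssl, so the "wrong tag" failure above (the JSON quotes that `jq '.value'` keeps without -r) is reported instead of being fed to openssl. The vault and secret names, the output directory and the VAULT/SECRET/OUT variables are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Vault/secret names and the output
# directory are placeholders; the MSI token endpoint is the one used above.
set -eu

# Classify a Key Vault secret value before handing it to openssl. A PKCS#12
# blob is DER, so after base64 decoding it must start with the SEQUENCE tag
# 0x30; the "wrong tag" error in the question is openssl seeing some other
# first byte, here the JSON quote that `jq '.value'` (without -r) keeps.
# Prints one of: pem pkcs12 quoted not-der unknown
classify_secret() {
  content_type=$1   # the .contentType field
  value=$2          # the .value field as printed by `jq -r .value`
  case $content_type in
    application/x-pem-file) echo pem ;;
    application/x-pkcs12)
      case $value in
        \"*) echo quoted; return ;;
      esac
      first=$(printf '%s' "$value" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
      [ "$first" = "30" ] && echo pkcs12 || echo not-der ;;
    *) echo unknown ;;
  esac
}

# Write $3/cert.pem and $3/private_key.pem from a secret in either format;
# the key file is created with owner-only permissions (umask 077).
secret_to_pem() {
  content_type=$1; value=$2; out=$3
  case $(classify_secret "$content_type" "$value") in
    pem)  # the value already holds both PEM blocks; openssl picks each one out
      printf '%s\n' "$value" | (umask 077; openssl pkey -out "$out/private_key.pem")
      printf '%s\n' "$value" | openssl x509 -out "$out/cert.pem" ;;
    pkcs12)
      printf '%s' "$value" | base64 -d | (umask 077; openssl pkcs12 -nocerts -nodes \
        -passin pass: -out "$out/private_key.pem")
      printf '%s' "$value" | base64 -d | openssl pkcs12 -clcerts -nokeys \
        -passin pass: -out "$out/cert.pem" ;;
    *) echo "secret value is mangled or has an unsupported contentType" >&2; return 1 ;;
  esac
}

# Fetch via the managed-identity endpoint and convert; run with: sh script.sh run
main() {
  vault=${VAULT:-mykeyvault}; secret=${SECRET:-SampleSecret}; out=${OUT:-.}
  token=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq -r .access_token)
  json=$(curl -s "https://$vault.vault.azure.net/secrets/$secret/?api-version=2016-10-01" -H "Authorization: Bearer $token")
  secret_to_pem "$(printf '%s' "$json" | jq -r .contentType)" "$(printf '%s' "$json" | jq -r .value)" "$out"
}
case ${1:-} in run) main ;; esac
```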
