Any way to validate a .pem file?

JockVSJock · 09-30-2021, 11:43 AM

Is there a way to validate a .pem file that was created in a container? This is on RHEL8 (not an container). The container is Nexus.

When trying to validate with openssl command, get the following error:

Code:

[user_a@host_a host_a-nexus.enclave.pem]$ openssl verify host_a-nexus.enclave.pem 
unable to load certificate
139658552366912:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

smallpond · 09-30-2021, 12:13 PM

Pems are used for different functions. The first line of the pem should give the purpose, for example: -----BEGIN CERTIFICATE----- for a cert file. What you get determines how to validate it.

For this cert file, I can unpack it with:

Code:

openssl x509 -in foo.pem -noout -text

sundialsvcs · 09-30-2021, 05:20 PM

Once you have successfully decompressed a certificate file into text, as smallpond has demonstrated, you should be able to examine it. What bothers me about your original post is that the software seems to be saying that it cannot find a line of text in the text-version content. Can you perhaps post the actual content, of course cutting-out the Base64 lines of (irrelevant to us) crypto material?

JockVSJock · 10-01-2021, 07:23 AM

Quote:

Originally Posted by smallpond

Pems are used for different functions. The first line of the pem should give the purpose, for example: -----BEGIN CERTIFICATE----- for a cert file. What you get determines how to validate it.

For this cert file, I can unpack it with:

Code:

openssl x509 -in foo.pem -noout -text

Code:

[user_a@host_a nexus_certs_creation]$ openssl x509 -in host_a.enclave.pem -noout -text
unable to load certificate
140290648704832:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Odd...same error as before with openssl verify command. Is it something in the way I'm generating the cert? There is a "-" character in the alias and file name. Would this make a difference?

JockVSJock · 10-01-2021, 07:25 AM

Quote:

Originally Posted by sundialsvcs

Can you perhaps post the actual content, of course cutting-out the Base64 lines of (irrelevant to us) crypto material?

I'm no keytool/keystore expert.

Are you referring to the commands that I'm using to generate the .pem file?

smallpond · 10-01-2021, 07:51 AM

In a bash shell, I can examine the pem file like this:

Code:

more /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# ACCVRAIZ1
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw

It shows the top line is an optional comment, the second line is the PEM purpose (CERTIFICATE), and the rest is the binary data encoded as text. Can you show the same for your file? You can leave out the binary data.

JockVSJock · 10-04-2021, 01:36 PM

So I don't have anything above BEGIN NEW CERTIFICATE REQUEST:

Code:

-----BEGIN NEW CERTIFICATE REQUEST-----
***** Binary content here *****
-----END NEW CERTIFICATE REQUEST-----

Is that bad or a problem with the .pem when generating it?