"Public key certificate and private key doesn't match" when using a GoDaddy-issued certificate

I am trying to install a GoDaddy SSL certificate onto a new load balancer I set up on Amazon AWS. I originally created the certificate at GoDaddy using the keytool program, for installing directly on a Glassfish 3.1 server (Amazon Linux AMI). Setting it up directly on the server worked without any problems. Now I need to move the certificate from the web server to the new load balancer. Amazon requires the private key and certificate in PEM format, so I used GoDaddy's "rekey" tool to create new certificates. When I load these in the load balancer setup screen of the AWS Mgmt Console, I get the error message: "Public Key Certificate and Private Key doesn't match."

Here is how I created the keys:

$ openssl genrsa -des3 -out private.key 2048
$ openssl req -new -key private.key -out apps.mydomain.com.csr

I then submitted the CSR file to GoDaddy during the "rekey" process. Once the rekey completed, I downloaded the 2 newly created certs (apps.mydomain.com.crt & gd_bundle.crt). I chose (Apache) as the server type when downloading them (I also tried "other" and "Cpanel", but they all look the same).

At this point I removed the encryption from the private.key file using the following command:

$ openssl rsa -in private.key -out private.pem

At this point I went back to the AWS Mgmt Console, created the load balancer, added the secure server redirect, and pasted the contents of the following files into the respective fields on the screen that asks to set up the SSL certificate:

private.pem --> Private Key
apps.mydomain.com.crt --> Public Key Certificate
gd_bundle.crt --> Certificate Chain

When I click the "Continue" button I get the error "Error: Public Key Certificate and Private Key doesn't match."

Is there any way to test whether I am getting a valid error message from Amazon? It seems strange to me that the keys don't match when I followed GoDaddy's instructions very closely.

I have tried creating the private.key file without RSA encryption before creating the .CSR, and it doesn't seem to make any difference.

I am also assuming that the .CRT files I downloaded from GoDaddy are in .PEM format, but I don't know how to verify this.

Any ideas?

95814 views

Looks like the issue was the way in which I was copying the contents of the key and certs into the AWS Management console. I was using an Ubuntu desktop running in VirtualBox on a Windows 7 desktop, copying and pasting the values from a gedit screen into the browser running on the Windows box. Once I opened the key and cert files on the same box as the web browser (Windows in this case) the certs went through just fine. I'm guessing some parts of the file aren't making it over correctly when using the shared clipboard between the VirtualBox guest and host. Case closed.

Just for the record and anyone else who is trying to figure it out:

yourdomain.key -> terminal command: sudo openssl rsa -in yourdomain.key -outform PEM -out yourdomain.pem -> private key

yourdomain.crt -> public key

gd_bundle.crt -> certificate chain

and you're good to go :)

We found an alternate solution to this problem. We were having the same symptoms with the same error.

Then we tried reentering the pem codes one more time, but this time we made sure to hit enter one time and make sure the cursor was on a blank line at the end of each window. Then we saved it. IT WORKED.

This solved our problem, so it might solve it for others.

One little gotcha. I'm using a Windows box (Win 7 Pro) and when I used the Windows port of OpenSSL, the output files had Unix-style end-of-line characters (LF).

I had to convert the file to Windows style (CRLF) for the uploading of the private key.

For me, it was an easy two-step:

  1. Convert the private key to PEM:

    openssl rsa -in yourdomain.key -outform PEM

  2. Convert the certificate and certificate bundle to PEM:

    openssl x509 -inform PEM -in yourdomain.crt

    openssl x509 -inform PEM -in bundle.crt
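For the question's "is there any way to test this" and the line-ending gotcha in the answer above, here is an added check script (not from the question or any answer) that compares the public key inside the certificate with the one derived from the private key, confirms the .crt parses as PEM, and looks for CRLF bytes. It assumes openssl is on PATH, that the key is already decrypted (the private.pem produced by `openssl rsa`), and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or any answer): check locally whether
# the private key and certificate belong together, whether the .crt really is
# PEM, and whether a file carries CRLF line endings, before pasting anything
# into the AWS console. Assumes openssl on PATH and an already-decrypted key
# (e.g. private.pem from "openssl rsa -in private.key -out private.pem").
# File names are placeholders. Works for RSA and EC keys because it compares
# the public keys rather than RSA moduli.

# Print the public key in PEM form from a certificate ("cert") or a private
# key ("key"); non-zero status if the file cannot be parsed.
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -noout -pubkey -in "$2" ;;
        key)  openssl pkey -pubout -in "$2" ;;
        *)    echo "usage: pubkey_pem cert|key FILE" >&2; return 2 ;;
    esac
}

# 0 if KEY and CERT share a public key, 1 if they differ, 2 if either fails to parse.
key_matches_cert() {
    key_pub=$(pubkey_pem key "$1" 2>/dev/null) || return 2
    cert_pub=$(pubkey_pem cert "$2" 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# 0 if FILE parses as a PEM-encoded X.509 certificate (the format AWS expects).
is_pem_cert() {
    openssl x509 -inform PEM -noout -in "$1" >/dev/null 2>&1
}

# 0 if FILE contains carriage returns (CRLF line endings), 1 if it is LF-only.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Usage: sh check_pair.sh private.pem apps.mydomain.com.crt
if [ $# -eq 2 ]; then
    is_pem_cert "$2" && echo "certificate: PEM OK"   || echo "certificate: not PEM"
    has_crlf "$1"    && echo "private key: has CRLF" || echo "private key: LF only"
    key_matches_cert "$1" "$2"
    case $? in
        0) echo "key and certificate match" ;;
        1) echo "MISMATCH: this certificate was not issued for this key (wrong or re-keyed key)" ;;
        *) echo "could not parse the key or the certificate" ;;
    esac
fi
```

If the script reports a match but the console still rejects the pair, the problem is in the transfer (clipboard, line endings, missing trailing newline) rather than in the files.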

I can suggest an alternative solution and some information to you folks. Generally all certificates are in PEM file format. You can just open Notepad or any text editor and drag in the files which you received in .crt format, which is normally called a .PEM file. If the certificate is loaded in your keytool, you can export the certificate as a pfx file from keytool. Then you can separate the private key from the pfx file, because the pfx file is the combination of your certificate and the private key. So you can get the private key file separately and use it on your Amazon AWS.

I suspect there may be another way to install the certificate. Maybe you can contact the certificate authority and see whether there is any way to get your certificate reissued.