Hi Jeff,


Please find the certificates attached.



openssl x509 -in DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pembackup -inform PEM -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1085434364 (0x40b269fc)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Wells Fargo, OU=Wells Fargo Certification Authority, CN=Wells Fargo Root Certificate Authority
        Validity
            Not Before: May 28 18:17:26 2009 GMT
            Not After : May 28 18:17:26 2019 GMT
        Subject: C=US, O=Wells Fargo, OU=Wells Fargo Certificate Authorities, CN=Wells Fargo Enterprise CA 02
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114171.500.0.0
                  CPS: http://www.wellsfargo.com/cps/
                Policy: 2.16.840.1.114171.500.0.1
                  CPS: http://www.wellsfargo.com/cps/

            Authority Information Access:
                OCSP - URI:http://ocsp-root.pki.wellsfargo.com/
                CA Issuers - URI:http://crl.pki.wellsfargo.com/wf_root.crt

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:14:AF:18:F7:BD:E6:E7:6B:E3:5A:FA:EA:51:EF:FE:D4:5A:71:39:C0
                DirName:/C=US/O=Wells Fargo/OU=Wells Fargo Certification Authority/CN=Wells Fargo Root Certificate Authority
                serial:39:E4:97:9E

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.pki.wellsfargo.com/root.crl

            X509v3 Subject Key Identifier:
                C4:AB:45:B6:3A:0B:01:1C:62:5C:CA:3F:C7:E3:CD:2F:30:C4:57:D7
    Signature Algorithm: sha1WithRSAEncryption


This is the C++ MongoDB API I am using to connect to the database:



#include <cstdlib>

#include "mongo/client/dbclient.h"
#include "mongo/client/init.h"
#include "mongo/util/net/ssl_options.h"

int main() {
    // Require SSL on every outgoing connection.
    mongo::sslGlobalParams.sslMode.store(mongo::SSLGlobalParams::SSLMode_requireSSL);

    // only really need a PEM on the server side
    mongo::sslGlobalParams.sslPEMKeyFile = "<path/to/keyfile.pem>";

    // Initialize the driver before creating any connection.
    mongo::Status status = mongo::client::initialize();
    if (!status.isOK())
        ::abort();

    mongo::DBClientConnection c;
    c.connect("hostname.whatever.com"); // outgoing connections are SSL
}



My question to MongoDB support was: From the code above, the comment states
that there is only a need of a PEM on the server side. What identifies the "key
store" on the C++ client server? Is a key store not required on the C++ Linux
server where my application is running?



MongoDB support response was:  That is correct. For encrypted communications 
only the MongoDB server needs a PEM file.



I am just not sure what I am supposed to be providing as far as the 
sslPEMKeyFile.  I have these certificates:



For MongoDB, the files are in PEM format:

- DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem
    - private key of DTCD9C3B2F42757.ent.wfb.bank.corp machine
    - certificate for DTCD9C3B2F42757.ent.wfb.bank.corp, signed by WF Enterprise CA 02
- DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem
    - WF Enterprise CA 02 certificate, signed by WF Root
    - WF Root certificate

I get these errors when trying to use each cert separately:

- 2014-09-03T13:46:42.186-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem error:0906406D:PEM routines:PEM_def_callback:problems getting password

- 2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line





Please let me know if you need any additional information.



Thanks for your help,

Liz

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jeffrey Walton
Sent: Tuesday, September 09, 2014 5:09 AM
To: OpenSSL Users List
Subject: Re: cannot read PEM key file - no start line







On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <f...@sbcglobal.net> wrote:

All,



I am getting the following with my client cert when trying to connect to an 
SSL-enabled MongoDB:



2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I just tried to duplicate with a key (not a certificate) that uses line breaks 
at 76 characters. I don't have a certificate because my routines don't support 
certificates. But it should reveal a little about the OpenSSL parser.

Reading the public and private keys was OK when the line size was 76 (see
below). So the OpenSSL parser is lenient during a read. This seems very
reasonable to me.

Reading an encrypted private key resulted in an error "PEM_read_bio:bad end
line:pem_lib.c:802" when the line size was 76 (see below). This kind of
surprised me.

Since you are receiving the "no start line" error (and not another error), I
would suspect you are reading an ASN.1/DER encoded certificate, and not a PEM
encoded certificate. The error occurred before anything related to line lengths.

Can you post the X509 certificate for inspection?

Jeff

**********



# Line breaks at 76

$ cat rsa-pub-xxx.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDse17vxd2lkVIxwt1gkipo0EZo3NdDhIvPRowZ
6hfRM1n3+8NlS4Qw76PvM1EMR9FXCFTBtv9zzZ7OkNH84LgG6mbNS28PuWeUFmMZumdLbT4KNu2U
pttFup08OUEIlrmkeP1GqMCfaVcbCfl0tScpCMeEhXUpiIvtzUin2kqGHQIDAQAB
-----END PUBLIC KEY-----

# Line breaks at 76
$ cat rsa-priv-xxx.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

# Line breaks at 76, password is "test"
$ cat rsa-enc-priv-xxx.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8878824B00BA92932DC5AA1E4A9F12E0

klcOjPvZmj/19sUcf031oUckm2YUw7nEp6UtSbs41OKd2TyRfveNl4vv3J8AzOh18AqPPSKR3chM
8lSvKIdcksieh8raqr2s5wMd8ds/mDkguoVWGVnN8f+FKoVTny7OMhXAbQhk2ZXwZMEU5Q8M/Jnj
3ZfrbgcLYH50UoPlkgD6Y0krcNB+TDJEMvErn7G6RedrDPOjQ2gFCmRSE6Yuqtcgl5JaVS+1UT8Z
4l+EMuUjQcBiwuSQNxgfwyGQ3g/2maluLJsEKHDQhAKufe2c7lXlK/0MdHY+q4RbNLmGBigHb97U
A5jTZl5+dBrQgtgPx7V13F/7EHT6m2KrYSDvfoPadcT65sT1ukoZF5rvbdRcN1QtVetVrymwM5XU
8CrlSz6tihleipPx27JUA7WQjIQc/Kk7R0e1dNB0oEkgd0i5+20bg+4/Keh0t5fwkXlyrCwjEItT
zoC0Hm2dvXG6BTm1OUyRL94DxStVmqRpwDbthbEUqxYWrxTgWKu+noGYu3xJFI6plKEHTY+YMxjm
azeyV8CE0HGwRXTBHpj47bekt5dpxMxZasgeIJqHrUI3am+CijdJTHQyHU3Zxk7rdiLha1inpN6M
Z+ImQxqzm22e4/KMnTxcZ7L6hNzCKXgAGZ9gdg2uV+fwwyFRwzLDWMbQFeYH10yHB6Ua6Wg2LZdr
+NTuJlrMykVULD382XszNMLFtJGl46lpJ9XKWTTIX4e5Fg5N1WSHS2gD8YLxtRzd9vM9ewsZOMtw
gqw5uK7GSJUo8FHKtYuLGKY0jnVHFm2VnYo+76RXQxmJyo+ANmALJCJENCZDMm0I0pRGgRVV
-----END RSA PRIVATE KEY-----

$ openssl rsa -in rsa-pub-xxx.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)

$ openssl rsa -in rsa-priv-xxx.pem -text -noout
Private-Key: (1024 bit)

$ openssl rsa -in rsa-enc-priv-xxx.pem -passin pass:test -text -noout
unable to load Private Key
140735192314332:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:




Attachment: DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem
Description: Binary data

Attachment: DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem
Description: Binary data
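
An added example, not code from this thread or from MongoDB or OpenSSL: a Python check that inspects a file intended for sslPEMKeyFile and reports which of the two errors quoted in the thread its layout would lead to. It assumes the loader needs a CERTIFICATE block and an unencrypted private key block in the same file; the function name and the sample blobs are constructed for illustration.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY",
              b"DSA PRIVATE KEY", b"ENCRYPTED PRIVATE KEY"}

def diagnose_key_file(data: bytes) -> list:
    """List the reasons a certificate-plus-key PEM file would fail to load."""
    blocks = PEM_BLOCK.findall(data.replace(b"\r\n", b"\n"))
    if not blocks:
        # No BEGIN line at all; 0x30 is the ASN.1 SEQUENCE tag that opens DER.
        kind = "DER" if data[:1] == b"\x30" else "unknown data"
        return [f"not PEM ({kind}): 'no start line'"]
    findings, has_key, has_cert = [], False, False
    for begin, body, end in blocks:
        label = begin.decode()
        headers, sep, b64 = body.partition(b"\n\n")
        if not sep:  # no header section, so the whole body is base64
            headers, b64 = b"", body
        if begin != end:
            findings.append(f"{label}: END line does not match BEGIN line")
        try:
            base64.b64decode(b"".join(b64.split()), validate=True)
        except binascii.Error:
            findings.append(f"{label}: body is not valid base64")
        if begin in KEY_LABELS:
            has_key = True
            if begin == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in headers:
                findings.append(f"{label}: encrypted, 'problems getting password' "
                                "unless a passphrase is supplied")
        has_cert = has_cert or begin == b"CERTIFICATE"
    if not has_key:
        findings.append("no private key block: key load ends in 'no start line'")
    if not has_cert:
        findings.append("no CERTIFICATE block")
    return findings

# Constructed samples: the base64 bodies are dummies, not real keys or certificates.
CERT = b"-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"
ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           b"QUJDRA==\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nQUJDRA==\n-----END PRIVATE KEY-----\n"
```

Passing the raw bytes of a candidate file to diagnose_key_file returns an empty list when the layout is loadable. The check looks only at PEM framing and block types, not at whether the key matches the certificate.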
