RE: cannot read PEM key file - no start line

Liz Fall Mon, 08 Sep 2014 20:18:55 -0700

Viktor and all:

Thanks for your response.


I am trying to connect to a MongoDB SSL-enable database.  This is the API:

#include "mongo/util/net/ssl_options.h"
#include "mongo/client/init.h"
  
int main() {
    sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL);
     
    // only really need a PEM on the server side
    mongo::sslGlobalParams.sslPEMKeyFile = "<path/to/keyfile.pem>";
  
    mongo::Status status = mongo::client::initialize();
  
    if (!status.isOK())
        ::abort();
  
    DBClientConnection c;
    c.connect("hostname.whatever.com"); // outgoing connections are SSL
}

My question to MongoDB support was:  From the code above, the comment states
that there is only a need of a PEM on the server side. What identifies the
"key store" on the C++ client server? Is as key store not required on the
C++ linux server where my application is running?

MongoDB support response was:  That is correct. For encrypted communications
only the MongoDB server needs a PEM file.

I am just not sure what I am supposed to be providing as far as the
sslPEMKeyFile.  I have these certificates:

.       DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem
.       private key of DTCD9C3B2F42757.ent.wfb.bank.corp machine
.       certificate for DTCD9C3B2F42757.ent.wfb.bank.corp, signed by WF
Enterprise CA 02
 
.       DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem
.       WF Enterprise CA 02 certificate, signed by WF Root
.       WF Root certificate


Can someone please help clarify this?  

Thanks,
Liz 

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, September 08, 2014 7:54 PM
To: openssl-users@openssl.org
Subject: Re: cannot read PEM key file - no start line

On Mon, Sep 08, 2014 at 07:44:56PM -0700, Liz Fall wrote:

> This is what my cert looks like below:  What are you saying I should do?
> Thanks for the clarification.

These are the certificates for an intermediate CA and the issuing root CA.
Generally, you'd append these to a certificate file with the server
certificate as the first entry, and a corresponding private key in some
other (not world-readable) file.

subject= /C=US/O=Wells Fargo/OU=Wells Fargo Certificate Authorities/CN=Wells
Fargo Enterprise CA 02 issuer= /C=US/O=Wells Fargo/OU=Wells Fargo
Certification Authority/CN=Wells Fargo Root Certificate Authority
notBefore=May 28 18:17:26 2009 GMT notAfter=May 28 18:17:26 2019 GMT
SHA1 Fingerprint=DD:B1:96:37:D9:9D:EC:8F:05:A2:B1:38:BC:11:D4:AF:ED:0A:BE:39
-----BEGIN CERTIFICATE-----
MIIFrDCCBJSgAwIBAgIEQLJp/DANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSwwKgYDVQQLEyNXZWxscyBGYXJnbyBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0GA1UEAxMmV2VsbHMgRmFyZ28gUm9v
dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNTI4MTgxNzI2WhcNMTkwNTI4
MTgxNzI2WjB4MQswCQYDVQQGEwJVUzEUMBIGA1UEChMLV2VsbHMgRmFyZ28xLDAq
BgNVBAsTI1dlbGxzIEZhcmdvIENlcnRpZmljYXRlIEF1dGhvcml0aWVzMSUwIwYD
VQQDExxXZWxscyBGYXJnbyBFbnRlcnByaXNlIENBIDAyMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAm1mEVgXlHHbd4DrKFIROTf6Q5JwzJEtjFiWN4lQs
EvKeVN1p7/ua16c0gFhizQvuD002pttUG7Tn6uUonUYxJajD2TnykAQu1m5Ks1gi
sNgYCGzH8tluKeWYANppSRt5F1Is3YtsNOGiYtVFnZf3FejOzVWkhnT5rYXjTf9O
su5KK1Jh7NywbFU5P2ytC4h/M9xnlHuCjy7RBmN956iG7Eb+BBrvo7ZfTfzWuFzm
vficKovoDbZOloLHHsRzj2iQ2euY+xW/g+Zn1lHPQCZfTdLgPUcnV7qpP+1fRVy5
hNLQTw3nBrNa5RLIZK8RBpY6kig4wWhyNKP+9Ssc2m34lQIDAQABo4ICMTCCAi0w
DwYDVR0TAQH/BAUwAwEB/zCBgwYDVR0gBHwwejA7BgtghkgBhvt7g3QAADAsMCoG
CCsGAQUFBwIBFh5odHRwOi8vd3d3LndlbGxzZmFyZ28uY29tL2Nwcy8wOwYLYIZI
AYb7e4N0AAEwLDAqBggrBgEFBQcCARYeaHR0cDovL3d3dy53ZWxsc2ZhcmdvLmNv
bS9jcHMvMHcGCCsGAQUFBwEBBGswaTAwBggrBgEFBQcwAYYkaHR0cDovL29jc3At
cm9vdC5wa2kud2VsbHNmYXJnby5jb20vMDUGCCsGAQUFBzAChilodHRwOi8vY3Js
LnBraS53ZWxsc2ZhcmdvLmNvbS93Zl9yb290LmNydDAOBgNVHQ8BAf8EBAMCAfYw
gbIGA1UdIwSBqjCBp4AUFK8Y973m52vjWvrqUe/+1FpxOcChgYikgYUwgYIxCzAJ
BgNVBAYTAlVTMRQwEgYDVQQKEwtXZWxscyBGYXJnbzEsMCoGA1UECxMjV2VsbHMg
RmFyZ28gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxLzAtBgNVBAMTJldlbGxzIEZh
cmdvIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggQ55JeeMDcGA1UdHwQwMC4w
LKAqoCiGJmh0dHA6Ly9jcmwucGtpLndlbGxzZmFyZ28uY29tL3Jvb3QuY3JsMB0G
A1UdDgQWBBTEq0W2OgsBHGJcyj/H480vMMRX1zANBgkqhkiG9w0BAQUFAAOCAQEA
LUIw6yFNj7mrTSIuqtT6rsAXgKApylI3HtepbWa6qxEmmDDjCAaOxXZKShTxBQa6
qSpYFg0KFxqKsNiot8CAEMxXcapr5OLwytTFvnDSRa9H+mlLT6jpZi8C3fbqEvbV
eh7NjT4oj8fNbsf13UgN0xxlgiez47locWVADdYP/RucG31o+8OqJaZ/+AWsc+B6
LoQ9jaYlYaiXXERQopLS8dxTeGp8pvmdYK4ghHG/AwLW0fEcaqQOqrBcf8A+3/RQ
YEdJ62vZ8Q9T6HwbdPr0zToqeVM5i+DgLjy2fq1eEp6a5In0N78tkgEr8NPlpPgb
93C6T8kNYioQY20dNklqLQ==
-----END CERTIFICATE-----

subject= /C=US/O=Wells Fargo/OU=Wells Fargo Certification Authority/CN=Wells
Fargo Root Certificate Authority issuer= /C=US/O=Wells Fargo/OU=Wells Fargo
Certification Authority/CN=Wells Fargo Root Certificate Authority
notBefore=Oct 11 16:41:28 2000 GMT notAfter=Jan 14 16:41:28 2021 GMT
SHA1 Fingerprint=93:E6:AB:22:03:03:B5:23:28:DC:DA:56:9E:BA:E4:D1:D1:CC:FB:65
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIEOeSXnjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSwwKgYDVQQLEyNXZWxscyBGYXJnbyBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0GA1UEAxMmV2VsbHMgRmFyZ28gUm9v
dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDAxMDExMTY0MTI4WhcNMjEwMTE0
MTY0MTI4WjCBgjELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSww
KgYDVQQLEyNXZWxscyBGYXJnbyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0G
A1UEAxMmV2VsbHMgRmFyZ28gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVqDM7Jvk0/82bfuUER84A4n13
5zHCLielTWi5MbqNQ1mXx3Oqfz1cQJ4F5aHiidlMuD+b+Qy0yGIZLEWukR5zcUHE
SxP9cMIlrCL1dQu3U+SlK93OvRw6esP3E48mVJwWa2uv+9iWsWCaSOAlIiR5NM4O
JgALTqv9i86C1y8IcGjBqAr5dE8Hq6T54oN+J3N0Prj5OEL8pahbSCOz6+MlsoCu
ltQKnMJ4msZoGK43YjdeUXWoWGPAUe5AeH6orxqg4bB4nVCMe+ez/I4jsNtlAHCE
AQgAFG5Uhpq6zPk3EPbg3oQtnaSFN9OH4xXQwReQfhkhahKpdv0SAulPIV4XAgMB
AAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wTAYDVR0gBEUwQzBBBgtghkgBhvt7hwcB
CzAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LndlbGxzZmFyZ28uY29tL2NlcnRw
b2xpY3kwDQYJKoZIhvcNAQEFBQADggEBANIn3ZwKdyu7IvICtUpKkfnRLb7kuxpo
7w6kAOnu5+/u9vnldKTC2FJYxHT7zmu1Oyl5GFrvm+0fazbuSCUlFLZWohDo7qd/
0D+j0MNdJu4HzMPBJCGHHt8qElNvQRbn7a6U+oxy+hNH8Dx+rn0ROhPs7fpvcmR7
nX1/Jv16+yWt6j4pf0zjAFcysLPp7VMX2YuyFA4w6OXVE8Zkr8QA1dhYJPz1j+zx
x32l2w8n0cbyQIjmH/ZhqPRCyLk306m+LFZ4wnKbWV01QIroTmMatukgalHizqSQ
33ZwmVxwQ023tqcZZE6St8WRPH9IFmV7Fv3L/PvZ1dZPIWU7Sn9Ho/s=
-----END CERTIFICATE-----

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

RE: cannot read PEM key file - no start line

Reply via email to