toDerInputStream rejects tag type 77

前一段时间有遇到一个很古老的关于证书的报错（toDerInputStream rejects tag type 77），异常罕见，这里有一些信息可以分享给大家。
原网站链接好像已经失效了（https://developer.salesforce.com/forums/?id=906F0000000904dIAA）
信息如下：

Yes, we solved this issue. I think the exception message is kind of misleading.

Basically, it looks like Salesforce doesn't support DER/PEM certificates and it can accept only PKCS#12 as it can contian both the certificate (and the intermediate certificates and signer certificate) and the private key in a standardized manner. Check if you are using the PEM/DER; if it is, try to export the certificate in PKCS#12 format.

In my case, the issue was little different. I did exported as PKCS#12 from IBM WebSphere Cast Iron, but I extracted only the private key from the .PFX file and embedded into the code. With the help of Salesforce support, we found that we had to base64 encode the entire certificate and embed it into the code. The process works like this:

1. Import the signed certificate into Windows Certificates MMC

2. Export this certificate by right clicking the certificate->All Tasks->Export.

3. Click 'Next' and choose 'Yes, export the private key'.

4. Click 'Next' and choose 'Personal Information Exchange - PKCS # 12 (.PFX) option. Make sure you uncheck all the sub options.

5. Enter the password and the Confirm password and click 'Next'.

6. Specify the file name and click 'Next' and click 'Finish'.

7. Install the windows distribution of openssl (http://www.slproweb.com/products/Win32OpenSSL.html) and install in your workstation.

8. Create a folder 'myca' and copy the file that you created in the last step.

9. Open a command prompt and navigate to this folder and run the following commands from the command prompt

a. set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg (change the path if necessary)

b. set PATH=%PATH%;C:\openssl-win32\bin

c. openssl

d. base64 -in <input file name> -out <output file name>.

10. Open the output file in any text editor and copy the encoded text and embed into your code.

This fixed the issue in my case. Note that this is required only if you use the legacy method of using the certificates generated from the CSR that you created outside of Salesforce. Salesforce recommends to generate the CSR from them itself (Setup->Security Controls->Certificate and Key Management). This way, the private key is not shared outside of the salesforce.

Regards,

Hari Krishnan.

翻译为中文如下：

是的，我们解决了这个问题。我认为异常信息有点误导人。

基本上，看起来Salesforce不支持DER/PEM证书，它只能接受PKCS#12，因为它可以以标准化的方式包含证书（和中间证书和签发者证书）以及私钥。检查一下你是否在使用PEM/DER；如果是的话，尝试以PKCS#12格式导出证书。

在我的情况下，问题有点不同。我从IBM WebSphere Cast Iron中导出为PKCS#12，但我只从.PFX文件中提取了私钥并嵌入到了代码中。在Salesforce的帮助下，我们发现我们必须对整个证书进行base64编码并嵌入到代码中。流程如下：

将签名证书导入Windows证书MMC。

通过右键单击证书->所有任务->导出来导出此证书。

点击“下一步”，选择“是，导出私钥”。

点击“下一步”，选择“个人信息交换 - PKCS # 12 (.PFX)”选项。确保取消选中所有子选项。

输入密码和确认密码，然后点击“下一步”。

指定文件名，然后点击“下一步”，再点击“完成”。

安装Windows版本的openssl（http://www.slproweb.com/products/Win32OpenSSL.html）并在您的工作站上安装。

创建一个名为'myca'的文件夹，并复制您在上一步创建的文件。

打开命令提示符并导航到此文件夹，然后从命令提示符运行以下命令

a. set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg（如果需要，更改路径）

b. set PATH=%PATH%;C:\openssl-win32\bin

c. openssl

d. base64 -in <输入文件名> -out <输出文件名>

在任何文本编辑器中打开输出文件，并复制编码文本并嵌入到您的代码中。

在我的情况下，这解决了问题。请注意，只有在您使用从Salesforce之外创建的CSR生成的证书的传统方法时才需要这样做。Salesforce建议从他们自己那里生成CSR（设置->安全控件->证书和密钥管理）。这样，私钥就不会在Salesforce之外共享。

致意，

Hari Krishnan.