Fillype Farias

Reputation: 660

Unable to open SSL private key [Expecting: TRUSTED CERTIFICATE]

I generated an SSL certificate with Let's Encrypt, and it generated the files:

cert.pem | chain.pem | fullchain.pem | privkey.key | privkey.pem

With the following command I can successfully open all the files except privkey.key and privkey.pem:

openssl x509 -in [filename] 

This is the error message:

unable to load certificate 140505945014720:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Some articles suggest that we need to convert to the .der extension using the command below, but the same error remains ('unable to load'):

openssl x509 -in privkey.pem -outform der -out privkey.der

Upvotes: 5

Views: 38196

Answers (2)

aaasdream game

Reputation: 1

I got the same problem. Try this to solve it:

openssl rsa -inform pem -in privkey.pem -outform der -out privkey.der

Upvotes: 0

erik258

Reputation: 16304

Private keys aren't certificates and x509 is for certificates. See https://www.openssl.org/docs/man1.1.1/man1/x509.html for information about what x509 can do, if you like.

To look at the private keys, you want pkey.
https://www.openssl.org/docs/man1.1.1/man1/openssl-pkey.html

Some articles suggest that we need to convert to .der extension

Probably to solve a different problem with the same error message. It will be shown any time openssl x509 tries to read invalid input:

$ openssl x509  <<<"not a cert"
unable to load certificate
140736021758920:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: TRUSTED CERTIFICATE

Future readers, take care so you don't chase wild geese. That particular message basically means "invalid cert provided" but if you search for it you'll see a lot of information online about how to fix your cert, which won't be the same in every case. So you have to really slow down and take a look at what's going on if you see this error. It's absolutely true that some certificate formats have to be changed to a different format for x509. But all the errors will be the same.

For the record, the filename "extension" is basically meaningless at the unix command line. openssl x509 doesn't base anything on the part of the filename after the last ., nor do most other programs (one notable exception is vim, which uses it to guess syntax highlighting if enabled). But if you want to convert from PEM to DER or any other file format, that's not about renaming the file, it's about changing its content - with another openssl invocation, most likely. It's not about what you name them, it's what's inside.

Upvotes: 14
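The point of the accepted answer is that the right openssl subcommand is decided by what the file contains, not by its name. The shell snippet below is an added example (it is not from the question or either answer) that reads the `-----BEGIN ...-----` header of a PEM file and maps it to `x509`, `pkey` or `req`, so a private key is never fed to `openssl x509` in the first place. The function names (`pem_label`, `openssl_cmd_for`, `inspect`) and the sample files it writes are assumptions of this example; the sample bodies are constructed placeholders, not real keys or certificates, so only the header-based dispatch is exercised, and the actual `openssl ... -text` call is only attempted when openssl is installed.

```shell
#!/bin/sh
# Added example: choose the openssl subcommand from the PEM header, not the
# file extension. Helper names are assumptions of this example.

# pem_label FILE -> the label of the first "-----BEGIN <label>-----" line,
# or an empty string if the file has no PEM header (DER, or just garbage).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# openssl_cmd_for FILE -> the openssl subcommand that can read FILE:
#   x509 for certificates, pkey for any private key (PKCS#8, RSA, EC),
#   req for certificate signing requests, "unknown" for non-PEM input.
openssl_cmd_for() {
    label=$(pem_label "$1")
    case "$label" in
        "CERTIFICATE"|"TRUSTED CERTIFICATE") echo x509 ;;
        "PRIVATE KEY"|"ENCRYPTED PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") echo pkey ;;
        "CERTIFICATE REQUEST") echo req ;;
        *) echo unknown ;;
    esac
}

# inspect FILE -> dump FILE in text form with the matching subcommand.
# Returns 1 when the file is not PEM, which is the case where the
# "no start line ... Expecting:" error would otherwise appear.
inspect() {
    cmd=$(openssl_cmd_for "$1")
    if [ "$cmd" = unknown ]; then
        echo "$1: no PEM header; file is not PEM (try -inform der, or check its contents)" >&2
        return 1
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; would run: openssl $cmd -in $1 -noout -text"
        return 0
    fi
    openssl "$cmd" -in "$1" -noout -text
}

# Constructed sample files (placeholder bodies, not real key or cert material).
SAMPLE_DIR=$(mktemp -d)
CERT_SAMPLE="$SAMPLE_DIR/cert.pem"
KEY_SAMPLE="$SAMPLE_DIR/privkey.pem"
RSA_KEY_SAMPLE="$SAMPLE_DIR/privkey.key"
JUNK_SAMPLE="$SAMPLE_DIR/privkey.der"

printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderCertificateBody==' '-----END CERTIFICATE-----' > "$CERT_SAMPLE"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEplaceholderPkcs8KeyBody==' '-----END PRIVATE KEY-----' > "$KEY_SAMPLE"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEplaceholderRsaKeyBody==' '-----END RSA PRIVATE KEY-----' > "$RSA_KEY_SAMPLE"
printf 'not a pem file at all\n' > "$JUNK_SAMPLE"

# Usage: report which subcommand each sample needs.
for f in "$CERT_SAMPLE" "$KEY_SAMPLE" "$RSA_KEY_SAMPLE" "$JUNK_SAMPLE"; do
    echo "$(basename "$f") -> openssl $(openssl_cmd_for "$f")"
done
```

With the sample files above, `cert.pem` maps to `x509`, both `privkey.pem` and `privkey.key` map to `pkey` regardless of their extension, and `privkey.der` (which here holds no PEM at all) maps to `unknown`, which is exactly the situation in which `openssl x509` prints `no start line ... Expecting: TRUSTED CERTIFICATE`. Checking the header first separates "wrong subcommand for this content" from "file is not PEM", the two cases the answer warns are easy to confuse because they share one error message.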
