Tags: ubuntu, openssl, lets-encrypt

Unable to open SSL private key [Expecting: TRUSTED CERTIFICATE]


I generated SSL certificate with Let's Encrypt and they generated the files:

cert.pem | chain.pem | fullchain.pem | privkey.key | privkey.pem

With the following command I can successfully open all the files except privkey.key and privkey.pem:

openssl x509 -in [filename] 

This is the error message:

unable to load certificate 140505945014720:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Some articles suggest that we need to convert to .der extension using the command below, but the same error remains ('unable to load'):

openssl x509 -in privkey.pem -outform der -out privkey.der

Solution

  • Private keys aren't certificates and x509 is for certificates. See https://www.openssl.org/docs/man1.1.1/man1/x509.html for information about what x509 can do, if you like.

    To look at the private keys, you want pkey.
    https://www.openssl.org/docs/man1.1.1/man1/openssl-pkey.html

    Some articles suggest that we need to convert to .der extension

    Probably to solve a different problem with the same error message. It will be shown any time openssl x509 tries to read invalid input:

    $ openssl x509  <<<"not a cert"
    unable to load certificate
    140736021758920:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: TRUSTED CERTIFICATE
    

    Future readers, take care so you don't chase wild geese. That particular message basically means "invalid cert provided" but if you search for it you'll see a lot of information online about how to fix your cert, which won't be the same in every case. So you have to really slow down and take a look at what's going on if you see this error. It's absolutely true that some certificate formats have to be changed to a different format for x509. But all the errors will be the same.

    For the record, filename "extension" is basically meaningless at the unix command line. openssl x509 doesn't base anything on the part of the filename after the last ".", nor do most other programs (one notable exception is vim, which uses it to guess syntax highlighting if enabled). But if you want to convert from PEM to DER or any other file format, that's not about renaming the file, it's about changing its content - with another openssl invocation, most likely. It's not about what you name them, it's what's inside.
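The answer's two points, that the file's content rather than its extension decides which tool applies and that x509 is only for certificates, can be turned into a small dispatcher. The script below is an added example and not part of the question or answer: it reads the first `-----BEGIN ...-----` label of a PEM file and picks the matching openssl subcommand (x509 for certificates, req for CSRs, pkey for private and public keys). It assumes an `openssl` binary of 1.1.1 or later (for the `-text_pub` option) and PEM input; a file with no PEM header is reported as a candidate for `-inform der` rather than fed to x509.

```shell
#!/bin/sh
# Added example, not from the original post: choose the openssl subcommand
# from the PEM header inside the file, never from the filename extension.

# Print the label of the first PEM block in the file, e.g. "CERTIFICATE" or
# "PRIVATE KEY". Returns 1 when the file carries no PEM header at all.
pem_block_type() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    [ -n "$label" ] || return 1
    printf '%s\n' "$label"
}

# Map the PEM label to the openssl subcommand that can actually parse it.
# Returns 1 for non-PEM input and 2 for a PEM label this script does not know.
openssl_cmd_for() {
    label=$(pem_block_type "$1") || return 1
    case "$label" in
        CERTIFICATE|"TRUSTED CERTIFICATE")                echo "x509" ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST")  echo "req" ;;
        *"PRIVATE KEY")                                   echo "pkey" ;;   # PKCS#8, RSA, EC, encrypted
        "PUBLIC KEY")                                     echo "pubkey" ;;
        *) echo "unsupported PEM block: $label" >&2; return 2 ;;
    esac
}

# Show the useful, non-secret parts of whatever the file contains.
inspect_pem() {
    f=$1
    cmd=$(openssl_cmd_for "$f") || {
        echo "$f: no PEM header found; if it is binary DER, retry with -inform der" >&2
        return 1
    }
    case "$cmd" in
        x509)   openssl x509 -in "$f" -noout -subject -issuer -dates ;;
        req)    openssl req  -in "$f" -noout -subject ;;
        # Print only the public half of a private key so no secret material
        # ends up in a terminal log or ticket.
        pkey)   openssl pkey -in "$f" -noout -text_pub ;;
        pubkey) openssl pkey -pubin -in "$f" -noout -text ;;
    esac
}

# Usage: inspect.sh cert.pem chain.pem fullchain.pem privkey.pem
for f in "$@"; do
    echo "== $f"
    inspect_pem "$f"
done
```

Run it over the Let's Encrypt output set and each file is handed to the right subcommand; the "Expecting: TRUSTED CERTIFICATE" message no longer appears for privkey.pem because x509 is never asked to read a key.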