I had a problem today where Java keytool could read a X509 certificate file, but openssl could not. Immediately, I thought, "Oh, it must be in DER instead of PEM," but it was in PEM (plain text). Then I remembered something I stumbled upon months ago: openssl is picky about PEM certificate formatting.
1. The file must contain:
-----BEGIN CERTIFICATE-----
on a separate line (i.e. it must be terminated with a newline).
2. Each line of "gibberish" must be 64 characters wide.
3. The file must end with:
-----END CERTIFICATE-----
and also be terminated with a newline.
4. Don't save the cert text with Word. It must be in ASCII.
5. Don't mix DOS and UNIX style line terminations.
So, here are a few steps you can take to normalize your certificate:
1. Run it through dos2unix
dos2unix cert.pem
2. Run it through fold
fold -w 64 cert.pem
I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!
Pre-req's:
* OpenSSL 0.9.7a Feb 19 2003
* RHEL5
