I had a problem today where Java keytool could read an X509 certificate file, but openssl could not. Immediately I thought, "Oh, it must be in DER instead of PEM," but it was in PEM (plain text). Then I remembered something I had stumbled upon months ago: openssl is picky about PEM certificate formatting.
1. The file must contain:
-----BEGIN CERTIFICATE-----
on a separate line (i.e. it must be terminated with a newline).
2. Each line of the base64 body (the "gibberish") must be 64 characters wide.
3. The file must end with:
-----END CERTIFICATE-----
and that line must also be terminated with a newline.
4. Don't save the cert text with Word; it must be plain ASCII.
5. Don't mix DOS and UNIX style line terminations.
So, here are a few steps you can take to normalize your certificate:
1. Run it through dos2unix
dos2unix cert.pem
2. Run it through fold
fold -w 64 cert.pem
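The two steps above, combined into one script, as an added example that is not from the original post. Note that fold -w 64 on its own only works when the body is one long line: applied to a file whose lines are already 76 characters wide, fold produces alternating 64- and 12-character lines, which openssl rejects just the same, so this script joins each base64 body onto one line before re-folding it. pem_check tests a file against rules 1 to 3 and 5 above; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the post): normalize a PEM certificate file so that
# OpenSSL's PEM reader accepts it, then check it against the rules above.
# Works on a file holding several certificates (e.g. a cat'ed chain).

# normalize_pem IN OUT: strip DOS line endings, join each base64 body onto one
# line and re-fold it at 64 columns, keep BEGIN/END markers on their own lines.
normalize_pem() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN / { print; inbody = 1; body = ""; next }
        /^-----END / {
            for (i = 1; i <= length(body); i += 64) print substr(body, i, 64)
            inbody = 0; print; next
        }
        inbody { gsub(/[ \t]+/, ""); body = body $0; next }
        { print }   # text outside a certificate block is passed through as-is
    ' > "$2"
}

# pem_check FILE: returns 0 when FILE follows the formatting rules listed above.
pem_check() {
    f="$1"
    # rule 5: no carriage returns anywhere in the file
    [ "$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')" -eq 0 ] || return 1
    # rule 3: the last line is newline-terminated ($(...) strips a trailing newline)
    [ -z "$(tail -c 1 "$f")" ] || return 1
    # rules 1-3: markers on their own lines, every body line exactly 64 wide
    # except possibly the last one of each block, and at least one complete block
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inbody = 1; prev = 0; next }
        /^-----END CERTIFICATE-----$/   { if (!inbody) exit 1; inbody = 0; seen = 1; next }
        inbody {
            if ((prev && prev != 64) || length($0) > 64) exit 1
            prev = length($0)
        }
        END { if (inbody || !seen) exit 1 }
    ' "$f"
}
```

After normalizing, openssl x509 -in cert.pem -noout -text is the real test that the file now parses.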
I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!
Prerequisites:
* OpenSSL 0.9.7a Feb 19 2003
* RHEL5
Thanks so much!
Option 3 to normalize your certificate: Open it in WordPad. Count 64 characters over from the left, then make all the following lines the same length as that first one. :)
Solved my problem. Thank you sir.
Fantastic ... thank you mate!
Thank you very much. It did indeed save much of what hair I have remaining.
This solved my problem trying to get SSL certificates from 123-reg to work with nginx.
Another error I was hitting is "PEM_read_bio:no start line error", which came from blindly cat'ing the files together (as instructed by nginx).
I had the same problem on Windows:
3624:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:.\crypto\pem\pem_lib.c:805:
dos2unix didn't work for me, so I just opened the cert in the Windows cert shell extension, clicked "Copy to file" and created a copy of the certificate and used that. Worked fine.