Thursday, August 18, 2011

openssl error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

I had a problem today where Java keytool could read an X509 certificate file, but openssl could not. Immediately, I thought, "Oh, it must be in DER instead of PEM," but it was in PEM (plain text). Then I remembered something I stumbled upon months ago: openssl is picky about PEM certificate formatting.

1. The file must contain:
-----BEGIN CERTIFICATE-----
on a separate line (i.e. it must be terminated with a newline).
2. Each line of "gibberish" must be 64 characters wide.
3. The file must end with:
-----END CERTIFICATE-----
and also be terminated with a newline.
4. Don't save the cert text with Word. It must be in ASCII.
5. Don't mix DOS and UNIX style line terminations.

So, here are a few steps you can take to normalize your certificate:
1. Run it through dos2unix
dos2unix cert.pem
2. Run it through fold (fold writes to standard output, so redirect the result to a new file)
fold -w 64 cert.pem > cert-folded.pem
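
A stricter take on the two normalization steps above, as an added example that is not from the original post: `fold` only splits long lines and never joins short ones, so this sketch joins the base64 body and re-wraps it at 64 columns, and it also copes with a marker glued to the data and a missing final newline. The names `normalize_pem` and `make_sample` are hypothetical, and the sample input is constructed, not a real certificate.

```shell
#!/bin/sh
# Usage: normalize_pem cert.pem > cert-normalized.pem
normalize_pem() {
    # Strip DOS carriage returns, then rebuild each certificate block.
    tr -d '\r' < "$1" | awk -v b='-----BEGIN CERTIFICATE-----' \
                            -v e='-----END CERTIFICATE-----' '
    function emit(   i) {
        gsub(/[ \t]/, "", body)          # drop stray spaces and tabs
        print b                          # marker on its own line
        for (i = 1; i <= length(body); i += 64)
            print substr(body, i, 64)    # re-wrap the joined body at 64 columns
        print e                          # print supplies the final newline
    }
    {
        line = $0
        p = index(line, b)
        if (p > 0) {                     # marker may be glued to the data
            inside = 1; body = ""
            line = substr(line, p + length(b))
        }
        if (!inside) next                # ignore text outside a block
        q = index(line, e)
        if (q > 0) {
            body = body substr(line, 1, q - 1); emit(); inside = 0
        } else body = body line
    }'
}

# Constructed sample (not a real certificate): CRLF endings, an 80-column
# line, a short line with a trailing space, BEGIN marker glued to the data,
# and no newline after the END marker.
make_sample() {
    long=$(printf '%80s' '' | tr ' ' A)
    short=$(printf '%28s' '' | tr ' ' B)
    printf '%s%s\r\n%s \r\nAA==\r\n%s' '-----BEGIN CERTIFICATE-----' \
        "$long" "$short" '-----END CERTIFICATE-----'
}
```

With a real certificate, check the result with `openssl x509 -in cert-normalized.pem -noout -text`.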

I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!

Pre-req's:
* OpenSSL 0.9.7a Feb 19 2003
* RHEL5

8 comments:

  1. Thanks so much!

    Option 3 to normalize your certificate: Open it in WordPad. Count 64 characters over from the left, then make all the following lines the same length as that first one. :)

  2. Thank you very much. It did indeed save much of what hair I have remaining.

    This solved my problem trying to get ssl certificates from 123-reg to work with nginx.

    Another error I was hitting is "PEM_read_bio:no start line error"; which came from blindly cat'ing the files together (as instructed by nginx)

  3. I had the same problem on windows:

    3624:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:.\crypto\pem\pem_lib.c:805:

    dos2unix didn't work for me, so I just opened the cert in the Windows cert shell extension, clicked "Copy to file" and created a copy of the certificate and used that. Worked fine.

  4. Opening the file in windows and saving it worked.

  5. `I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!`
    Well it did, thank you :)
