Thursday, August 18, 2011

openssl error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

I had a problem today where Java keytool could read an X.509 certificate file, but openssl could not. Immediately, I thought, "Oh, it must be in DER instead of PEM," but it was in PEM (plain text). Then I remembered something I stumbled upon months ago: openssl is picky about PEM certificate formatting.

1. The file must contain:
-----BEGIN CERTIFICATE-----
on a separate line (i.e. it must be terminated with a newline).
2. Each line of base64 "gibberish" must be 64 characters wide.
3. The file must end with:
-----END CERTIFICATE-----
and also be terminated with a newline.
4. Don't save the cert text with Word. It must be plain ASCII.
5. Don't mix DOS and UNIX style line terminations.

So, here are a few steps you can take to normalize your certificate:
1. Run it through dos2unix (it rewrites the file in place)
dos2unix cert.pem
2. Run it through fold (it writes to stdout, so redirect to a new file)
fold -w 64 cert.pem > cert-fixed.pem
Note that fold only splits lines that are longer than 64 characters; if the body is already wrapped at some other width, join the base64 lines back together first, then fold.
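The dos2unix + fold pipeline covers the common case of a body that arrives as one long line, but it will not rejoin lines wrapped at another width, strip a BOM, or add a missing trailing newline. The script below is an added example, not part of the original post: it lints a PEM file against the five rules above and rewrites every PEM block it finds into the strict layout (64-column body, markers alone on their lines, LF endings, trailing newline), validating the base64 and the DER SEQUENCE tag along the way. It also undoes literal "\n" escape sequences, the shape a certificate takes when pasted out of a JSON API response. The function names `lint_pem` and `normalize_pem` are my own, and the certificate bytes in the sample are a constructed placeholder (a fake DER blob that merely starts with the SEQUENCE tag), not a real certificate.

```python
"""Lint and normalize PEM files so strict decoders (e.g. old OpenSSL) accept them."""
import base64
import re

# One PEM block, tolerant of any whitespace (or none) around the markers.
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
MARKER = re.compile(r"-----(BEGIN|END) [A-Z0-9 ]+-----")
BASE64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def lint_pem(text: str) -> list:
    """Return the rules from the post that `text` breaks; an empty list means clean."""
    problems = []
    if any(ord(c) > 127 for c in text):
        problems.append("rule 4: non-ASCII characters (BOM or word-processor output)")
    if "\r" in text:
        problems.append("rule 5: carriage returns (DOS line endings)")
    if not text.endswith("\n"):
        problems.append("rules 1/3: last line is not newline-terminated")
    in_body, body = False, []
    for line in text.replace("\r", "").lstrip("\ufeff").split("\n"):
        m = MARKER.fullmatch(line)
        if m and m.group(1) == "BEGIN":
            in_body, body = True, []
        elif m:  # END marker alone on its line: check the body we collected
            if any(len(b) != 64 for b in body[:-1]) or (body and len(body[-1]) > 64):
                problems.append("rule 2: base64 lines are not 64 characters wide")
            in_body = False
        elif "-----BEGIN " in line or "-----END " in line:
            problems.append("rules 1/3: a BEGIN/END marker shares its line with other text")
            in_body = False
        elif in_body:
            body.append(line)
    return problems


def normalize_pem(text: str, width: int = 64) -> str:
    """Rewrite every PEM block in `text` into the strict layout, validating the base64."""
    # Undo literal "\n" escapes (a cert pasted out of a JSON API response), then drop
    # carriage returns and the UTF-8 BOM a Windows editor may have prepended.
    text = text.replace("\\r", "").replace("\\n", "\n").replace("\r", "").lstrip("\ufeff")
    out = []
    for m in BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        if not BASE64_BODY.fullmatch(body) or len(body) % 4:
            raise ValueError(f"{label}: body is not valid base64 (stray characters?)")
        der = base64.b64decode(body, validate=True)
        # A DER certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
        if label == "CERTIFICATE" and der[:1] != b"\x30":
            raise ValueError("CERTIFICATE: decoded bytes do not start with a SEQUENCE")
        lines = [f"-----BEGIN {label}-----"]
        lines += [body[i:i + width] for i in range(0, len(body), width)]
        lines.append(f"-----END {label}-----")
        out.append("\n".join(lines))
    if not out:
        raise ValueError("no -----BEGIN ...-----/-----END ...----- pair found")
    return "\n".join(out) + "\n"


# Constructed sample, not a real certificate: a fake DER blob that merely starts with
# the SEQUENCE tag, wrapped at 76 columns with CRLF endings, a BOM, and no final newline.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(FAKE_DER).decode("ascii")
MESSY_PEM = ("\ufeff-----BEGIN CERTIFICATE-----\r\n"
             + "\r\n".join(SAMPLE_B64[i:i + 76] for i in range(0, len(SAMPLE_B64), 76))
             + "\r\n-----END CERTIFICATE-----")

if __name__ == "__main__":
    for problem in lint_pem(MESSY_PEM):
        print("before:", problem)
    fixed = normalize_pem(MESSY_PEM)
    print(fixed, end="")
    print("after:", lint_pem(fixed) or "clean")
```

Because the normalizer works per block, it also repairs a chain built by cat'ing files together without a newline between them (the END marker of one cert glued to the BEGIN marker of the next), which is the "no start line" situation. A body that is not valid base64 at all, for example smart quotes or HTML left by an editor, raises a ValueError rather than producing a file that merely looks right.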

I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!

* OpenSSL 0.9.7a Feb 19 2003


  1. Thanks so much!

    Option 3 to normalize your certificate: Open it in WordPad. Count 64 characters over from the left, then make all the following lines the same length as that first one. :)

  2. Thank you very much. It did indeed save much of what hair I have remaining.

    This solved my problem trying to get SSL certificates from 123-reg to work with nginx.

    Another error I was hitting is "PEM_read_bio:no start line error", which came from blindly cat'ing the files together (as instructed by nginx).

  3. I had the same problem on windows:

    3624:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:.\crypto\pem\pem_lib.c:805:

    dos2unix didn't work for me, so I just opened the cert in the Windows cert shell extension, clicked "Copy to file" and created a copy of the certificate and used that. Worked fine.

  4. Opening the file in windows and saving it worked.

  5. `I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!`
    Well it did, thank you :)

  6. Awesome!! It worked for me and saved my day :)

  7. I pulled a "lost" cert from AWS IAM (it is possible) and the format that it came out required the removal of all of the "\n" characters, restructuring the Begin and End lines, and also the "fold -w 64 whatever.pem" in order to get it back to a state where I could run the standard "openssl x509 -in whatever.pem -noout -text" on it.

  8. Steps 1, 2, 3 worked for me. Thank you.

  9. Fantastic article. Got my issue resolved with this.