Thursday, August 18, 2011

openssl error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

I had a problem today where Java keytool could read an X.509 certificate file, but openssl could not. Immediately, I thought, "Oh, it must be in DER instead of PEM," but it was in PEM (plain text). Then I remembered something I stumbled upon months ago: openssl is picky about PEM certificate formatting.

1. The file must contain
   -----BEGIN CERTIFICATE-----
   on a line of its own (i.e. the header must be terminated with a newline).
2. Each line of base64 "gibberish" must be 64 characters wide.
3. The file must end with
   -----END CERTIFICATE-----
   and that line must also be terminated with a newline.
4. Don't save the cert text with Word. It must be plain ASCII text.
5. Don't mix DOS and UNIX style line terminations.

So, here are a few steps you can take to normalize your certificate:
1. Run it through dos2unix (it rewrites the file in place, converting CRLF to LF):
   dos2unix cert.pem
2. Run it through fold (fold writes to stdout, so redirect into a new file rather than reading the original back):
   fold -w 64 cert.pem > cert.fixed.pem
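The two steps above cover the common case, but fold only splits lines that are too long; it will not re-join lines that are shorter than 64 characters, strip stray whitespace, or turn literal backslash-n sequences (which some copy-and-paste paths produce, as commenters below describe) into real newlines. The script below is an added example, not part of the original post: normalize_pem does all of that with tr and awk, check_layout confirms the result matches the five rules above (without parsing the certificate, which stays openssl's job), and write_mangled_sample produces a constructed test input whose body is not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: a normalizer that does what dos2unix
# and fold do, but also re-joins short lines, strips stray whitespace, turns
# literal "\n" sequences into real newlines, and guarantees the trailing newline.
# Nothing here validates the base64 itself; that remains openssl's job.

# normalize_pem FILE  -> writes the normalized PEM block(s) to stdout.
# Text outside the BEGIN/END markers is dropped.
normalize_pem() {
    tr -d '\r' < "$1" |                         # DOS CRLF -> UNIX LF
    awk '{ gsub(/\\n/, "\n"); print }' |        # literal backslash-n -> newline
    awk '
        /^-----BEGIN / { inblock = 1; body = ""; print; next }
        /^-----END / {
            inblock = 0
            gsub(/[ \t]/, "", body)             # drop stray spaces/tabs
            while (length(body) > 64) {         # re-wrap the base64 at 64 columns
                print substr(body, 1, 64)
                body = substr(body, 65)
            }
            if (length(body) > 0) print body    # only the last line may be short
            print                               # END marker, newline-terminated
            next
        }
        inblock { body = body $0 }              # collect fragments, whatever their width
    '
}

# check_layout FILE  -> 0 if FILE has the layout the post describes: LF endings,
# both markers, 64-column body (last line may be shorter), trailing newline.
# It does not parse the certificate.
check_layout() {
    [ -z "$(tail -c 1 "$1")" ] || return 1      # $(...) strips a final newline; anything left means there was none
    awk '
        index($0, "\r")  { bad = 1 }            # a carriage return survived
        /^-----BEGIN /   { inblock = 1; seen_begin = 1; next }
        /^-----END /     { inblock = 0; seen_end = 1; short = 0; next }
        inblock {
            if (short)           bad = 1        # a short line that was not the last body line
            if (length($0) > 64) bad = 1
            if (length($0) < 64) short = 1
        }
        END { if (seen_begin && seen_end && !bad) exit 0; exit 1 }
    ' "$1"
}

# write_mangled_sample FILE  -> constructed test input (NOT a real certificate):
# CRLF endings, uneven line widths, and no newline after the END marker.
write_mangled_sample() {
    b64='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'   # exactly 64 chars
    printf '%s\r\n%s\r\n%s\r\n%s\r\n%s' \
        '-----BEGIN CERTIFICATE-----' "${b64}${b64}" 'AB' 'CD==' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage:  normalize_pem cert.pem > cert.fixed.pem && check_layout cert.fixed.pem
# Then let openssl confirm it parses:  openssl x509 -in cert.fixed.pem -noout -text
```

check_layout is deliberately separate from openssl: a file can satisfy every layout rule and still carry corrupt base64, so after normalizing always finish with the openssl x509 -noout -text call, which is the check the post's error message comes from in the first place.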

I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!

Pre-req's:
* OpenSSL 0.9.7a Feb 19 2003
* RHEL5

28 comments:

  1. Thanks so much!

    Option 3 to normalize your certificate: Open it in WordPad. Count 64 characters over from the left, then make all the following lines the same length as that first one. :)
  2. Solved my problem. Thank you sir.
  3. Thank you very much. It did indeed save much of what hair I have remaining.

    This solved my problem trying to get ssl certificates from 123-reg to work with nginx.

    Another error I was hitting is "PEM_read_bio:no start line error"; which came from blindly cat'ing the files together (as instructed by nginx)
  4. I had the same problem on windows:

    3624:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:.\crypto\pem\pem_lib.c:805:

    dos2unix didn't work for me, so I just opened the cert in the Windows cert shell extension, clicked "Copy to file" and created a copy of the certificate and used that. Worked fine.
  5. Opening the file in windows and saving it worked.
  6. `I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!`
    Well it did, thank you :)
  7. Fantastic! Thank you so much...
  8. Awesome!! It worked for me and saved my day :)
  9. I pulled a "lost" cert from AWS IAM (it is possible) and the format that it came out required the removal of all of the "\n" characters, restructuring the Begin and End lines, and also the "fold -w 64 whatever.pem" in order to get it back to a state where I could run the standard "openssl x509 -in whatever.pem -noout -text" on it.
  10. Steps 1, 2, 3 worked for me. Thank you.
  11. Fantastic article. Got my issue resolved with this.
  13. Thank you so much, this works for me
  14. I am trying to validate an MD5 certificate on Ubuntu OS. Getting error as
    unable to load certificate
    140591104878240:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:
    unable to load key file
  15. Oh man! Many thanks. The 64 characters limit did the trick here.

    In case anyone is on PHP with this problem, you may use the function chunk_split to split the certificate string.
  16. Year 2019 and it solved my problem. WTH LibreSSL? Why vomit on CR instead of ignoring it?
  17. Certificate generated in linux may contain \n several times, remove it and hit an openssl command again. It solved my issue.
  18. I opened .cer files in VSCode, and they already were formatted as
    -----BEGIN CERTIFICATE-----
    gibberish
    -----END CERTIFICATE-----

    and with regex I added \n to the end of each line, including -----END CERTIFICATE----- as the author said, and then made it one line keeping the \n I'd just added, because I needed it as one line.

    It worked for me, thank you so much for your help!
  19. Thank you for this !!! resolved my problem. :D