Thursday, August 18, 2011

openssl error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

I had a problem today where Java keytool could read a X509 certificate file, but openssl could not. Immediately, I thought, "Oh, it must be in DER instead of PEM," but it was in PEM (plain text). Then I remembered something I stumbled upon months ago: openssl is picky about PEM certificate formatting.

1. The file must contain:
-----BEGIN CERTIFICATE-----
on a separate line (i.e. it must be terminated with a newline).
2. Each line of "gibberish" must be 64 characters wide.
3. The file must end with:
-----END CERTIFICATE-----
and also be terminated with a newline.
4. Don't save the cert text with Word. It must be in ASCII.
5. Don't mix DOS and UNIX style line terminations.

So, here are a few steps you can take to normalize your certificate:
1. Run it through dos2unix
dos2unix cert.pem
2. Run it through fold
fold -w 64 cert.pem

I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!

Pre-req's:
* OpenSSL 0.9.7a Feb 19 2003
* RHEL5
Posted by at

28 comments:

  1. Taylor SJune 13, 2012 at 10:29 AM

    Thanks so much!

    Option 3 to normalize your certificate: Open it in WordPad. Count 64 characters over from the left, then make all the following lines the same length as that first one. :)

    ReplyDelete
  2. UnknownDecember 2, 2012 at 1:39 PM

    Solved my problem. Thank you sir.

    ReplyDelete
  3. "no stripes" BostonDecember 3, 2012 at 9:56 AM

    Fantastic ... thank you mate!

    ReplyDelete
  4. Craig LoftusDecember 6, 2012 at 8:11 AM

    Thank you very much. It did indeed save much of what hair I have remaining.

    This solved my problem trying to get ssl certificates from 123-reg to with nginx.

    Another error I was hitting is "PEM_read_bio:no start line error"; which came from blindly cat'ing the files together (as instructed by nginx)

    ReplyDelete
  5. CrundyFebruary 22, 2013 at 1:50 AM

    I had the same problem on windows:

    3624:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:.\crypto\pem\pem_lib.c:805:

    dos2unix didn't work for me, so I just opened the cert in the Windows cert shell extension, clicked "Copy to file" and created a copy of the certificate and used that. Worked fine.

    ReplyDelete
  6. UnknownDecember 19, 2013 at 6:41 PM

    Opening the file in windows and saving it worked.

    ReplyDelete
  7. mamdouhJune 9, 2014 at 10:37 AM

    `I hope that helps some poor soul out there pulling his/her hair out wondering what that error message means!`
    Well it did, thank you :)

    ReplyDelete
  8. UnknownJuly 31, 2014 at 5:25 AM

    Fantastic! Thank you so much...

    ReplyDelete
  9. VinayApril 9, 2015 at 12:02 PM

    Awesome !! it worked for me and save my day :)

    ReplyDelete
  10. UnknownMay 22, 2015 at 7:04 AM

    I pulled a "lost" cert from AWS IAM (it is possible) and the format that it came out required the removal of all of the "\n" characters, restructuring the Begin and End lines, and also the "fold -w 64 whatever.pem" in order to get it back to a state where I could run the standard "openssl x509 -in whatever.pem -noout -text" on it.

    ReplyDelete
  11. slaphead99October 27, 2015 at 6:30 AM

    Saved me, thanks!!!!

    ReplyDelete
  12. UnknownNovember 4, 2015 at 2:46 PM

    step 1,2,3 worked for me. thank you.

    ReplyDelete
  13. UnknownApril 21, 2016 at 1:33 PM

    Awesome. Thank you!

    ReplyDelete
  14. UnknownJuly 21, 2016 at 12:27 PM

    Fantastic article. Got my issue resolved with this.

    ReplyDelete
  15. UnknownFebruary 4, 2017 at 9:09 PM

    This comment has been removed by the author.

    ReplyDelete
  16. UnknownMarch 21, 2017 at 8:58 PM

    Thank you so much

    ReplyDelete
  17. UnknownMarch 21, 2017 at 8:58 PM

    Thank you so much

    ReplyDelete
  18. UnknownJuly 24, 2017 at 8:09 AM

    Many thanks!

    ReplyDelete
  19. AlixOctober 20, 2017 at 7:56 AM

    This helped. Thanks!

    ReplyDelete
  20. UnknownJune 27, 2018 at 11:17 PM

    Thank you so much, this works for me

    ReplyDelete
  21. UnniJuly 12, 2018 at 9:50 AM

    I am trying to validate MD5 certificate on Ubunu OS. Getting error as
    unable to load certificate
    140591104878240:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:
    unable to load key file

    ReplyDelete
  22. CantuáriaSeptember 21, 2018 at 2:42 PM

    Oh man! Many thanks. The 64 characters limit did the trick here.

    In case anyone is on PHP with this problem, you may use the function chunk_split to split the certificate string.

    ReplyDelete
  23. Thulasi ramNovember 14, 2018 at 11:36 PM

    It really worked :)

    ReplyDelete
  24. Tõnu SamuelApril 16, 2019 at 4:53 AM

    Year 2019 and it solved my problem. WTH LibreSSL? Why vomit on CR instead of ignoring it?

    ReplyDelete
  25. UnknownAugust 30, 2019 at 2:00 AM

    Certificate generated in linux may contain \n several times, remove it and hit a openssl command again. It solved my issue.

    ReplyDelete
  26. UnknownDecember 10, 2020 at 7:52 AM

    I opened .cer files in VSCode, and they already were formatted as
    -----BEGIN CERTIFICATE-----
    jibberish
    -----END CERTIFICATE-----

    and with regex I added \n to the end of each line, including -----END CERTIFICATE----- asauthor said and then made it one line keeping \n I'd just added, because I needed it as one line.

    I worked for me, thank you so much for your help!

    ReplyDelete
  27. ElCrisJune 7, 2021 at 4:27 PM

    Thank you for this !!! resolved my problem. :D

    ReplyDelete

Subscribe to: Post Comments (Atom)