OpenSSL PEM routines PEM read bio no start line pem lib c 703 Expecting TRUSTED CERTIFICATE

Question

I need a hash-name for file for posting in Stunnel s CApath directory  I have got some certs in this directory and they are working well  Also  I have a server sert and server key   cert   c  Program Files  x86  stunnel server cert pem  key   c  Program gt  Files  x86  stunnel private server key pem   When I try to calculate a hash of my new cert  I get an error     etc pki tls misc c hash cert pem  unable to load certificate 140603809879880 error 0906D06C PEM routines PEM read bio no start line pem lib c 703 Expecting  TRUSTED CERTIFICATE   As I understand I must sign my cert  but I don t understand how I can do that   Please  provide the solution   P S    The message   unable to load certificate 140603809879880 error 0906D06C PEM routines PEM read bio no start line pem lib c 703 Expecting  TRUSTED CERTIFICATE    posted when I made c hash for cert pem This is not server cert pem  this is Root CA and it is content something like   -----BEGIN CERTIFICATE-----      6UXBNSDVg5rSx60      -----END CERTIFICATE-----   When I write   openssl x509 -noout -text -in cert pem   In console panel I see this info       Certificate      Data          Version  3  0x2          Serial Number  1  0x1      Signature Algorithm  sha1WithRSAEncryption         Issuer  C BE  ST BB  L BB  O BANKSYS NV  OU SCY  CN TEST Root CA         Validity             Not Before  May 31 08 06 40 2005 GMT             Not After   May 31 08 06 40 2020 GMT         Subject  C BE  ST BB  L BB  O BB NV  OU SCY  CN TEST Root CA         Subject Public Key Info              Public Key Algorithm  rsaEncryption                 Public-Key   2048 bit                  Modulus                      00 82 c8 58 1e e5 7a b2 63 a6 15 bd f9 bb 1f                               Exponent  65537  0x10001          X509v3 extensions              X509v3 Basic Constraints  critical                 CA TRUE             X509v3 Key Usage  critical                 Certificate Sign  CRL Sign             X509v3 Subject Key Identifier                  76 70 AB 92 9B B1 26 CE 9E 93 D8 77 4F 78 0D B8 D4 6C DA C6     Signature Algorithm  sha1WithRSAEncryption          2c 7e bd 3f da 48 a4 df 8d 7c 96 58 f7 87 bd e7 16 24

User · Answer

My situation was a little different  The solution was to strip the  pem from everything outside of the CERTIFICATE and PRIVATE KEY sections and to invert the order which they appeared  After converting from pfx to pem file  the certificate looked like this   Bag Attributes localKeyID      issuer     -----BEGIN CERTIFICATE-----     -----END CERTIFICATE----- Bag Attributes more garbage    -----BEGIN PRIVATE KEY-----     -----END PRIVATE KEY-----   After correcting the file  it was just   -----BEGIN PRIVATE KEY-----     -----END PRIVATE KEY----- -----BEGIN CERTIFICATE-----     -----END CERTIFICATE-----

User · Answer

Since you are on Windows  make sure that your certificate in Windows  compatible   most importantly that it doesn t have  M in the end of each line  If you open it it will look like this   -----BEGIN CERTIFICATE----- M MIIDITCCAoqgAwIBAgIQL9 89q6RUm0PmqPfQDQ mjANBgkqhkiG9w0BAQUFADBM M   To solve  this  open it with Write or Notepad   and have it convert it to Windows  style  Try to run openssl x509 -text -inform DER -in server cert pem and see what the output is  it is unlikely that a private secret key would be untrusted  trust only is needed if you exported the key from a keystore  did you

User · Answer

Change encoding in notepad   UTF-8 with BOM  That is how it worked for me

User · Answer

You can get this misleading error if you naively try to do this    clear  - gt  Private Key Encrypt - gt   encrypted  - gt  Public Key Decrypt - gt   clear    Encrypting data using a private key is not allowed by design    You can see from the command line options for open ssl that the only options to encrypt - gt  decrypt go in one direction public - gt  private     -encrypt        encrypt with public key   -decrypt        decrypt with private key   The other direction is intentionally prevented because public keys basically  can be guessed   So  encrypting with a private key means the only thing you gain is verifying the author has access to the private key   The private key encrypt - gt  public key decrypt direction is called  signing  to differentiate it from being a technique that can actually secure data     -sign           sign with private key   -verify         verify with public key   Note  my description is a simplification for clarity  Read this answer for more information

User · Answer

Another possible cause of this is trying to use the  x509  module on something that is not X 509  The server certificate is X 509 format  but the private key is RSA  So  openssl rsa -noout -text -in privkey pem openssl x509 -noout -text -in servercert pem

User · Answer

I had the same issue using Windows  got if fixed by opening it in Notepad   and changing the encoding from  UCS-2 LE BOM  to  UTF-8

User · Answer

My mistake was simply using the CSR file instead of the CERT file

[windows] OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Examples related to windows

Examples related to openssl

Examples related to certificate

Examples related to trusted