OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

windows openssl certificate trusted
lsv picture lsv · Dec 30, 2013 · Viewed 431.9k times · Source

I need a hash-name for file for posting in Stunnel's CApath directory. I have got some certs in this directory and they are working well. Also, I have a server sert and server key:

cert = c:\Program Files (x86)\stunnel\server_cert.pem 
key = c:\Program> Files (x86)\stunnel\private\server_key.pem

When I try to calculate a hash of my new cert, I get an error: 

/etc/pki/tls/misc/c_hash cert.pem

unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

As I understand I must sign my cert, but I don't understand how I can do that. Please, provide the solution.

P.S.:

The message 

unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:

posted when I made c_hash for cert.pem This is not server_cert.pem, this is Root_CA and it is content something like 

-----BEGIN CERTIFICATE-----  
...6UXBNSDVg5rSx60=.. 

-----END CERTIFICATE-----

When I write 

openssl x509 -noout -text -in cert.pem

In console panel I see this info:

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, ST=BB, L=BB, O=BANKSYS NV, OU=SCY, CN=TEST Root CA
        Validity
            Not Before: May 31 08:06:40 2005 GMT
            Not After : May 31 08:06:40 2020 GMT
        Subject: C=BE, ST=BB, L=BB, O=BB NV, OU=SCY, CN=TEST Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:82:c8:58:1e:e5:7a:b2:63:a6:15:bd:f9:bb:1f:
............
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                76:70:AB:92:9B:B1:26:CE:9E:93:D8:77:4F:78:0D:B8:D4:6C:DA:C6
    Signature Algorithm: sha1WithRSAEncryption
         2c:7e:bd:3f:da:48:a4:df:8d:7c:96:58:f7:87:bd:e7:16:24:
...............

Answer

Noam Rathaus picture Noam Rathaus · Dec 30, 2013

  1. Since you are on Windows, make sure that your certificate in Windows "compatible", most importantly that it doesn't have ^M in the end of each line

    If you open it it will look like this:

    -----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M

    To solve "this" open it with Write or Notepad++ and have it convert it to Windows "style"

  2. Try to run openssl x509 -text -inform DER -in server_cert.pem and see what the output is, it is unlikely that a private/secret key would be untrusted, trust only is needed if you exported the key from a keystore, did you?

Related questions

OpenSSL and error in reading openssl.conf file

I am running windows xp 32bit I just downloaded Openssl from the following URL and installed it. http://www.slproweb.com/products/Win32OpenSSL.html and then i tried to create a self signed certificate by using the following command …

Read More
Can't open config file: /usr/local/ssl/openssl.cnf on Windows

I have installed OpenSSL 64. I want to use a certificate for my nodejs https server. I ran the following command: openssl genrsa -out subdomain.domain.com.key 1024 But I have got the error: WARNING: can't open config file: /usr/local/…

Read More
Unable to load config info from /usr/local/ssl/openssl.cnf on Windows

While using OpenSSL on Windows: openssl genrsa -out privatekey.pem 1024 --> Created successfully openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 365 ----> Showing error message as unable to load config info from /usr/local/ssl/…

Read More