Can't Get Private Key with Openssl (No Start Line:Pem_Lib.C:703:Expecting: Any Private Key)

It looks like you have a certificate in DER format instead of PEM. This is why it works correctly when you provide the -inform PEM command line argument (which tells openssl what input format to expect).

It's likely that your private key is using the same encoding. It looks as if the openssl rsa command also accepts a -inform argument, so try:

openssl rsa -text -in file.key -inform DER

A PEM encoded file is a plain-text encoding that looks something like:

-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----

DER, on the other hand, is a binary encoding format.

Update

Sometimes keys are distributed in PKCS#8 format (which can be either PEM or DER encoded). Try this and see what you get:

openssl pkcs8 -in file.key -inform der

no start line:crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE REQUEST

It is unclear what you are trying to do here, since you only describe the problems you run into and not what task you are trying to implement at the end. Anyway ...

openssl req -text -in certificate.pem

This line expects a certificate request. Your code instead creates a certificate (CertificateBuilder), not a certificate request. The latter would be created with x509.CertificateSigningRequestBuilder, which as expected works with the openssl req command above.

... I get an error when I try to build a self-signed certificate with x509.CertificateBuilder.

It does not look like you get an error when building the self-signed certificate, i.e. the code to build the certificate works. Instead you get an error when using it with openssl req. This error is expected, since you did not provide a certificate request but instead a certificate. For certificates, use the x509 openssl command, not req:

openssl x509 -text -in certificate.pem

Any way to get signed message using private key and signature?

What is signed is the message hash, not the message. You cannot derive a message from its hash.

error:0906D06C:PEM routines:PEM_read_bio:no start

Your RSA public key is in SubjectPublicKeyInfo PEM format, but you are trying to read it using PEM_read_bio_RSAPublicKey which tries to read a PEM RSA key in PKCS#1 format. Try using PEM_read_bio_RSA_PUBKEY instead.

https://www.openssl.org/docs/man1.1.0/crypto/PEM_read_bio_RSAPublicKey.html

nginx SSL no start line: expecting: TRUSTED CERTIFICATE

A "normal" certificate, once encoded in PEM will look like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

(the ... is the Base64 encoding of a DER structure)

This is normally (with the associated key, typically in a separate file) the thing needed by any TLS-enabled application when it wants to show its identity to the remote end.

As a side note, since it seems to be a popular (wrong) belief: the filename by itself, including the extension, has explicitly no consequences on whether the content works (or not). You can name your files foobar.42 and buzz.666 and if their content is valid they will work just as well... of course maintenance by humans would be harder, hence the convention of often using .crt for a certificate (or .cert for non-DOS based constrained environments) and .key for a key file, and typically using the site name (for a website) or part of it for the name, such as example.com.crt.
But again, those are only one possible set of conventions, and any program needing these files does not care about the name, just the content.
Some are using the .pem extension also.

See https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions for all of the above; it has a good discussion/presentation of the options.

Now in your case, the error message was telling you it expected content written as such:

-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----

the only difference being the added TRUSTED keyword. But why, and when does it happen?

A certificate is signed by one "certificate authority" through one or more intermediates. This builds a chain of trust up to a root certificate, where the issuer is equal to the subject: this certificate signs itself.

You generated your certificate yourself, so this is a "self-signed" certificate, technically indistinguishable from a CA certificate, except that no system by default, including your own, will give trust to such a certificate without specific configuration.

This is basically what the error message tells you: the application says it is loading a certificate based on your configuration that it cannot validate (because it is self-signed), and at the same time you did not explicitly configure it to trust it.

This may be different depending on the application or its version, because the guide at https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 does basically the same thing as you do, and it works, but without showing the content of the certificate.

In your openssl call, if you add -trustout it will generate BEGIN TRUSTED CERTIFICATE instead of BEGIN CERTIFICATE. This may also happen by default, depending on how openssl is installed/configured on your system. Conversely, there is -clrtrust.
See the "Trust Settings" section of the openssl x509 command at https://www.openssl.org/docs/man1.1.0/apps/x509.html.
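Pulling the answers above together as an added example (not code from any of the posters or from OpenSSL): a small Python classifier that tells PEM armour from bare DER and, for DER, reads the shape of the outer ASN.1 SEQUENCE to decide whether the blob is a PKCS#1 key, a PKCS#8 PrivateKeyInfo, a SubjectPublicKeyInfo, a certificate or a certificate request, then names the openssl front end or PEM_read_bio_* reader that accepts it (the "no start line" error is what you get when the wrong one is used). The READER table, the der_tlv/classify/suggest names and the shape heuristics are my own; the sample key is the one quoted in the first answer.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)  # the label picks the parser
READER = {  # which openssl front end (or libcrypto PEM reader) each label belongs to, per the answers above
    "RSA PRIVATE KEY": "openssl rsa -text -in FILE",     # PKCS#1 RSAPrivateKey
    "PRIVATE KEY": "openssl pkcs8 -in FILE",             # PKCS#8 PrivateKeyInfo
    "RSA PUBLIC KEY": "PEM_read_bio_RSAPublicKey()",     # PKCS#1 RSAPublicKey
    "PUBLIC KEY": "PEM_read_bio_RSA_PUBKEY()",           # SubjectPublicKeyInfo
    "CERTIFICATE": "openssl x509 -text -in FILE",
    "TRUSTED CERTIFICATE": "openssl x509 -text -in FILE (written by -trustout; -clrtrust drops the trust block)",
    "CERTIFICATE REQUEST": "openssl req -text -in FILE",
}

def der_tlv(buf):  # split one DER tag-length-value off the front of buf -> (tag, value, remainder)
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def classify_der(data):  # the PEM label an unarmoured DER blob would carry, judged from its outer SEQUENCE
    tag, body, _ = der_tlv(data)
    if tag != 0x30 or not body:
        return "UNKNOWN"
    t1, v1, rest = der_tlv(body)
    t2, _, rest2 = der_tlv(rest) if rest else (None, b"", b"")
    if t1 == 0x02 and t2 == 0x02:  # INTEGER, INTEGER: RSAPublicKey stops at two, RSAPrivateKey goes on
        return "RSA PUBLIC KEY" if not rest2 else "RSA PRIVATE KEY"
    if t1 == 0x02 and t2 == 0x30:  # version, AlgorithmIdentifier, OCTET STRING
        return "PRIVATE KEY"
    if t1 == 0x30 and t2 == 0x03:  # AlgorithmIdentifier, BIT STRING
        return "PUBLIC KEY"
    if t1 == 0x30 and t2 == 0x30 and v1:  # tbs, signatureAlgorithm, signature; a v3 TBSCertificate opens with [0] version, a CSR's info with INTEGER version
        return "CERTIFICATE" if v1[0] == 0xA0 else "CERTIFICATE REQUEST"
    return "UNKNOWN"

def classify(data):  # -> (encoding, label) for the raw bytes of a key or certificate file
    m = PEM_RE.search(data)
    return ("PEM", m.group(1).decode()) if m else ("DER", classify_der(data))

def suggest(data):  # the reader the 'no start line' error is really asking for
    encoding, label = classify(data)
    hint = READER.get(label, "unrecognised structure")
    return hint + (" -inform DER" if encoding == "DER" and hint.startswith("openssl") else "")

B64_KEY = (  # sample input: the PKCS#1 demo key quoted in the first answer above, not a real secret
    b"MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIhALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU"
    b"QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe")
PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\n" + B64_KEY + b"\n-----END RSA PRIVATE KEY-----\n"
DER_KEY = base64.b64decode(B64_KEY)
```

Feeding DER_KEY to suggest() yields the -inform DER fix from the first answer, while PEM_KEY yields the plain openssl rsa call. The certificate/CSR split is a heuristic: a v1 certificate has no [0] version tag and would be reported as a request.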
