Can't get private key with openssl (no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY)
It looks like you have a certificate in DER format instead of PEM. This is why it works correctly when you provide the -inform PEM command line argument (which tells openssl what input format to expect).
It's likely that your private key is using the same encoding. It looks as if the openssl rsa command also accepts a -inform argument, so try:
openssl rsa -text -in file.key -inform DER
A PEM encoded file is a plain-text encoding that looks something like:
-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----
While DER is a binary encoding format.
Update
Sometimes keys are distributed in PKCS#8 format (which can be either PEM or DER encoded). Try this and see what you get:
openssl pkcs8 -in file.key -inform der
no start line:crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE REQUEST
It is unclear what you are trying to do here, since you only describe the problems you run into and not what task you are trying to implement at the end. Anyway ...
openssl req -text -in certificate.pem
This line expects a certificate request. Your code instead creates a certificate (CertificateBuilder), not a certificate request. The latter would be created with x509.CertificateSigningRequestBuilder, which as expected works with the openssl req command above.
... I get an error when I try to build a self-signed certificate with x509.CertificateBuilder.
It does not look like you get an error when building the self-signed certificate, i.e. the code to build the certificate works. Instead you get an error when using it with openssl req. This error is expected since you did not provide a certificate request but instead a certificate. For certificates use the x509 openssl command, not req:
openssl x509 -text -in certificate.pem
Any way to get signed message using private key and signature?
What is signed is the message hash, not the message. You cannot derive a message from its hash.
error:0906D06C:PEM routines:PEM_read_bio:no start
Your RSA public key is in SubjectPublicKeyInfo PEM format, but you are trying to read it using PEM_read_bio_RSAPublicKey, which tries to read a PEM RSA key in PKCS#1 format. Try using PEM_read_bio_RSA_PUBKEY instead.
https://www.openssl.org/docs/man1.1.0/crypto/PEM_read_bio_RSAPublicKey.html
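The "Expecting: ANY PRIVATE KEY", "Expecting: CERTIFICATE REQUEST" and PEM_read_bio_RSAPublicKey answers above all come down to one thing: the PEM label, the ASN.1 structure under it and the reader you call have to agree. The script below is an added example, not code from any of the answers or from OpenSSL. It sniffs PEM versus DER, names the container from the tags of its top-level members (PKCS#1 RSAPrivateKey, PKCS#8 PrivateKeyInfo, PKCS#1 RSAPublicKey, SubjectPublicKeyInfo, Certificate, CertificationRequest) and maps that to the openssl command that will parse it, appending -inform DER only when there is no PEM armour. Its sample input is the toy key printed in the first answer; the PKCS#8, SubjectPublicKeyInfo and CSR blobs are constructed from that key (the CSR with an empty subject and a zero signature, so it has the right shape but is not a valid request), and the FILE placeholder in the suggested commands is an assumption of this example.

```python
import base64, re

# Sample from the page: the PKCS#1 key printed in the first answer (256-bit toy key).
PAGE_KEY_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----
"""
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PAGE_KEY_DER = base64.b64decode(PEM_RE.search(PAGE_KEY_PEM).group(2))  # same key, DER
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # SEQUENCE { rsaEncryption, NULL }

def der_tlv(data, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, end_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's body into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der(tag, value):
    """Encode one TLV, using the long length form past 127 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(i):  # extra leading byte when the top bit is set keeps the INTEGER positive
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def classify_der(data):
    """Name the ASN.1 container by the tags of its top-level members."""
    tag, body, end = der_tlv(data)
    if tag != 0x30 or end != len(data):
        return "not one DER SEQUENCE covering the input"
    tags = [t for t, _ in der_children(body)]
    if len(tags) == 9 and set(tags) == {0x02}:
        return "PKCS#1 RSAPrivateKey"           # 'RSA PRIVATE KEY' PEM, openssl rsa
    if tags[:3] == [0x02, 0x30, 0x04]:
        return "PKCS#8 PrivateKeyInfo"          # 'PRIVATE KEY' PEM, openssl pkcs8
    if tags == [0x02, 0x02]:
        return "PKCS#1 RSAPublicKey"            # 'RSA PUBLIC KEY' PEM, PEM_read_bio_RSAPublicKey
    if tags == [0x30, 0x03]:
        return "SubjectPublicKeyInfo"           # 'PUBLIC KEY' PEM, PEM_read_bio_RSA_PUBKEY
    if tags == [0x30, 0x30, 0x03]:              # signed object: tbs, sigalg, signature
        tbs = [t for t, _ in der_children(der_children(body)[0][1])]
        # CertificationRequestInfo ends with its mandatory [0] attributes;
        # a TBSCertificate ends with the SPKI or the [3] extensions.
        return "CertificationRequest" if tbs[-1] == 0xA0 else "Certificate"
    return "unrecognised SEQUENCE"

def classify(data):
    """Return (encoding, pem_label_or_None, container) for a key/cert file's bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_RE.search(data)
        if not m:
            return ("PEM", None, "BEGIN line without matching END line")
        return ("PEM", m.group(1).decode(), classify_der(base64.b64decode(m.group(2))))
    if data[:1] == b"\x30" and len(data) > 2:
        return ("DER", None, classify_der(data))
    return ("unknown", None, "neither PEM armour nor a DER SEQUENCE")

READERS = {  # 'no start line' / 'Expecting: ...' means the wrong reader was pointed at the file
    "PKCS#1 RSAPrivateKey": "openssl rsa -in FILE",
    "PKCS#8 PrivateKeyInfo": "openssl pkcs8 -nocrypt -in FILE",
    "PKCS#1 RSAPublicKey": "openssl rsa -pubin -RSAPublicKey_in -in FILE",
    "SubjectPublicKeyInfo": "openssl rsa -pubin -in FILE",
    "Certificate": "openssl x509 -in FILE",
    "CertificationRequest": "openssl req -in FILE",
}

def suggest(data):
    enc, _, container = classify(data)
    cmd = READERS.get(container, "openssl asn1parse -in FILE")
    return cmd + (" -inform DER" if enc == "DER" else "")

def pkcs1_to_pkcs8(pkcs1):  # PrivateKeyInfo { version 0, rsaEncryption, OCTET STRING(pkcs1) }
    return der(0x30, der_int(0) + RSA_ALG_ID + der(0x04, pkcs1))

def pkcs1_to_spki(pkcs1):  # lift n, e out of the private key into SubjectPublicKeyInfo
    ints = [int.from_bytes(v, "big") for _, v in der_children(der_tlv(pkcs1)[1])]
    rsa_pub = der(0x30, der_int(ints[1]) + der_int(ints[2]))
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_pub))

def csr_skeleton(pkcs1):  # constructed, unsigned CertificationRequest shape (zero signature)
    info = der(0x30, der_int(0) + der(0x30, b"") + pkcs1_to_spki(pkcs1) + der(0xA0, b""))
    sig_alg = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
    return der(0x30, info + sig_alg + der(0x03, b"\x00" + bytes(32)))

if __name__ == "__main__":
    for blob in (PAGE_KEY_PEM, PAGE_KEY_DER, pkcs1_to_pkcs8(PAGE_KEY_DER), csr_skeleton(PAGE_KEY_DER)):
        print(classify(blob), "->", suggest(blob))
```

Point classify() at the raw bytes of the file that produced the error; the third element of the result tells you which openssl subcommand (or which PEM_read_bio_* function) matches the content, and the PEM label in the second element is what openssl compares against its "Expecting:" string. What no tool can do is turn something that is not a key into one: if classify_der reports that the data is not a single DER SEQUENCE, the file is truncated, wrapped in something else, or not a key at all, and no -inform value will fix that.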
nginx SSL no start line: expecting: TRUSTED CERTIFICATE
A "normal" certificate, once encoded in PEM will look like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
(the ... is Base64 encoding of a DER structure)
This is normally (with the associated key, typically in separate file) the thing needed by any TLS enabled application when it wants to show its identity to the remote end.
As a side note, since it seems to be a popular (wrong) belief, the filename by itself, including the extension, has explicitly no consequences on the working (or not) status of the content. You can name your files foobar.42 and buzz.666 and if their content is valid they will work as well... of course maintenance by the human would be harder, hence the convention of often using .crt for a certificate (or .cert for non-DOS based constrained environments) and .key for a keyfile, and typically using the site name (for a website) or part of it for the name, such as example.com.crt.
But again, those are only one possible set of conventions, and any program needing these files does not care about the name, just the content.
Some are using the .pem extension also.
See https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions for all the above it has a good discussion/presentation of options.
Now in your case the error message was telling you it expected to have a content written as such:
-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----
the only difference being the added TRUSTED keyword. But why, and when does it happen?
A certificate is signed by one "certificate authority" through one or more intermediates. This builds a chain of trust up to a root certificate, where the issuer is equal to the subject, this certificate signs itself.
You generated your certificate yourself, so this is a "self-signed" certificate, indistinguishable technically from a CA certificate, except that no system by default, including your own, will give trust to such certificate without specific configuration.
This is basically what the error message tells you: the application says it is loading a certificate based on your configuration that it cannot validate (because it is self signed) and at the same time you did not explicitly configure it to trust it.
This may be different depending on the application or its version, because the guide at https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 does basically the same thing as you and it works, but without showing the content of the certificate.
In your openssl call, if you add -trustout it will generate BEGIN TRUSTED CERTIFICATE instead of BEGIN CERTIFICATE. This may happen by default also, depending on how openssl is installed/configured on your system. On the contrary, you have -clrtrust.
See the "Trust Settings" section of the openssl x509 command at https://www.openssl.org/docs/man1.1.0/apps/x509.html