Unable to load certificate expecting trusted certificate

"Mitchel, Jennifer (Jem)" wrote:
> I have generated my key pair. I have generated my certificate
> signing request sent it to my CA and gotten my certificate back...
> I named it server.crt
> I am trying to use ssl to verify the certificate. I have the key pair,
> csr & server.crt all in <install>/bin so no other path is needed to the files.

> I am typing the command: ./openssl x509 -noout -text -in server.crt

> and I am getting the error:

> unable to load certificate

> 19713:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:663:Expecting: TRUSTED CERTIFICATE

> Can someone tell me what it is I'm missing.

It might not be this simple, but could you check to see that the
certificate file is readable and has the appropriate "start line"
(which is what the code is complaining about)? A certificate in
PEM format looks like this:

-----BEGIN CERTIFICATE-----
MIIDjjCCAvegAwIBAgIDAKqqMA0GCSqGSIb3DQEBBAUAMIGKMQswCQYDVQQGEwJV
UzERMA8GA1UECBMITWFyeWxhbmQxGTAXBgNVBAoTEFVNQ1AvT0lUL1RTUy9FSVMx
MDAuBgNVBAMTJ1VNQ1AvT0lUL1RTUy9FSVMgU2VsZlNpZ25lZCBDQSAoY2VydCBB
KTEbMBkGCSqGSIb3DQEJARYMemJlbkB1bWQuZWR1MB4XDTAyMDIyMTE4MjYxM1oX
DTA3MDIyMDE4MjYxM1owgYwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFu
ZDEZMBcGA1UEChMQVU1DUC9PSVQvVFNTL0VJUzEyMDAGA1UEAxMpVU1DUC9PSVQv
VFNTL0VJUyBJbnRlcm1lZGlhdGUgQ0EgKGNlcnQgQikxGzAZBgkqhkiG9w0BCQEW
DHpiZW5AdW1kLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy1aSf+oR
KjdW4GuofJrnuRDwcGRmJ66uEZLwlvngQJpKvKMtirooG9JwRgH/MiQYzNZytj2C
yCfwNbUpVB+hkf3ow82xJAk+qotM6+GGfsa5o2GPF2CyzkCi81jA9p/P9Zlmjx/2
04c2J68s5MC5PvGUyzHZN9Cz4Wmw3HwVzakCAwEAAaOB/TCB+jAdBgNVHQ4EFgQU
I8XlxJOCRIGw/kvMKhvOPqr6TRIwgbcGA1UdIwSBrzCBrIAUmi04P8/gAUxR7/Hc
OTlGa2rXu0ehgZCkgY0wgYoxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFu
ZDEZMBcGA1UEChMQVU1DUC9PSVQvVFNTL0VJUzEwMC4GA1UEAxMnVU1DUC9PSVQv
VFNTL0VJUyBTZWxmU2lnbmVkIENBIChjZXJ0IEEpMRswGQYJKoZIhvcNAQkBFgx6
YmVuQHVtZC5lZHWCAQAwDAYDVR0TBAUwAwEB/zARBglghkgBhvhCAQEEBAMCAgQw
DQYJKoZIhvcNAQEEBQADgYEAEipQP8YEZOZdWuZXhvleKlscEXrSbLs9qzdfxMTB
0uulvLBba+QwaTUyTmbeCgTD3Rjib12o0VX8jEJospiMnZmPaj/4fy3rULTFhvBY
Kl309wj7a2lfbJF/6ip5xr1pHgPEGFAZbSGygOibuuHsIeb3HA0YWa6H3UJlFVuU
n8A=
-----END CERTIFICATE-----

If the certificate is a jumble of binary data try adding -inform der
in case the cert is in der format:

./openssl x509 -noout -text -inform der -in server.crt

It is easy to translate between the two formats using much the
same command:

der to pem:
./openssl x509 -inform der -outform pem -in infile -out outfile

pem to der:
./openssl x509 -inform pem -outform der -in infile -out outfile

(actually pem is the default for inform and outform)

This might be important later when you try to use the certificate,
as the server software may demand a different form than you have...

--

Charles B. (Ben) Cranston
mailto:
http://www.wam.umd.edu/~zben

Home > CentOS > CentOS 6.x > Security tools > openssl

Creating self-signed pem certificates for HTTPS

We can create a self-signed PEM certificate with openssl for HTTPS, SMTPS, etc. using:

openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem

-x509 makes req write a self-signed certificate instead of a certificate request, -nodes leaves the private key unencrypted so that the service can start unattended, and because -keyout and -out name the same file the key and the certificate end up in one file: keep that file mode 600, or write the key to a separate file. Use at least rsa:2048; a 1024-bit RSA key is no longer considered safe. The validity is set to 9999 days (about 27 years) so that the certificate effectively never expires.

The above command leads to various prompts for the subject fields. If prompts are not desired, pass the subject on the command line:

openssl req -new -newkey rsa:2048 -days 9999 -nodes -x509 -subj '/C=IN/ST=Telangana/L=Hyderabad/O=Rekall Software/CN=myserver.example.com' -keyout mycert.pem -out mycert.pem

Two caveats: a self-signed certificate is trusted by no client until that client is explicitly told to trust it, and current browsers match the host name against the subjectAltName extension rather than the CN, which neither command sets (an x509_extensions section in a config file adds it on any OpenSSL version; -addext does the same on OpenSSL 1.1.1 and later).

For information on getting certificates signed by a CA, see Getting certificates signed by recognized CA.
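The following script is an added example and not part of the original page: it creates the self-signed server certificate described above without prompts, with the private key in its own 0600 file, a subjectAltName taken from an extensions section in a private config file (so it also works on the OpenSSL 1.0.x shipped with CentOS 6), and then runs the checks a client would make on it. The host name myserver.example.com, the organisation name and the 825-day lifetime are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: a self-signed server certificate
# created without prompts, with the key and the certificate in separate files
# and a subjectAltName so that browsers accept the host name.  The host name,
# organisation and 825-day lifetime are assumptions for the demo.
set -eu

# make_selfsigned DIR HOSTNAME: writes DIR/server.key (mode 0600) and DIR/server.crt
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Own config: req needs a distinguished_name section even with prompt = no,
    # and on OpenSSL 1.0.x the SAN can only come from an extensions section.
    cat > "$dir/selfsigned.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
O = Rekall Software
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    old_umask=$(umask)
    umask 077                     # the private key is never world-readable
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 825 \
        -config "$dir/selfsigned.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    umask "$old_umask"
    chmod 644 "$dir/server.crt"   # the certificate itself is public
}

# has_san CERT HOSTNAME: true if DNS:HOSTNAME appears in subjectAltName
has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# is_selfsigned CERT: subject and issuer are the same name
is_selfsigned() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# verifies_as_own_anchor CERT: what a client does after being told to trust
# this certificate explicitly.  Without that step verification fails with
# "self signed certificate" (error 18).
verifies_as_own_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh selfsigned-demo.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" myserver.example.com
    openssl x509 -in "$d/server.crt" -noout -subject -issuer -dates
    openssl verify -CAfile "$d/server.crt" "$d/server.crt"
fi
```

Run it with --demo to see the subject, issuer and validity dates and the verify result. The umask dance matters because the key must never be created world-readable even for an instant; the certificate, by contrast, is public data.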

Creating certificate request with OpenSSL

To create certificate request with OpenSSL we can use:

openssl genrsa -des3 -out client1.key 2048
openssl req -new -key client1.key -days 365 -out client1.csr

Remember the passphrase supplied while generating the key; it will be asked for whenever a new request is generated with that key. The challenge password asked for at the end of creating a certificate request can be left blank (it is a PKCS#9 attribute that most CAs ignore).

A passphrase-protected key means the passphrase must be typed whenever the service starts. For example, if the protected key is configured in the Apache web server, the passphrase has to be entered while starting the web server. This is especially problematic when the system is configured to start Apache automatically on boot on unattended systems (VMs etc.).

After creating the initial key and CSR, we can remove the passphrase from the key, if it is not required, via:

openssl rsa -in client1.key -out client1-without-password.key

The unprotected key is then only as safe as its file permissions: make it readable by root (or the service account) alone.

Refer:

  • https://futurestud.io/tutorials/how-to-remove-pem-password-from-ssl-certificate

Checking whether a given certificate and key pair match

To check whether a given key and certificate pair match, one can compare the RSA modulus of both:

openssl rsa -noout -modulus -in <key-file> | openssl md5
openssl x509 -noout -modulus -in <certificate-file> | openssl md5

If both commands produce exactly the same output, the certificate carries the public key of that private key; otherwise there is a problem. As http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match notes, a matching modulus is not the whole story: -modulus prints only the RSA modulus n, not the public exponent, and it does not exist for EC keys at all. A conclusive test is functional: sign a test message with the private key and verify the signature with the public key extracted from the certificate (openssl x509 -pubkey). Keep in mind too that a key matching the certificate says nothing about whether the server is actually configured to load that key file.
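The script below is an added example, not code from the original page. It covers the two preceding sections: it creates the passphrase-protected key and the CSR without interactive prompts, strips the passphrase the way the page does, and then checks that a key belongs to a certificate both with the page's modulus comparison and with the conclusive sign-and-verify test. The subject, file names and the passphrase are assumptions for the demo; a self-signed certificate stands in for the one a CA would return.

```shell
#!/bin/sh
# Added example, not from the original page: an encrypted key and a CSR made
# without prompts, the passphrase stripped for unattended start-up, and two
# ways of checking that a private key belongs to a certificate.  Subject,
# file names and the passphrase are assumptions for the demo.
set -eu

# req_config CN: minimal config so the run does not depend on the system openssl.cnf
req_config() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = Rekall Software\nCN = %s\n' "$1"
}

# make_key_and_csr DIR NAME CN PASSPHRASE: DIR/NAME.key (encrypted) and DIR/NAME.csr
make_key_and_csr() {
    dir=$1; name=$2; cn=$3; pass=$4
    mkdir -p "$dir"
    req_config "$cn" > "$dir/$name.cnf"
    # -aes256 instead of the page's -des3 (3DES is a legacy cipher);
    # -passout/-passin replace the interactive prompts.  In real use read the
    # passphrase from a file (-passout file:...) rather than the command line,
    # which is visible in the process list.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -passin "pass:$pass" \
        -config "$dir/$name.cnf" -out "$dir/$name.csr"
}

# strip_passphrase ENCRYPTED_KEY PASSPHRASE OUT: same key, no passphrase
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"    # an unencrypted key is only as safe as its file permissions
}

# key_is_encrypted KEY: both the legacy "Proc-Type: 4,ENCRYPTED" header and the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" label contain the word
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# csr_ok CSR: well-formed and its self-signature verifies
csr_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# modulus_hash key|cert FILE: the page's check, hashed with SHA-256.
# RSA only, and it compares nothing but the modulus n.
modulus_hash() {
    case $1 in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
    esac | openssl sha256
}

# key_matches_cert KEY CERT: conclusive for any key type: sign with the
# private key, verify with the public key taken out of the certificate.
key_matches_cert() {
    t=$(mktemp -d)
    openssl x509 -in "$2" -noout -pubkey > "$t/pub.pem"
    printf 'key-to-certificate binding check' > "$t/msg"
    openssl dgst -sha256 -sign "$1" -out "$t/sig" "$t/msg"
    if openssl dgst -sha256 -verify "$t/pub.pem" -signature "$t/sig" "$t/msg" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$t"
    return $rc
}

# self_sign_cert KEY CN OUT: stands in for the certificate a CA would return
self_sign_cert() {
    cfg=$(mktemp)
    req_config "$2" > "$cfg"
    openssl req -x509 -new -key "$1" -config "$cfg" -days 30 -out "$3" 2>/dev/null
    rm -f "$cfg"
}

# Usage: sh csr-demo.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    make_key_and_csr "$d" client1 client1.example.com 'correct horse battery staple'
    strip_passphrase "$d/client1.key" 'correct horse battery staple' "$d/client1-without-password.key"
    self_sign_cert "$d/client1-without-password.key" client1.example.com "$d/client1.crt"
    modulus_hash key  "$d/client1-without-password.key"
    modulus_hash cert "$d/client1.crt"
    key_matches_cert "$d/client1-without-password.key" "$d/client1.crt" && echo "key matches certificate"
fi
```

The sign-and-verify check is the one to script into deployment tooling: it fails for a key that merely looks similar, works for EC keys where -modulus prints nothing useful, and exercises exactly the operation the TLS server will perform with that key.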

Download server certificate directly from server

To fetch the certificate chain a TLS server presents, use:

  openssl s_client -connect {HOSTNAME}:{PORT} -servername {HOSTNAME} -showcerts </dev/null

The certificates are printed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines: the server's own certificate first, then whatever intermediates it sends (the root is usually not included). -servername sends the host name (SNI) so that a server hosting several sites returns the right certificate, and redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input. s_client shows what the server sends; the "Verify return code" line at the end tells you whether that chain validates against the local trust store.

For a protocol that upgrades a plain-text port with STARTTLS use something similar to:

   openssl s_client -starttls smtp -connect {HOSTNAME}:{PORT} -showcerts </dev/null

Apart from smtp, -starttls accepts imap, pop3, ftp and xmpp at the time of this writing (newer releases add more).


Learned from http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file

Converting certificates from one format to another

We can use openssl to convert from one certificate encoding or container to another. The common ones are:

  • PEM (.pem, .crt, .cer, .key): ASCII; base64 data between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (keys and CSRs use their own BEGIN/END labels). The usual format on Linux; several objects can be concatenated in one file.
  • DER (.der, .cer): the same ASN.1 structure in binary form, one certificate per file.
  • PKCS#7 / P7B (.p7b, .p7c): base64 or binary; holds one or more certificates (and optionally CRLs) but never a private key.
  • PKCS#12 / PFX (.pfx, .p12): binary and password-protected; stores the certificate, its intermediates, the CA and the private key together. Often used to export and import certificates on Windows.

The extension says little on its own: a .cer file may be PEM or DER.

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

 openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

You are prompted for the PFX password; the output file holds the certificates and, because of -nodes, the private key in the clear, so protect it accordingly.


Refer:

  • https://support.ssl.com/index.php?/Knowledgebase/Article/View/19
  • https://www.sslshopper.com/ssl-converter.html

Viewing certificates

View PEM encoded certificate

To view a PEM encoded certificate use:

openssl x509 -in cert.pem -text -noout

The file extension is irrelevant (cert.crt, cert.cer and cert.pem are read the same way); only the encoding matters.

If you get the following error:

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

then the file is not a PEM certificate. Most often it is DER encoded (see below), but an empty or truncated file, a key or CSR passed to x509 by mistake, or a PEM block whose -----BEGIN CERTIFICATE----- line has been damaged produce the same message, because PEM_read_bio simply found no BEGIN line of the expected type.

View DER encoded certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error:

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

then you are trying to open a PEM encoded certificate as DER: the ASN.1 decoder saw the ASCII "-" of the -----BEGIN line where it expected the SEQUENCE tag (0x30) that every DER certificate starts with.
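The script below is an added example, not code from the original page. It ties together the mailing-list question at the top of the page, the conversion section and the two error messages just described: it decides whether a file is PEM or DER by looking at the bytes instead of waiting for openssl to complain, converts between PEM, DER and PKCS#7 using that detection, and splits a multi-certificate file (a chain file, or the output of openssl s_client -showcerts) into one file per certificate. The sample certificate is the one printed in the mailing-list reply above; the duplicated bundle and the junk file in the demo are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the original page: tell PEM from DER before openssl
# complains, convert between PEM, DER and PKCS#7, and split a multi-certificate
# file (a chain file or the output of openssl s_client -showcerts) into one
# file per certificate.  The sample certificate is the one quoted in the
# mailing-list reply at the top of this page.
set -eu

# write_sample_cert OUT: the PEM certificate quoted earlier on this page
write_sample_cert() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDjjCCAvegAwIBAgIDAKqqMA0GCSqGSIb3DQEBBAUAMIGKMQswCQYDVQQGEwJV
UzERMA8GA1UECBMITWFyeWxhbmQxGTAXBgNVBAoTEFVNQ1AvT0lUL1RTUy9FSVMx
MDAuBgNVBAMTJ1VNQ1AvT0lUL1RTUy9FSVMgU2VsZlNpZ25lZCBDQSAoY2VydCBB
KTEbMBkGCSqGSIb3DQEJARYMemJlbkB1bWQuZWR1MB4XDTAyMDIyMTE4MjYxM1oX
DTA3MDIyMDE4MjYxM1owgYwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFu
ZDEZMBcGA1UEChMQVU1DUC9PSVQvVFNTL0VJUzEyMDAGA1UEAxMpVU1DUC9PSVQv
VFNTL0VJUyBJbnRlcm1lZGlhdGUgQ0EgKGNlcnQgQikxGzAZBgkqhkiG9w0BCQEW
DHpiZW5AdW1kLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy1aSf+oR
KjdW4GuofJrnuRDwcGRmJ66uEZLwlvngQJpKvKMtirooG9JwRgH/MiQYzNZytj2C
yCfwNbUpVB+hkf3ow82xJAk+qotM6+GGfsa5o2GPF2CyzkCi81jA9p/P9Zlmjx/2
04c2J68s5MC5PvGUyzHZN9Cz4Wmw3HwVzakCAwEAAaOB/TCB+jAdBgNVHQ4EFgQU
I8XlxJOCRIGw/kvMKhvOPqr6TRIwgbcGA1UdIwSBrzCBrIAUmi04P8/gAUxR7/Hc
OTlGa2rXu0ehgZCkgY0wgYoxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFu
ZDEZMBcGA1UEChMQVU1DUC9PSVQvVFNTL0VJUzEwMC4GA1UEAxMnVU1DUC9PSVQv
VFNTL0VJUyBTZWxmU2lnbmVkIENBIChjZXJ0IEEpMRswGQYJKoZIhvcNAQkBFgx6
YmVuQHVtZC5lZHWCAQAwDAYDVR0TBAUwAwEB/zARBglghkgBhvhCAQEEBAMCAgQw
DQYJKoZIhvcNAQEEBQADgYEAEipQP8YEZOZdWuZXhvleKlscEXrSbLs9qzdfxMTB
0uulvLBba+QwaTUyTmbeCgTD3Rjib12o0VX8jEJospiMnZmPaj/4fy3rULTFhvBY
Kl309wj7a2lfbJF/6ip5xr1pHgPEGFAZbSGygOibuuHsIeb3HA0YWa6H3UJlFVuU
n8A=
-----END CERTIFICATE-----
EOF
}

# cert_format FILE: prints pem, der or unknown.  "no start line ... Expecting:
# TRUSTED CERTIFICATE" only means that no "-----BEGIN ...CERTIFICATE-----" line
# was found: a DER file, but also an empty, truncated or mislabelled one.
cert_format() {
    if grep -q -- '-----BEGIN .*CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -A n -t x1 | tr -d ' \n')" = 30 ]; then
        echo der      # 0x30 is the ASN.1 SEQUENCE tag every DER certificate starts with
    else
        echo unknown
    fi
}

to_der() { openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform der -out "$2"; }
to_pem() { openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform pem -out "$2"; }

# fingerprint FILE: SHA-256 fingerprint whatever the encoding; equal
# fingerprints mean the same certificate
fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
cert_modulus() { openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -modulus | cut -d= -f2; }
file_size() { wc -c < "$1" | tr -d ' '; }

# PKCS#7 carries certificates only, never a private key
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
p7b_to_pem() { openssl pkcs7 -print_certs -in "$1" -out "$2"; }

# split_bundle BUNDLE OUTDIR: cert-1.pem, cert-2.pem, ... in file order; prints the count
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Usage: sh certformat-demo.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    write_sample_cert "$d/server.crt"
    to_der "$d/server.crt" "$d/server.der"
    printf '%s: %s, %s bytes\n' "$d/server.der" "$(cert_format "$d/server.der")" "$(file_size "$d/server.der")"
    openssl x509 -inform der -in "$d/server.der" -noout -subject -issuer -dates
fi
```

The same split_bundle works on saved s_client output because it ignores everything outside the BEGIN/END lines; numbering the files in file order is what lets you check that the server's own certificate really comes first.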

View details of Certificate Signing Request (CSR) file

To see the details of a CSR file use:

openssl req -noout -text -in <csr-file-name>

Refer:

  • https://www.tech-recipes.com/rx/447/view-the-details-of-a-certificate-signing-request-with-openssl/

Create certificate chain

In case of PEM based chains we can create the combined file via:

cat <pem-encoded-key> <pem-encoded-crt> <pem-encoded-ca-bundle> > combined-ca-bundle.pem

For example:

cat client1-without-password.key client1.crt ca-bundle.pem > combined-ca-bundle.pem

Note that the private key comes first, then the PEM encoded certificate, and finally the PEM encoded CA bundle (the intermediate certificates). This is the single-file layout servers such as haproxy, lighttpd and stunnel expect; Apache and nginx take the key from a separate file, in which case leave it out. Because the file contains the private key it must be readable only by root (or the service user); the name combined-ca-bundle.pem makes it look like a harmless bundle of public CA certificates, so choose the name and permissions with that in mind. Validate the created file via:

openssl crl2pkcs7 -nocrl -certfile combined-ca-bundle.pem | openssl pkcs7 -print_certs -noout

In the output you must see:

  • The first subject should be the CN of the server, with the issuer that signed it
  • The issuer of each certificate should be the same as the subject of the next one, and so on
  • For the last certificate, subject and issuer would be the same (the root CA), if the root is included at all; clients already have the root in their trust store, so it need not be shipped

Validate certificate chain

Ideally the certificate is signed by a CA directly or by an intermediate CA. In the chain file we should have our certificate, then the intermediate(s), and finally (optionally) the root CA.

To validate a certificate against the CA that signed it directly use:

openssl verify -CAfile <ca.pem> <cert.pem>

To validate a certificate that was signed by an intermediate, give the intermediate with -untrusted (it is not a trust anchor, only a link that must itself chain up to the CA) and the root with -CAfile:

openssl verify -CAfile <ca.pem> -untrusted <intermediate.cert.pem>  <cert.pem>

Without -untrusted the check fails with "unable to get local issuer certificate", which is exactly what a browser reports when a server forgets to send its intermediate. If the entire chain is in a single PEM file, list it using:

openssl crl2pkcs7 -nocrl -certfile <chain.pem> | openssl pkcs7 -print_certs -noout

The above should output first the server certificate details, then the intermediate (if present) and finally the root issuer certificate. Note that the listing only shows which certificates are in the file; it does not check any signature, so run openssl verify as well.

Refer:

  • https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce
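The script below is an added example and not code from the original page or the article linked above. It creates a root CA, an intermediate CA and a server certificate locally so that the checks in the two preceding sections can be run against a known-good chain: openssl verify with and without -untrusted, the crl2pkcs7 | pkcs7 listing of a combined PEM file, and the issuer-equals-next-subject rule checked on the individual certificates. The names, lifetimes, serial numbers and the host name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: a root CA, an intermediate CA and a
# server certificate are created locally, then the chain is checked the way the
# page describes (openssl verify with -untrusted, and the crl2pkcs7 | pkcs7
# listing of a combined PEM file).  Names, lifetimes and the host name are
# assumptions for the demo.
set -eu

# write_config FILE: extension sections.  Without basicConstraints CA:TRUE
# openssl refuses to accept a v3 certificate as an issuer ("invalid CA certificate").
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[intermediate_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:myserver.example.com
authorityKeyIdentifier = keyid
EOF
}

# build_chain DIR: root.crt, intermediate.crt, server.crt (with keys) and chain.pem
build_chain() {
    dir=$1; cfg=$1/chain.cnf
    mkdir -p "$dir"
    write_config "$cfg"
    for n in root intermediate server; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
    done
    # 1. self-signed root: -x509 turns the request into a certificate
    openssl req -x509 -new -key "$dir/root.key" -sha256 -days 3650 \
        -subj '/O=Example Corp/CN=Example Root CA' \
        -config "$cfg" -extensions root_ca -out "$dir/root.crt"
    # 2. intermediate: a CSR signed by the root
    openssl req -new -key "$dir/intermediate.key" -config "$cfg" \
        -subj '/O=Example Corp/CN=Example Intermediate CA' -out "$dir/intermediate.csr"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -set_serial 1 -sha256 -days 1825 -extfile "$cfg" -extensions intermediate_ca \
        -out "$dir/intermediate.crt" 2>/dev/null
    # 3. server: a CSR signed by the intermediate
    openssl req -new -key "$dir/server.key" -config "$cfg" \
        -subj '/O=Example Corp/CN=myserver.example.com' -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -set_serial 2 -sha256 -days 398 -extfile "$cfg" -extensions server \
        -out "$dir/server.crt" 2>/dev/null
    # What the server should send: its own certificate first, then the
    # intermediate.  The root is already in the clients' trust store.
    cat "$dir/server.crt" "$dir/intermediate.crt" > "$dir/chain.pem"
}

# verify_with_chain DIR: a client that trusts only the root, given the intermediate
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" >/dev/null 2>&1
}

# verify_without_intermediate DIR: the same client when the server forgets to
# send the intermediate: "unable to get local issuer certificate"
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# chain_subjects FILE: the page's listing of a combined PEM file
chain_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
chain_length() { chain_subjects "$1" | grep -c '^subject='; }

# name_of subject|issuer FILE, and links_ok DIR: each issuer must equal the
# next certificate's subject, and the root must be its own issuer
name_of() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*=//'; }
links_ok() {
    [ "$(name_of issuer "$1/server.crt")"       = "$(name_of subject "$1/intermediate.crt")" ] &&
    [ "$(name_of issuer "$1/intermediate.crt")" = "$(name_of subject "$1/root.crt")" ] &&
    [ "$(name_of issuer "$1/root.crt")"         = "$(name_of subject "$1/root.crt")" ]
}

# Usage: sh chain-demo.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    build_chain "$d"
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/intermediate.crt" "$d/server.crt"
    openssl verify -CAfile "$d/root.crt" "$d/server.crt" || echo "as expected: the root alone cannot vouch for the leaf"
    chain_subjects "$d/chain.pem"
fi
```

The negative case is the instructive one: the server certificate is perfectly valid, yet verification against the root fails until the intermediate is supplied, which is precisely the failure users see when a chain file is missing its middle link. The same build_chain output can be fed to openssl s_server to reproduce the browser-side symptom on a test port.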



How do I fix a "not trusted" certificate error?

Find out which check the client fails and fix that one:
  • Diagnose the problem first: an online checker, or openssl s_client as shown above, reports the exact verify error.
  • "unable to get local issuer certificate": install the intermediate certificate on your web server so that the full chain is sent.
  • Host name mismatch: generate a new Certificate Signing Request with the right CN and subjectAltName entries; a wildcard SSL certificate covers all hosts in one domain.
  • Clients that cannot send SNI only ever see the default certificate; a dedicated IP address per site is the classic workaround for them.
  • Mixed-content warnings: change all URLs on the page to HTTPS.
  • Expired certificate: renew your SSL certificate.

What is PEM format for a certificate?

PEM stands for Privacy Enhanced Mail. The PEM format is often used to represent certificates, certificate requests, certificate chains, and keys: the DER encoding, base64-encoded, between a -----BEGIN <type>----- and an -----END <type>----- line, so that several objects can be concatenated in one text file. The typical extension for a PEM-formatted file is .pem, although .crt, .cer and .key are common too.

What are .CRT files?

A file with the .crt extension is a certificate file, in PEM or DER encoding, that a TLS server presents to a browser or other client to prove its identity and establish a secure connection. That certificate is what lets a site protect logins, payment card transactions and other data in transit.

How do I fix "unable to get local issuer certificate"?

The verifier could not find, in its trust store or in the chain the server sent, the certificate that issued the one it was given. With a publicly trusted CA the usual cause is a missing intermediate certificate: ship the intermediate together with the server certificate. When the certificate is self-signed or issued by a private CA, the fix is to add that CA certificate (or the self-signed certificate itself) to the client's trusted certificate store; for Git, for instance, point http.sslCAInfo at a PEM bundle containing it, or append the certificate to the ca-bundle.crt file Git is configured to use.