Can't get private key with openssl (no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY)

问题:

I have a .key file, when I do

openssl rsa -text -in file.key

I get

unable to load Private Key 140000419358368:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY 

---

Also I have a .cer file and when I do

openssl x509 -text -in file.cer

I get

unable to load certificate 140387178489504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE 

---

But if as pointed here I run the command like:

openssl x509 -text -inform DER -in file.cer

I get

Certificate:     Data:         Version: 3 (0x2)         Some more information         ... -----BEGIN CERTIFICATE----- MIIEdDCCA1ygAwIBAgIUMjAwMDEwMDAwMDAxMDAwMDU4NjcwDQYJKoZIhvcNAQEF ... -----END CERTIFICATE----- 

But that doesn't seem to work with the key, because when I run

openssl rsa -text -inform DER -in aaa010101aaa__csd_10.key

I get

unable to load Private Key 140004844304032:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337: 140004844304032:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:849: 140004844304032:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=version, Type=RSA 140004844304032:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115: 140004844304032:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337: 140004844304032:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:849: 140004844304032:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=version, Type=PKCS8_PRIV_KEY_INFO 

How can I get the private key and its certificate?

回答1:

It looks like you have a certificate in DER format instead of PEM. This is why it works correctly when you provide the -inform PEM command line argument (which tells openssl what input format to expect).

It's likely that your private key is using the same encoding. It looks as if the openssl rsa command also accepts a -inform argument, so try:

openssl rsa -text -in file.key -inform DER 

A PEM encoded file is a plain-text encoding that looks something like:

-----BEGIN RSA PRIVATE KEY----- MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw 8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe -----END RSA PRIVATE KEY----- 

While DER is a binary encoding format.

Update

Sometimes keys are distributed in PKCS#8 format (which can be either PEM or DER encoded). Try this and see what you get:

openssl pkcs8 -in file.key -inform der 

回答2:

My two cents: came across the same error message in RHEL7.3 while running the openssl command with root CA certificate. The reason being, while downloading the certificate from AD server, Encoding was selected as DER instead of Base64. Once the proper version of encoding was selected for the new certificate download, error was resolved

Hope this helps for new users :-)

文章来源: Can't get private key with openssl (no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY)