I have been struggling for the last three hours trying to create an . pfx file using OpenSSL . I have been following this document and have been following the instructions under the Get a certificate using OpenSSL header. I am at the step here: openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt and am using the OpenSSL.exe console. I get the error: unable to load certificates I have also tried this: x509 -text -in myserver.key and received the error: 0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE I also get that error if I try myserver.crt. I seem to get it no matter what I do. Can someone please help?
asked Mar 25, 2014 at 21:22 4,542 10 10 gold badges 49 49 silver badges 72 72 bronze badgesThanks. I wish someone had told my boss at the time that it wasn't a programming or development topic and then I wouldn't have had all that pain ;)
Commented May 16, 2017 at 16:29I get the error: unable to load certificates
myserver.crt needs to be in PEM format. Does it have ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE ----- ?
myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.
You send all the intermediate certificates to solve the "which directory" problem. The "which directory" is a well know problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.
I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem .
With the www-example-com.crt , my server certificate looks like:
$ cat www-example-com.crt -----BEGIN CERTIFICATE----- < My Server Certificate >-----END CERTIFICATE----- -----BEGIN CERTIFICATE----- < Startcom Intermediate >-----END CERTIFICATE-----
For completeness, the private key (for example, www-example-com.key ) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- .
With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):
openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12
When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):
openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem
The command should complete with "Verify OK":
SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 37E5AF0EE1745AB2. Session-ID-ctx: Master-Key: 7B9F8A79D3CC3A41. Key-Arg : None Start Time: 1243051912 Timeout : 300 (sec) Verify return code: 0 (ok)
I have also tried this: x509 -text -in myserver.key and received the error.
x509 is for certificates. If you want to dump a key, use OpenSSL's pkey command. See the docs on OpenSSL's pkey(1) command.