
help needed! error trying to verify a certificate


Mitchel, Jennifer (Jem)

Nov 14, 2002, 4:18:21 AM
Hi all,

I am running OpenSSL 0.9.6g
I have generated my key pair. I have generated my certificate signing request, sent it to my CA and gotten my certificate back... I named it server.crt

I am trying to use ssl to verify the certificate. I have the key pair, csr & server.crt all in <install>/bin so no other path is needed to the files.

I am typing the command: ./openssl x509 -noout -text -in server.crt

and I am getting the error:

unable to load certificate
19713:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:663:Expecting: TRUSTED CERTIFICATE

Can someone tell me what it is I'm missing. I keep reading through documentation seeing things about thumbprints, and symbolic links called hash.0 using x509 to get your hash.... but I really am lost and don't know where to go to proceed.

I really appreciate any guidance.... after all, I don't just want this to work... I want to know why so I could do it again if ever needed & know why I'm doing each step.

Thanks,
Jem
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Richard Levitte - VMS Whacker

Nov 14, 2002, 4:28:18 AM
In message <B2FB6044E0DF474E8CE4...@il0015exch006u.ih.lucent.com> on Wed, 13 Nov 2002 16:10:07 -0600, "Mitchel, Jennifer (Jem)" <mitc...@lucent.com> said:

mitchelj> I am typing the command: ./openssl x509 -noout -text -in server.crt
mitchelj>
mitchelj> and I am getting the error:
mitchelj>
mitchelj> unable to load certificate
mitchelj> 19713:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:663:Expecting: TRUSTED CERTIFICATE

OpenSSL expects PEM (ASCII) format by default. server.crt is probably
in raw DER form, so you need to use the following command:

./openssl x509 -noout -text -in server.crt -inform d

--
Richard Levitte \ Spannvägen 38, II \ LeV...@stacken.kth.se
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- po...@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

Mitchel, Jennifer (Jem)

Nov 14, 2002, 8:22:32 AM

Yes, that was it. I was literally mailed ASCII text that had to be saved to the server.crt file so I thought it was in PEM format, but apparently it's not. I successfully verified my certificate which was all I needed to do. Thanks!

Charles B Cranston

Nov 14, 2002, 10:44:54 AM
"Mitchel, Jennifer (Jem)" wrote:
> I have generated my key pair. I have generated my certificate
> signing request sent it to my CA and gotten my certificate back...
> I named it server.crt
> I am trying to use ssl to verify the certificate. I have the key pair,
> csr & server.crt all in <install>/bin so no other path is needed to the files.
> I am typing the command: ./openssl x509 -noout -text -in server.crt
> and I am getting the error:
> unable to load certificate

> 19713:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:663:Expecting: TRUSTED CERTIFICATE
> Can someone tell me what it is I'm missing.

It might not be this simple, but could you check to see that the
certificate file is readable and has the appropriate "start line"
(which is what the code is complaining about)? A certificate in
PEM format looks like this:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

If the certificate is a jumble of binary data try adding -inform der
in case the cert is in der format:

./openssl x509 -noout -text -inform der -in server.crt

It is easy to translate between the two formats using much the
same command:

der to pem:
./openssl x509 -inform der -outform pem -in infile -out outfile

pem to der:
./openssl x509 -inform pem -outform der -in infile -out outfile

(actually pem is the default for inform and outform)

This might be important later when you try to use the certificate,
as the server software may demand a different form than you have...

--

Charles B. (Ben) Cranston
mailto:zb...@umd.edu
http://www.wam.umd.edu/~zben
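
The check the replies above describe (look for the PEM start line, otherwise treat the file as DER) can be scripted so the right -inform is chosen before openssl is called. This is an added example, not part of the thread; the function names cert_inform and show_cert are made up for it, and the DER test is a heuristic on the first two bytes.

```sh
#!/bin/sh
# Added example: choose -inform for `openssl x509` by inspecting the file.

# Print "pem", "der", "unknown" or "unreadable" for certificate file $1.
cert_inform() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }

    # PEM: ASCII text with a "start line". The x509 reader accepts these
    # three labels; without one it reports "no start line".
    if grep -Eq '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' "$f"; then
        echo pem
        return 0
    fi

    # DER: binary ASN.1. A certificate is a SEQUENCE (0x30) that is always
    # longer than 127 bytes, so the second byte is a long-form length
    # (0x81..0x84). Heuristic: "looks like DER", not "is a valid cert".
    head2=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    case $head2 in
        308[1-4]) echo der; return 0 ;;
    esac

    # Anything else, e.g. base64 pasted from mail without BEGIN/END lines.
    echo unknown
    return 1
}

# Dump the certificate as text using the detected format.
show_cert() {
    fmt=$(cert_inform "$1") || { echo "$1: $fmt, not PEM or DER" >&2; return 1; }
    openssl x509 -noout -text -inform "$fmt" -in "$1"
}

# Usage (after sourcing this file):  show_cert server.crt
```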
