138

I have a .key file which is a PEM-formatted private key file. I didn't make this file; I got it from somewhere.

I wanted to see its MD5 hash with the openssl tool, using the command below.

openssl rsa -in server.key -modulus -noout

But this generates the error below.

unable to load Private Key
13440:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:648:Expecting: ANY PRIVATE KEY

Here's some asn1parse output of the .key file.

openssl asn1parse -in server.key
0:d=0  hl=4 l= 603 cons: SEQUENCE
4:d=1  hl=2 l=   1 prim: INTEGER           :00
7:d=1  hl=3 l= 129 prim: INTEGER           :C141201603899993919CBAA56985E9C7
C6A2AF713A02F5FE88D38CEFBED9304599689280B84B0AB577A9719CA20DDA1246A894AF397A2C57
EE5A582B036CC367E3667454DCD82DBDBF187C35FE39F61C71B517DDDF576F5471B4EC2E045E0F9D
619F5616C4E832F00CBD0DBF41B4BA3CBC4B4B603AE1FE61965917DA732E0DEF
139:d=1  hl=2 l=   3 prim: INTEGER           :010001
144:d=1  hl=3 l= 128 prim: INTEGER           :1687B9AE67562CEDEBDD7A531B84CDB7
093CE138519B93C34B7F626076FF0A262B16EA71904ACB6251A39307C04ADE202055BA13DD9F1539
6123EE408183361A9BC08B9413FA360EA928E48CC3F52B33ACF2980758F02BA2139F652F30A257C2
2E45D7C25835FC4D22B9ECECC12AB632318D4F47E1EBDAD9781B96BCFF03A2D1

 ...

Is there anything more I can try?

jww
tkpl
  • What is the exact header/footer of the PEM file? You can get this error if you are sending in a public key. Also, the command you listed will not give the MD5 hash. It will give the modulus of the key. – gtrig Aug 27 '13 at 21:29
  • I had used `scp` to copy the file from Windows to Ubuntu. To fix it, I deleted the file on Ubuntu, created a new empty file there, and used `vim` and then pasted in the correct contents. – Ryan Nov 03 '19 at 01:47
  • Try using the -pubin flag, perhaps you need to specify you're passing a public key, refer to this post: https://stackoverflow.com/a/76263465/9133569 – M.Ed May 16 '23 at 13:17

15 Answers

130

Open the key file in Notepad++ and verify the encoding. If it says UTF-8-BOM then change it to UTF-8. Save the file and try again.

On Linux, open the file in vim and run

:set nobomb

reference: How can I remove the BOM from a UTF-8 file?

northben
Robert L.
  • What if I'm using a Mac? – Ernest Zamelczyk Sep 20 '19 at 10:17
  • Use Visual Studio Code - you can easily change the encoding using the bottom toolbar! – Luca Ghersi Jan 21 '20 at 17:25
  • Oh my good God! THANK YOU! I would've never figured that out by trial and error, fixed the issue for me! – Mikael Dyreborg Hansen Apr 15 '20 at 12:48
  • This was it for me. Thanks! – Freeman Helmuth Jun 11 '20 at 13:43
  • GoDaddy produces private keys "generated-private-key.txt" prefixed with a BOM, which causes this problem. At least on a Mac, dumping the key text with cat did not display the BOM but looking at it with less did. I used BBEdit to remove the BOM, but any that can change the format or chop off the first four bytes will work. – Seth Noble Aug 27 '20 at 15:04
  • Thanks so much. This answered the question. Thanks to @SethNoble for the GoDaddy comment that I'm sure helped my keyword search results. I'm using WSL on Win10 and using *cat* I could see the square symbol telling me something was there. Using vi to try to edit and retype the first character didn't help, but using Notepad++ to select UTF-8 did fix it. I'm sure there's something I can do in vi to do this natively in WSL. – Joshua K Feb 28 '21 at 23:53
  • worked!! u r the BOM! – sarora May 07 '23 at 17:18
  • Yup. GoDaddy led me here. Thanks all. – Justin Fortier Jun 29 '23 at 21:13
77

I changed the header and footer of the PEM file to

-----BEGIN RSA PRIVATE KEY-----

and

-----END RSA PRIVATE KEY-----

Finally, it works!

cbuchart
tkpl
  • You can also add `-inform pem` to the command to get the same result. E.g. `openssl rsa -in server.key -modulus -noout -inform pem`. – Simon Woodside Dec 22 '18 at 04:13
  • Check https://stackoverflow.com/questions/54994641/openssh-private-key-to-rsa-private-key if it solves your problem – qstack Jan 18 '20 at 00:41
  • Something is already working correctly with the "bad" format (i.e. unchanged headers), so, this is a makeshift solution, bound to break something that was already working fine, like, a reverse proxy that is not crashing for the lack of those manually-edited headers and footers. Yipes! – alejandrob Jan 30 '20 at 02:26
  • The solution above worked well – nisamudeen97 May 11 '21 at 16:41
  • I was generating my keys in code and putting the -----BEGIN ENCRYPTED PRIVATE KEY----- header in them, which gave me the unable to read error with openssl. Changing it as you suggested to RSA PRIVATE KEY fixed it for me. – Eurospoofer Nov 23 '21 at 20:45
54

Your .key file contains illegal characters. You can check .key file like this:

# file server.key

The output "server.key: UTF-8 Unicode (with BOM) text" means it is plain text, not a key file. The correct output should be "server.key: PEM RSA private key".

Use the command below to remove the illegal characters:

# tail -c +4 server.key > new_server.key

The new_server.key should be correct.

For more detail, you can click here

Zoe
fsarter
11

Create CA certificate

openssl genrsa -out privateKey.pem 4096
openssl req -new -x509 -nodes -days 3600 -key privateKey.pem -out caKey.pem
ephemerr
Pravind Kumar
7
> I have a .key file which is PEM formatted private key file.
> ...
> Here's some asn1parse of the .key file...

That it appears OK with asn1parse leads me to believe it's not PEM encoded.

> Is there anything more I can try?

Because it appears to be ASN.1, try:

$ openssl rsa -in server.key -inform DER -modulus -noout

Notice the -inform DER to switch between encodings.

jww
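A small checker for the failure modes collected on this page: a BOM or leading whitespace in front of the header (the Notepad++ and `tail -c +4` answers above), a public-key header (gtrig's comment), and a raw DER file (this answer). This is an added example, not code from the question or any answer; the sample bytes are a constructed stand-in, not a real key, and the set of accepted PEM labels is an assumption.

```python
"""Check a key file for the causes of 'no start line' discussed on this page."""
import base64
import re

UTF8_BOM = b"\xef\xbb\xbf"
# PEM labels OpenSSL's "ANY PRIVATE KEY" loader accepts (assumption: the common ones)
PRIVATE_LABELS = {b"RSA PRIVATE KEY", b"PRIVATE KEY", b"ENCRYPTED PRIVATE KEY",
                  b"EC PRIVATE KEY", b"DSA PRIVATE KEY"}
HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def diagnose(data: bytes) -> str:
    """Classify the raw bytes of a key file; returns a short finding code."""
    if data[:1] == b"\x30":
        return "der"  # 0x30 = ASN.1 SEQUENCE tag: binary DER, try -inform DER
    # PEM_read_bio only recognises a header that starts a line, so a BOM,
    # spaces or any other junk in front of '-----BEGIN' hides it.
    for line in data.splitlines():
        m = HEADER.match(line)
        if m:
            label = m.group(1)
            if label in PRIVATE_LABELS:
                return "ok"
            if label.endswith(b"PUBLIC KEY"):
                return "public-key"  # wrong key: pass the private key (or use -pubin)
            return "unknown-label"
    if HEADER.search(data):
        return "header-not-at-line-start"  # BOM / leading whitespace before the header
    return "no-header"  # no PEM block at all (empty file, RTF, wrong file)


def clean_pem(data: bytes) -> bytes:
    """Drop a UTF-8 BOM (what `tail -c +4` does), stray whitespace and CRLF endings."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    lines = [ln.strip() for ln in data.splitlines()]
    return b"\n".join(ln for ln in lines if ln) + b"\n"


# Constructed sample input: a minimal ASN.1 SEQUENCE standing in for a key (not a real key)
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # A BOM plus CRLF line endings, the shape of the GoDaddy/Windows files in the answers
    broken = UTF8_BOM + SAMPLE_PEM.replace(b"\n", b"\r\n")
    print("before:", diagnose(broken))            # header-not-at-line-start
    print("after: ", diagnose(clean_pem(broken)))  # ok
```

Run `clean_pem` only on text files: applying it to a DER file would corrupt the binary, which is why `diagnose` reports "der" separately.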
7

Resolution on my side: change the encoding to UTF-8 without BOM.

Kosmo Para
4

Remove any whitespace at the start of the .key file.

johnnycardy
3

I'm on Windows 10 and I saved my key with Windows-1252 encoding and it worked for me. On another Stack Overflow question some people were fixing this with UTF-8 with BOM.

In other words, it may be the file encoding.

Zoe
Rafael Z. B. Bravo
2

If your certificate is from GoDaddy you just need to change the encoding from UTF-8 (BOM) to UTF-8 and rename the file as private.key.

Zoe
1

Maybe the private key itself is not present in the file. I also faced the same issue, and the problem was that there was no private key present in the file.

Dhruvil Shah
1

In our case what caused the issue is that the private key we were trying to use was encrypted with a passphrase.

We had to decrypt the private key using ssh-keygen -p before we could use the private key with the openssl command line tool.

Paul Dejean
1

I received RTF files for the private and public keys for an SSL certificate from HTTPCS. The way which works for me to make a .pfx with a password is: convert the RTF private key file (privateKey.rtf) to plain text format (with a free online converter): privateKey.txt (don't copy/paste the text from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- into a new text file, it doesn't work). Open the converted plain text file in Notepad++, change the encoding to UTF-8 instead of UTF-8 BOM, and change the extension to .key. Save it. Run the OpenSSL console in the certificate folder:

pkcs12 -export -out C:\Users\user\Documents\CertFolder\Cert.pfx -inkey C:\Users\user\Documents\CertFolder\privateKey.key -in C:\Users\user\Documents\CertFolder\certificate.crt

openssl will ask for a password; create your own password for your certificate, and then you have your .pfx to be used in IIS settings, SoapUI, MMC, ... Good luck

sezanzeb
0

This could happen if you are trying to use your public key to create a certificate instead of your private key. You should use the private key.

Zoe
aris
-1

Had the same issue today, and noticed that this occurs when the owner/group of the file is not the one running the app that reads the key. Maybe this is your issue too.

-2

None of the other answers seemed correct in my case, however I found the real answer here

My id_rsa file was already in PEM format, I just needed to add the .pem extension to the filename.

Thanks to

The possible options to the openssl rsa -inform parameter are one of: PEM DER

A PEM encoded file is a plain-text encoding that looks something like:

-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----

While DER is a binary encoding format.

gregn3