43

I have 2 files - CSR.csr and newkey.key, both seem to be in PEM format as follows -

-----BEGIN CERTIFICATE REQUEST-----

MIID....

-----END CERTIFICATE REQUEST-----

-----BEGIN RSA PRIVATE KEY-----

MI...

-----END RSA PRIVATE KEY-----

When I'm trying to read the CSR.csr file, I get the following error :

$ openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE

I read that we get this error when the input file is in DER format, so I tried the following -

$ openssl x509 -inform DER -in CSR.csr -text -noout

but now I get the error -

unable to load certificate
140519053051720:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140519053051720:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509

And it seems this error occurs when the input file is already in PEM format and one tries to read it in DER format.

Really confused how to go about it as I'm new to SSL. Please help!

hkutluay
Kat.S
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Feb 08 '17 at 17:06

3 Answers

42

In my case I was trying to read my cer file and was receiving the error stated above

openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE

I had to convert it to a crt file using openssl.

openssl x509 -inform DER -in <certname>.cer -out <certname>.crt
openssl x509 -in <certname>.crt -text

Here's the doc I used. I was able to read it using openssl after that.

Norbert
  • 1
    I also had a similar situation and then *still* had a problem when some tool or another included a blank line before some of the non-content markers (like the hyphen lines). Just removing the blank lines solved that problem. – Justin Dec 09 '20 at 19:50
32

The problem is not PEM vs. DER but that you are using a certificate request in a place where a certificate is expected. This is clearly shown by the PEM header -----BEGIN CERTIFICATE REQUEST-----.

To show the content of a certificate request use

openssl req -in CSR.csr -text

To show the content of a certificate use

openssl x509 -in CERT.crt -text
aldoWan
Steffen Ullrich
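The label check from the answer above, as an added example that is not part of the original posts: a POSIX shell helper that reads the PEM BEGIN line and prints the matching openssl command. The function names are hypothetical, and a file with no PEM label that starts with byte 0x30 is assumed to be a DER certificate, as in the .cer case on this page.

```shell
#!/bin/sh
# Added example: pick the openssl subcommand from the PEM label.
# pem_label and openssl_cmd_for are hypothetical helper names.

# Print the label of the first "-----BEGIN <label>-----" line, if any.
# Leading blank lines and CRLF line endings are tolerated.
pem_label() {
    tr -d '\r' < "$1" |
        LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' |
        head -n 1
}

# Print the openssl command that matches the file's content.
# Returns 1 and prints "unknown" when the type cannot be determined.
openssl_cmd_for() {
    case "$(pem_label "$1")" in
        "CERTIFICATE REQUEST" | "NEW CERTIFICATE REQUEST")
            echo "openssl req -in $1 -text -noout" ;;
        "CERTIFICATE" | "TRUSTED CERTIFICATE" | "X509 CERTIFICATE")
            echo "openssl x509 -in $1 -text -noout" ;;
        "RSA PRIVATE KEY")
            # -check validates the key without printing key material
            echo "openssl rsa -in $1 -check -noout" ;;
        "")
            # No PEM label. DER starts with the ASN.1 SEQUENCE tag 0x30.
            # Assumption: it is a certificate (the .cer case); a DER CSR
            # would need "openssl req -inform DER" instead.
            if [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
                echo "openssl x509 -inform DER -in $1 -text -noout"
            else
                echo "unknown"; return 1
            fi ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# Usage: sh pick-openssl.sh CSR.csr
if [ "$#" -gt 0 ]; then
    openssl_cmd_for "$1"
fi
```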
0

This ERROR also happens on certificates that are not "certificate request" emitted to be signed by a CA (non-CSR certificate) but which are x509 regular certificates from Windows PKI in ".cer" format.

In this case, following "Norbert" answer is the good way to solve the problem, converting the certificate to ".crt".

After that, the file can be dumped using:

openssl x509 -in YOURCERT.crt -noout -text

or

openssl x509 -in YOURCERT.crt -text
nbanba