-1

Trying to convert a .pem file to a .der file using the command below.

    openssl x509 -in public_key.pem -out cert.der -outform DER

Getting the error below:

    unable to load certificate
    31833:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSS
    L098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFIC
    ATE

I have generated RSA private/public keys using the commands below.

    openssl genrsa -out private_key.pem 2048
    openssl rsa -pubout -in private_key.pem -out public_key.pem
jww
dReAmEr
  • You have generated an RSA key pair, not a certificate. Each certificate contains a public key, and you can create a certificate using an RSA key... – Robert Oct 14 '16 at 15:01
  • @Robert Can you please guide me on how to do this? – dReAmEr Oct 14 '16 at 15:13
  • You probably need a certificate, as per the answer and dupe. But if you actually want a file with ONLY the public key, which in practice is usable only with OpenSSL and some Java programs (those handling the key explicitly using `X509EncodedKeySpec`), do `openssl {rsa,pkey} -pubin -in public.pem -out public.der -outform der` or just do `openssl {rsa,pkey} -in private.pem -pubout -out public.der -outform der` in the first place. – dave_thompson_085 Oct 14 '16 at 22:26

1 Answer

0

You are creating an RSA key pair. And you are trying to convert the public key into DER format.

The `openssl x509` command requires the public key inside the X.509 container.

Try these commands to create the private key and public cert.

  1. Create a self-signed CA cert:

    openssl genrsa -out CAkey.pem 2048

    openssl req -new -x509 -key CAkey.pem -out cacert.pem -days 1095

  2. Now create another cert which is signed by the CA created above

    openssl genrsa -out serverkey.pem 2048

    openssl req -new -key serverkey.pem -out server.csr

    openssl x509 -req -days 1000 -in server.csr -CA cacert.pem -CAkey CAkey.pem -out server.pem -set_serial 01

Later convert the public cert in PEM to DER format.

    openssl x509 -in server.pem -out server.der -outform DER
Prabhu
  • The certificate likely will *not* be well formed if the only thing you are doing is shown above. – jww Oct 14 '16 at 21:09
  • @jww, I have edited the answer adding more relevance. I would like to understand your comment. Can you please elaborate on why the certificate may not be well formed? – Prabhu Oct 15 '16 at 02:32
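
The distinction drawn in the answer and comments above, as an added example that is not part of any post on this page: `openssl x509` only accepts a PEM block labelled as a certificate, so the sketch below reads the PEM label first and picks the matching subcommand. The function names `pem_label`, `pem_to_der` and `demo` are hypothetical, and refusing private-key input is a choice made for this example.

```shell
#!/bin/sh
# Added example (not from the original posts): choose the OpenSSL subcommand
# that matches what a PEM file actually contains before converting to DER.

# Print the label of the first PEM block, e.g. "PUBLIC KEY" or "CERTIFICATE".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# pem_to_der IN OUT: convert IN to DER, dispatching on its PEM label.
pem_to_der() {
    case "$(pem_label "$1")" in
        "CERTIFICATE"|"TRUSTED CERTIFICATE")
            # Only certificate labels are accepted by `openssl x509`.
            openssl x509 -in "$1" -outform DER -out "$2" ;;
        "PUBLIC KEY")
            # Bare public key, as written by `openssl rsa -pubout`.
            openssl rsa -pubin -in "$1" -outform DER -out "$2" ;;
        *"PRIVATE KEY")
            # Choice made for this example: never export private key material.
            echo "refusing: $1 holds a private key" >&2; return 2 ;;
        *)
            echo "no recognised PEM block in $1" >&2; return 1 ;;
    esac
}

# Reproduce the question's key pair in a scratch directory and convert it.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null &&
    openssl rsa -pubout -in "$dir/private_key.pem" \
        -out "$dir/public_key.pem" 2>/dev/null &&
    pem_to_der "$dir/public_key.pem" "$dir/public_key.der" &&
    echo "wrote $dir/public_key.der ($(pem_label "$dir/public_key.pem"))"
}

# Usage: sh pem2der.sh IN.pem OUT.der   or   sh pem2der.sh demo
if [ "$#" -eq 2 ]; then pem_to_der "$1" "$2"
elif [ "$1" = demo ]; then demo; fi
```

Run against the question's `public_key.pem`, this takes the `PUBLIC KEY` branch instead of failing with "no start line"; a file produced by the answer's `openssl req -new -x509` step takes the `CERTIFICATE` branch.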