I created my SSH key accordingly:

ssh-keygen -t rsa -C "myemail@google.com"

This will give me two files:

myKey.key.pub
myKey.key

Then to convert to pem format I run the command:

ssh-keygen -f myKey.key.pub -e -m pem > myKey.pem

The myKey.pem is the file to be provided for the backend C program.

However, I have been stuck with a similar error:

unable to load certificate
140387178489504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

So, I have followed the steps:

openssl rsa -text -in file.key -inform DER
openssl pkcs8 -in file.key -inform der

I also checked some other comments and suggestions. But the problem still continues:

error:0D0680A8:ASN1 encoding routines:ASN1CHECK_TLEN:wrong tag:tasn_dec.c:1338
error:0D07803A:ASN1 encoding routines:ASN1CHECK_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=X509_SIG

This certificate will be used with a back-end. Or is the way to get the pem file to actually create and edit it manually? If so, where does the certificate part come from?

Any suggestions as to where my mistake might be? All comments are highly welcome :)

  • SSH key != SSL certificate. What are you trying to achieve? – Jakuje Oct 29 '16 at 21:19
  • Hi @Jakuje ! I used: ssh-keygen -f myKey.key.pub -e -m pem > myKey.pem . What should then be used as certificate? Thank you very much indeed. – Anna Bjarnhéðinsdóttir Oct 29 '16 at 22:20
  • To get an SSL/TLS certificate, you use your _private_ key (and in your case and many but not all others an OpenSSH _private_ key file is compatible with OpenSSL) to generate a _Certificate Signing Request_ aka CSR and submit the CSR to a Certificate Authority aka CA to get a certificate. If you want strangers to trust your server you need to use a public CA like Verisign, GoDaddy, LetsEncrypt, etc. If only you or people who know you like friends/coworkers will connect, you can create your own ad-hoc CA with openssl, or even a self-signed cert (no CA). – dave_thompson_085 Oct 29 '16 at 23:26
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Oct 30 '16 at 03:35

1 Answer

It could happen when your key is password-protected.

You have to decrypt it:

$ openssl rsa -in protected.key -out unprotected.key

Then you have to create a new .pem file:

$ cat unprotected.key yourcert.crt > yourcert.pem

I also suggest you check your key and cert files for line endings (openssl does not like Windows ones) and BOM-mark.

Make sure that your certificate is Windows "compatible", most importantly that it doesn't have ^M at the end of each line.

If you open it, it will look like this:

-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M

To solve "this" open it with Write or Notepad++ and have it convert it to Windows "style".

cristallo
  • Hi Cristallo! Thank you so much for your comment. Please check my updated question. To create the pem file, I used: ssh-keygen -f myKey.key.pub -e -m pem > myKey.pem . Anything still missing? Thanks! – Anna Bjarnhéðinsdóttir Oct 29 '16 at 22:19
  • OpenSSL is fine with Windows line endings (CRLF) or indeed trailing whitespace of any kind in PEM. It does have a problem with BOM (often) or UTF-16 (always), but since PEM by design is only ASCII those aren't needed and most Windows programs won't add them unneeded. – dave_thompson_085 Oct 29 '16 at 23:22
  • @dave_thompson_085 . Thanks for your comment. I am on Linux. Not Windows. – Anna Bjarnhéðinsdóttir Oct 29 '16 at 23:58
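
An added example, not code from any poster on this page: a small Python triage of a PEM file that reports which BEGIN labels it holds, whether a key is passphrase-protected, and whether a BOM, UTF-16 or CRLF is present, which are the checks raised in the question, answer and comments. The function name and the sample byte strings are constructed for illustration (the base64 bodies are placeholders, not real keys).

```python
import re

# Start-line labels OpenSSL's certificate loader accepts.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?$", re.MULTILINE)

def triage_pem(data: bytes) -> dict:
    """Describe a PEM file and list reasons a certificate load would fail."""
    report = {"encoding": "ascii", "crlf": b"\r\n" in data, "labels": [],
              "encrypted_key": False, "has_certificate": False, "problems": []}
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        report["encoding"] = "utf-16"
        report["problems"].append("UTF-16 text: re-save the file as plain ASCII")
        return report
    if data.startswith(b"\xef\xbb\xbf"):
        report["encoding"] = "utf-8-bom"
        report["problems"].append("UTF-8 BOM before the first BEGIN line")
        data = data[3:]  # keep going so the labels are still reported
    labels = [m.decode("ascii") for m in BEGIN_RE.findall(data)]
    report["labels"] = labels
    report["has_certificate"] = any(l in CERT_LABELS for l in labels)
    report["encrypted_key"] = ("ENCRYPTED PRIVATE KEY" in labels
                               or b"Proc-Type: 4,ENCRYPTED" in data)
    if not labels:
        report["problems"].append("no BEGIN line: not PEM (DER or OpenSSH one-line key?)")
    elif not report["has_certificate"]:
        # This is the 'no start line ... Expecting: TRUSTED CERTIFICATE' case.
        report["problems"].append("no certificate block, only: " + ", ".join(labels))
    if report["encrypted_key"]:
        report["problems"].append("private key is passphrase-protected")
    return report

# Constructed samples. The first has the shape of `ssh-keygen -e -m pem` output.
SSH_PUBKEY_PEM = (b"-----BEGIN RSA PUBLIC KEY-----\nQUJDRA==\n"
                  b"-----END RSA PUBLIC KEY-----\n")
KEY_PLUS_CERT_CRLF = (b"-----BEGIN RSA PRIVATE KEY-----\r\nProc-Type: 4,ENCRYPTED\r\n"
                      b"\r\nQUJDRA==\r\n-----END RSA PRIVATE KEY-----\r\n"
                      b"-----BEGIN CERTIFICATE-----\r\nQUJDRA==\r\n"
                      b"-----END CERTIFICATE-----\r\n")
BOM_CERT = (b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\nQUJDRA==\n"
            b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("ssh pubkey", SSH_PUBKEY_PEM),
                       ("key+cert", KEY_PLUS_CERT_CRLF), ("bom cert", BOM_CERT)]:
        print(name, triage_pem(blob))
```

The first sample is reported as holding only an RSA PUBLIC KEY block, so a loader that expects a certificate finds no start line in it.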