Unable to load certificates when trying to generate pfx file


I have been struggling for the last three hours trying to create an .pfx file using OpenSSL. I have been following this document and have been following the instructions under the Get a certificate using OpenSSL header.

I am at the step here: openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt and am using the OpenSSL.exe console.

I get the error: unable to load certificates

I have also tried this: x509 -text -in myserver.key and received the error: 0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE I also get that error if I try myserver.crt.

I seem to get it no matter what I do.

Can someone please help?


Answers:


I get the error: unable to load certificates

myserver.crt needs to be in PEM format. Does it have ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----?


myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.

You send all the intermediate certificates to solve the "which directory" problem. The "which directory" is a well know problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.

I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem.

With the www-example-com.crt, my server certificate looks like:

$ cat www-example-com.crt

-----BEGIN CERTIFICATE-----
< My Server Certificate >
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
< Startcom Intermediate >
-----END CERTIFICATE-----

For completeness, the private key (for example, www-example-com.key) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):

openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12

When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):

openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem

The command should complete with "Verify OK":

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 37E5AF0EE1745AB2...
    Session-ID-ctx:
    Master-Key: 7B9F8A79D3CC3A41...
    Key-Arg   : None
    Start Time: 1243051912
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I have also tried this: x509 -text -in myserver.key and received the error...

x509 is for certificates. If you want to dump a key, use OpenSSL's pkey command. See the docs on OpenSSL's pkey(1) command.