OpenSSL Convert PEM to PFX using RSA PRIVATE Key

rsa openssl ppk

I am attempting to use OpenSSL to Convert a PEM File and RSA Private Key to a PFX file. Here is the example command I attempted to use:

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

In doing so, I receive the following error message:

unable to load private key
9068:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

The cert file looks like this:

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

and the Private Key looks like this:

-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----

I did some digging on the error but I have not found a solution yet.

EDIT

After some additional research it appears to be a problem with different openssl versions.

If I run it on my OSX system which is running 0.9.8zh 14 Jan 2016, these statements work fine.

However, if I run it on a Windows Machine with version OpenSSL 1.0.1p 9 Jul 2015 and OpenSSL 1.1.0g 2 Nov 2017, I get the above errors.


I was also stuck on same. And as @thxmike said. My case was also similar.

OpenSSL command did not worked as expected for this.
openssl pkcs12 -export -in c.cer -inkey c.key -out d.pfx

So I ended up using Certutil on Windows. As we wanted to add it to Azure.

Note:-
1. Make sure to change .crt to .cer.
2. Make sure to put the .cer and .key files into the same folder and with same name - (c.cer and c.key)

Then run:
certutil -MergePFX c.cer c.pfx

You should get your combined pfx file.
Cheers!


After some throughout digging, I found that it was the Powershell scripts that generates the key and cert files.

Using Notepad++ on Windows and Tex-Edit Plus on OSX to identify hidden characters, I found that the files had extra [cr] at the end.

Using the command

openssl rsa -in <private key file> -noout -text
openssl x509 -in <cert file> -noout -text

Are good checks for the validity of the files

Since my source was base64 encoded strings, I ended up using the certutil command on Windows(i.e.)

certutil -f -decode cert.enc cert.pem
certutil -f -decode key.enc cert.key

on windows to generate the files. Once the files were correct, the OpenSSL command above worked as expected.

Related

Method of laptop conditional power management in Windows 11
Synology NAS - add new drive and change RAID type
Even smaller Windows 11 desktop icons
Podcast aggregator downloading old podcasts
Linux Bitlocker equivalent
How much DRAM S0-DIMM DDR4 slot can support?
Autohotkey: I can't get the path of the active file
What is ~/.local folder in Mac OS used for?
USB Keyboard works with dock or switching hub, but not with both
FFmpeg command line options
Communicating with Pure Data in C
Remove a property in an object immutably