OpenSSL Convert PEM to PFX using RSA PRIVATE Key
I am attempting to use OpenSSL to convert a PEM file and RSA private key to a PFX file. Here is the example command I attempted to use:
openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem
In doing so, I receive the following error message:
unable to load private key
9068:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
The cert file looks like this:
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
and the Private Key looks like this:
-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----
I did some digging on the error but I have not found a solution yet.
EDIT
After some additional research, it appears to be a problem with different OpenSSL versions.
If I run it on my OSX system which is running 0.9.8zh 14 Jan 2016, these statements work fine.
However, if I run it on a Windows Machine with version OpenSSL 1.0.1p 9 Jul 2015 and OpenSSL 1.1.0g 2 Nov 2017, I get the above errors.
I was also stuck on the same thing, and as @thxmike said, my case was also similar.
The OpenSSL command did not work as expected for this:
openssl pkcs12 -export -in c.cer -inkey c.key -out d.pfx
So I ended up using Certutil on Windows, as we wanted to add it to Azure.
Note:
1. Make sure to change .crt to .cer.
2. Make sure to put the .cer and .key files into the same folder and with the same name (c.cer and c.key).
Then run:
certutil -MergePFX c.cer c.pfx
You should get your combined pfx file.
Cheers!
After some thorough digging, I found that it was the PowerShell scripts that generate the key and cert files.
Using Notepad++ on Windows and Tex-Edit Plus on OSX to identify hidden characters, I found that the files had extra [cr] at the end.
The commands
openssl rsa -in <private key file> -noout -text
openssl x509 -in <cert file> -noout -text
are good checks for the validity of the files.
Since my source was base64 encoded strings, I ended up using the certutil command on Windows, i.e.
certutil -f -decode cert.enc cert.pem
certutil -f -decode key.enc cert.key
on Windows to generate the files. Once the files were correct, the OpenSSL command above worked as expected.
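
A small checker for the hidden-character problem described in the last answer, as an added example that is not part of the original posts. The function names and the sample key bytes are constructed for illustration, and it assumes a single unencrypted PEM block per file.

```python
import base64
import binascii
import re

BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
END = re.compile(rb"-----END ([A-Z0-9 ]+)-----")

def normalize_pem(data: bytes) -> bytes:
    """Strip a UTF-8 BOM, turn every CR/CRLF run into LF, drop trailing blanks."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    lines = re.split(rb"[\r\n]+", data)
    lines = [ln.rstrip(b" \t") for ln in lines if ln.strip()]
    return b"\n".join(lines) + b"\n"

def diagnose_pem(data: bytes) -> list:
    """Return findings about bytes that a text editor normally hides."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the BEGIN line")
    if b"\x00" in data:
        findings.append("NUL bytes: file is probably UTF-16, not ASCII")
    stray = len(re.findall(rb"\r(?!\n)", data))
    if stray:
        findings.append(f"{stray} CR byte(s) not followed by LF")
    if re.search(rb"[ \t]+\r?\n", data):
        findings.append("trailing spaces or tabs on a line")
    lines = normalize_pem(data).splitlines()
    first = BEGIN.fullmatch(lines[0]) if lines else None
    last = END.fullmatch(lines[-1]) if lines else None
    if not first or not last or first.group(1) != last.group(1):
        findings.append("BEGIN/END lines missing or labels differ")
    else:
        try:  # encrypted legacy keys with Proc-Type headers are out of scope
            base64.b64decode(b"".join(lines[1:-1]), validate=True)
        except binascii.Error:
            findings.append("body is not valid base64")
    return findings

# Constructed sample: 48 dummy bytes, not a real key.
BODY = base64.encodebytes(bytes(range(48))).strip()
CLEAN = b"-----BEGIN RSA PRIVATE KEY-----\n" + BODY + b"\n-----END RSA PRIVATE KEY-----\n"
DIRTY = b"\xef\xbb\xbf" + CLEAN.replace(b"\n", b"\r\n") + b"\r"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("dirty", DIRTY)):
        print(name, diagnose_pem(blob) or "no hidden characters found")
    print("after normalize:", diagnose_pem(normalize_pem(DIRTY)) or "clean")
```

To check a real file, pass `open(path, "rb").read()` to `diagnose_pem`; the file must be opened in binary mode, otherwise Python's newline translation hides the CR bytes.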