openssl is the standard open-source command-line tool for manipulating SSL/TLS certificates and keys on Linux, macOS, and other UNIX-like systems. I recently ran into an interesting problem using openssl to convert a private key obtained from GoDaddy. Someone else used GoDaddy’s “wizard” interface to generate a certificate signing request (CSR) and private key, and saved the files on their Windows workstation. They purchased an SSL cert from GoDaddy, and shared all the files with me for installation on servers. GoDaddy saved the private key in the newer PKCS #8 format (pkcs8), and one system required the key in the older PKCS #1 (pkcs1) format. It’s easy to tell the difference from the first line of the file.
PKCS #1 files start with:
-----BEGIN RSA PRIVATE KEY-----
PKCS #8 files start with one of these lines (and end with the matching -----END ... ----- line):
-----BEGIN PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
I found that openssl couldn’t even read the private key:
$ openssl rsa -in generated-private-key.txt
unable to load Private Key
4605261420:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/pem/pem_lib.c:683:Expecting: ANY PRIVATE KEY
The error was surprising, because the key file looked perfect. I wasted quite a bit of time trying to find a mistake in my openssl command. Fortunately, I found the solution in a comment on a StackOverflow article. I don’t know whether the culprit is GoDaddy’s key generation or the way the key was saved on a Windows system (perhaps with Notepad), but the key ended up encoded in UTF-8 with a Byte Order Mark (BOM) included: the three bytes EF BB BF sit in front of the first dash of -----BEGIN PRIVATE KEY-----. That is exactly why openssl reports “no start line”: the PEM reader scans for a line that begins with -----BEGIN, and with the BOM in front of it no line qualifies, so as far as openssl is concerned the file contains no key at all. The fix is to strip the BOM. iconv can do that by converting the file from UTF-8 to ASCII; with -c it silently drops every byte that has no ASCII equivalent, which in a well-formed PEM file is only the BOM (if the file has been mangled in some other way, -c hides that too, so look at the first few bytes with xxd or od rather than trusting the conversion blindly). Then convert from pkcs8 to pkcs1:
$ iconv -c -f UTF8 -t ASCII generated-private-key.txt > key.pk8
$ openssl rsa -in key.pk8 -out key.pem
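The following is an added example and is not part of the original post or of GoDaddy's or OpenSSL's tooling: a small POSIX shell script that does the BOM check described above, strips the three BOM bytes without needing iconv (and drops Windows CR line endings, which openssl tolerates but which are noise), classifies the key container from its first header line, and wraps the openssl rsa conversion. The sample file it builds is constructed placeholder text with a PKCS #8 header, a UTF-8 BOM and CRLF line endings, not a real key; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: detect a UTF-8 BOM on a PEM file,
# strip it, classify the key container (PKCS #1 vs PKCS #8), then convert with
# openssl. Plain POSIX sh, no GNU-only options.
set -eu

# Return 0 if the file begins with the UTF-8 BOM bytes EF BB BF.
has_utf8_bom() {
  [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Copy $1 to $2 with a leading UTF-8 BOM removed and CRLF normalized to LF.
# PEM header lines and base64 never contain CR, so dropping CR is lossless.
strip_bom() {
  if has_utf8_bom "$1"; then
    tail -c +4 "$1" | tr -d '\r' > "$2"
  else
    tr -d '\r' < "$1" > "$2"
  fi
}

# Print pkcs1, pkcs8, pkcs8-encrypted or unknown based on the first PEM header
# line, looking past a BOM so the answer is right for the file as received.
pem_kind() {
  tmp=$(mktemp)
  strip_bom "$1" "$tmp"
  first=$(head -n 1 "$tmp")
  rm -f "$tmp"
  case "$first" in
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    *)                                       echo unknown ;;
  esac
}

# Strip the BOM, then run the post's conversion. OpenSSL 3.x writes PKCS #8
# from "openssl rsa -out" by default, so -traditional is added there to get
# PKCS #1; LibreSSL and OpenSSL 1.x already write PKCS #1. mktemp creates the
# scratch copy of the key mode 0600, and it is removed even if openssl fails.
convert_pkcs8_to_pkcs1() {
  clean=$(mktemp)
  strip_bom "$1" "$clean"
  flag=""
  case "$(openssl version)" in OpenSSL\ 3*) flag="-traditional" ;; esac
  # $flag is deliberately unquoted: it is either empty or a single option.
  if openssl rsa -in "$clean" -out "$2" $flag; then
    rm -f "$clean"
  else
    rm -f "$clean"; return 1
  fi
}

# Constructed sample: a PKCS #8 header preceded by a UTF-8 BOM, with CRLF line
# endings as Windows Notepad would save it. The body is placeholder text, NOT a
# real key, so openssl is not run on it here.
SAMPLE=$(mktemp)
printf '\357\273\277-----BEGIN PRIVATE KEY-----\r\nMIIE...placeholder...\r\n-----END PRIVATE KEY-----\r\n' > "$SAMPLE"

has_utf8_bom "$SAMPLE" && echo "BOM present: yes"
echo "container: $(pem_kind "$SAMPLE")"
CLEAN=$(mktemp)
strip_bom "$SAMPLE" "$CLEAN"
has_utf8_bom "$CLEAN" || echo "BOM present after strip_bom: no"
# On the real GoDaddy file:  convert_pkcs8_to_pkcs1 generated-private-key.txt key.pem
```

The -traditional handling is the one thing to watch when reusing the post's command today: on OpenSSL 3.x, openssl rsa -in key.pk8 -out key.pem writes the key back out as PKCS #8 (-----BEGIN PRIVATE KEY-----), so a system that insists on PKCS #1 would still reject it, whereas LibreSSL and OpenSSL 1.x write PKCS #1 by default, which is why the command worked unchanged for the author.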
This worked for me. Thanks a lot!
I solved my problem with this guide. Thank you so much.
Massive thank you for sharing this, been bumping my head against this problem all day!
This saved my bacon after spending half a day swearing at OpenSSL and Apple for the amount of crap I had to install to do it all; anyway, I was getting nowhere. This is exactly what I needed. I left it at the pk8 stage and that worked fine in creating the PFX file.
Thanks.
Stephanie, to help others find this post, can you tell us what application required the PFX file? How was Apple involved?
Hello. Do I need to change the format of the public key to ASCII too? And if yes, is it the same process as for the private key?
Thanks
Jan
Thanks
Thank you, Sir! Converted the key file from UTF-8 to ASCII encoding in Notepad++, and was able to use the OpenSSL commands. Much appreciated.
Not sure why the certificate issuer has such a practice but anyway, thank you very much!
Just wanted to add here that I had this problem too. I used a variation of this solution to fix it.
I have Notepad++ and it has the ability to reparse files and save as UTF-8 without the BOM. It turns out this was all I needed to do to get the GoDaddy key file to work during the conversion from PEM to PFX.
1. Open file in Notepad++
2. Change the encoding from UTF-8 BOM to UTF-8
3. Save the file
4. Import the file into openssl with options for exporting as PFX file
5. Import the PFX into windows application (IIS, Exchange, ADFS, etc.)
Alternately, on step 2, you could use ASCII encoding as well.
Thanks a lot, saved my day.