openssl unable to read/load/import SSL private key from GoDaddy

openssl is the standard open-source, command-line tool for manipulating SSL/TLS certificates on Linux, macOS, and other UNIX-like systems. I recently ran into an interesting problem using openssl to convert a private key obtained from GoDaddy. Someone else used GoDaddy’s “wizard” interface to generate a certificate signing request (CSR) and private key, and saved the files on their Windows workstation. They purchased an SSL cert from GoDaddy, and shared all the files with me for installation on servers. GoDaddy saved the private key in the newer PKCS #8 format (pkcs8), and one system required the key in the older PKCS #1 (pkcs1) format. It’s easy to tell the difference.

PKCS #1 files start with:

-----BEGIN RSA PRIVATE KEY-----

PKCS #8 files start with ONE OF these lines:

-----BEGIN PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY----- 

I found that openssl couldn’t even read the private key:

$ openssl rsa -in generated-private-key.txt
unable to load Private Key
4605261420:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/pem/pem_lib.c:683:Expecting: ANY PRIVATE KEY

The error was surprising, because the key file looked perfect. I wasted quite a bit of time trying to find a mistake in my openssl command. Fortunately, I found the solution in a comment on a Stack Overflow article. I don’t know if the culprit is GoDaddy’s key generation, or the way that the key was saved on a Windows system (perhaps with Notepad), but the key ended up being encoded in UTF-8, with a Byte Order Mark (BOM) included. openssl couldn’t read the key because it was unable to parse the BOM. The solution was to use iconv to convert the key file from UTF-8 to ASCII, and then convert from pkcs8 to pkcs1:

$ iconv -c -f UTF8 -t ASCII generated-private-key.txt > key.pk8
$ openssl rsa -in key.pk8 -out key.pem
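
The BOM check and cleanup described above can be scripted, shown here as an added example that is not part of the original post. It goes a little further than the iconv command: it removes only the three BOM bytes (iconv -c also discards any other non-ASCII byte without saying so) and creates the cleaned copy of the private key readable by its owner only. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find and remove a UTF-8 BOM
# in a PEM key file without touching any other byte.

# Succeeds if the file starts with the UTF-8 BOM bytes EF BB BF.
has_utf8_bom() {
    [ "$(dd if="$1" bs=3 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Print the file to stdout, skipping the BOM when one is present.
without_bom() {
    if has_utf8_bom "$1"; then tail -c +4 "$1"; else cat "$1"; fi
}

# Classify the key by its first line, ignoring a BOM and a trailing CR.
pem_format() {
    case "$(without_bom "$1" | head -n 1 | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write a BOM-free copy of $1 to $2; a newly created $2 is owner-only (0600).
strip_bom() {
    ( umask 077; without_bom "$1" > "$2" )
}

# Constructed sample: a BOM, CRLF line endings and a dummy body (not a real key).
demo_dir=$(mktemp -d)
printf '\357\273\277-----BEGIN PRIVATE KEY-----\r\nQUJD\r\n-----END PRIVATE KEY-----\r\n' \
    > "$demo_dir/generated-private-key.txt"
if has_utf8_bom "$demo_dir/generated-private-key.txt"; then
    echo "BOM found, format: $(pem_format "$demo_dir/generated-private-key.txt")"
    strip_bom "$demo_dir/generated-private-key.txt" "$demo_dir/key.pk8"
fi
rm -rf "$demo_dir"
```

Once strip_bom has written the cleaned file, the openssl rsa conversion shown above can be run on it.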
