openssl unable to read/load/import SSL private key from GoDaddy

openssl is the standard open-source, command-line tool for manipulating SSL/TLS certificates on Linux, MacOS, and other UNIX-like systems. I recently ran into an interesting problem using openssl to convert a private key obtained from GoDaddy. Someone else used GoDaddy’s “wizard” interface to generate a certificate signing request (CSR) and private key, and saved the files on their Windows workstation. They purchased an SSL cert from GoDaddy, and shared all the files with me for installation on servers. GoDaddy saved the private key in the newer PKCS #8 format (pkcs8), and one system required the key in the older PKCS #1 (pkcs1) format. It’s easy to tell the difference.

PKCS #1 files start with:

-----BEGIN RSA PRIVATE KEY-----

PKCS #8 files start and end with ONE OF these lines:

-----BEGIN PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY----- 

I found that openssl couldn’t even read the private key:

$ openssl rsa -in generated-private-key.txt
unable to load Private Key
4605261420:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/pem/pem_lib.c:683:Expecting: ANY PRIVATE KEY

The error was surprising, because the key file looked perfect. I wasted quite a bit of time trying to find a mistake in my openssl command. Fortunately, I found the solution in a comment on a StackOverflow article. I don’t know if the culprit is GoDaddy’s key generation, or the way that the key was saved on a Windows system (perhaps with Notepad), but the key ended up being encoded in UTF-8, with a Byte Order Mark (BOM) included. openssl couldn’t read the key because it was unable to parse the BOM. The solution was to use iconv to convert the key file from UTF-8 to ASCII, and then covert from pkcs8 to pkcs1:

$ iconv -c -f UTF8 -t ASCII generated-private-key.txt > key.pk8
$ openssl rsa -in key.pk8 -out key.pem

12 thoughts on “openssl unable to read/load/import SSL private key from GoDaddy”

  1. This saved my bacon after spending half a day swearing at open ssl and apple for the amount of crap i had to install to do it all anyway I was getting nowhere. This is exactly what i needed. I left it at the pk8 stage and that worked fine in creating the pfx file.

    Thanks.

  2. Hello. Do i need to chnage the Format from the Public key also to ASCII??? and if yes is it the Same process as the private key??

    Thanks
    Jan

  3. Thank you Sir! Converted the key file from UTF8 to ASCII encoding in Notepad++, and was able to use the OpenSSL commands. Much appreciated.

  4. Just wanted to add here that I had this problem too. I used a variation of this solution to fix it.

    I have Notepad++ and it has the ability to reparse files and save as UTF-8 without the BOM. It turns out this was all I needed to do to get the GoDaddy key file to work during the conversion from PEM to PFX.

    1. Open file in Notepad++
    2. Change the encoding from UTF-8 BOM to UTF-8
    3. Save the file
    4. Import the file into openssl with options for exporting as PFX file
    5. Import the PFX into windows application (IIS, Exchange, ADFS, etc.)

Leave a Reply to DW Cancel Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.