I got this error trying to generate a .pfx file from a newly received certificate. The error scared me a little because I was absolutely sure I had matched the correct private key with the certificate.
Where it went wrong in this case was the export of the .cer file. I received a .p7b file from Verisign which contains my certificate plus the Verisign Root and Sub certs. From the .p7b file I chose to export my certificate.
Now when you choose to export to DER format you will get your "No Certificate Matches Private Key" error. You need to choose to export to BASE64 to get it to work.
Choosing the right format will solve this problem and you can bundle your private key and public key in a .pfx file. Alternatively you can use OpenSSL to convert your DER certificate to an x509 certificate with the following command:
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
Then you can use the .pem file to create the .pfx:
openssl pkcs12 -export -in MYCERT.pem -inkey privkey.pem -out mycert.pfx
Good luck!
My OS is Ubuntu 20.04.1. When generating a private key:
1. ssh-keygen -t rsa -b 4096 -f /home/apps/AIspace/bin/certs/amber-api.key
2. openssl rsa -in /home/apps/AIspace/bin/certs/amber-api.key -pubout -outform PEM -out amber-api.key.pub
There is an error message:
140551763596608:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
Checked the relevant environment:
openssl version: OpenSSL 1.1.1f 31 Mar 2020
But in my previous environment, everything worked fine:
ubuntu 18.04.5
OpenSSL 1.1.1 11 Sep 2018
So, I’m not sure if there is a bug in the higher version.
I believe amber-api.key (which you can display as a text file) starts with this:
-----BEGIN OPENSSH PRIVATE KEY-----
OPENSSH isn’t a key type that openssl understands, not in any version to date.
@levitte Yes, you are right. How can I solve this problem?
In the man page ssh-keygen(1), you can read about the export option -e. That should help.
I would recommend the PKCS#8 format.
Richard Levitte wrote:
Still open?
Information provided — reference to manual page. Also manual details how to write in different formats.
Regards,
Roumen Petrov
I had the same issue. The -e export option does not work for me, as this will not convert the private key. Instead I converted my original key to PEM (SSH2) format:
ssh-keygen -p -f ~/.ssh/id_rsa -m pem
Thank you so much! After many hours of unsuccessful attempts this worked for me.
OPENSSH isn’t a key type that openssl understands, not in any version to date.
I wish openssl would at least tell me that this is the problem, and even better suggest converting the openssh key to an rsa key. «Expecting: ANY PRIVATE KEY» isn’t a very helpful error message.
Similar issue here.
unable to load private key
139944805250368:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
For me, the permissions were off on the files so openssl couldn’t read the file, therefore -> ‘no start line’
My solution was:
sudo -s
chown -hR root yourdomain.com/
cd yourdomain.com/
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem
The conversion worked after taking ownership of the directory. After this I copied it to my home folder. Permissions were still funny getting it copied to windows, but after zipping the file up, I could copy it over.
This is a LINUX to WINDOWS file formatting problem:
Godaddy Generated Private.KEY file:
When running this command (using the above KEY file), we get an error:
openssl pkcs12 -export -inkey private.key -in downloadedCert.crt -out websitefqdn.pfx
unable to load private key
11892:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY
After converting it (create a new txt file and edit old and new files with notepad.exe, copy > paste into the new file > save), we now have a new, compatible file format.
and the repeated command:
openssl pkcs12 -export -inkey converted-private.key -in downloadedCert.crt -out websitefqdn.pfx
Enter Export Password:
Verifying - Enter Export Password:
You’re welcome
@sjackson0109 wowww!! It worked. Thanks. I was executing the commands from git bash. I didn't think notepad would be so useful. Btw, even if you just copy and paste to a new file using Visual Studio Code it works. But using the cp command won't work.
Are you trying to convert the key file into the DOS mode ? And the follow-up command would start working ?
On my UBUNTU 20.0.4, I have tried the freshly created key file and the converted copy, and it fails in either way.
Comments?
Jack
- Once a CSR is created, the Mobile Access gateway generates a key pair: a Private and a Public key.
- The public key is combined with the CSR into a single file (*.csr), while the private key is kept secured in the Mobile Access gateway.
- The CA receives the CSR (combined with the public key) and creates the certificate according to the CSR content.
- At this stage, the new certificate contains the public key generated by the Mobile Access gateway.
- After the certificate creation, the CA signs the certificate with its own private key.
- The signed certificate (containing the gateway public key) is fused with the Mobile Access gateway’s private key into an encrypted P12 certificate.
In our scenario, the user failed to fuse the private key and the signed certificate.
The certificate signed by the CA contains invalid syntax, where prohibited spaces were included in the base64 code content.
When you edit the certificate file with Notepad++ or any other text editor, the spaces can be revealed.
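Every cause discussed on this page so far (the OpenSSH-format key, the DER .cer export, a file re-saved from Windows, unreadable permissions, and the prohibited spaces in the base64 body just described) produces the same "no start line" message from openssl. The shell function below is an added example, not taken from any of the posts above or from OpenSSL; it tells the cases apart and names the conversion the threads above used for each. File names on the usage line are placeholders.

```shell
#!/bin/sh
# pem_diagnose FILE: report why OpenSSL's PEM reader refuses a key or
# certificate file ("no start line: Expecting: ANY PRIVATE KEY").
# Prints one finding per line and returns 1 if any fault was found.
pem_diagnose() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "$f: not readable; check ownership and permissions (openssl reports 'no start line' for this too)"
        return 1
    fi
    # Without a "-----BEGIN" header the file is not PEM at all; guess what it is.
    if ! grep -q -e '-----BEGIN' "$f"; then
        if [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
            echo "$f: no PEM header and first byte 0x30 (ASN.1 SEQUENCE): DER; convert with 'openssl x509 -inform der -in $f -out $f.pem' (or 'openssl rsa -inform der' for a key)"
        else
            echo "$f: no '-----BEGIN' line at all: not a PEM file"
        fi
        return 1
    fi
    rc=0
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        echo "$f: OpenSSH native key format, which openssl does not read; rewrite it in place with 'ssh-keygen -p -m pem -f $f'"
        rc=1
    fi
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "$f: UTF-8 byte-order mark before the header, so the header does not start its line"
        rc=1
    fi
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings (Windows editor); OpenSSL tolerates them, other tools may not: convert to LF"
    fi
    if grep -q -e '-----END [A-Z ]*-----.*-----BEGIN' "$f"; then
        echo "$f: an END footer and the next BEGIN header share one line: missing newline between concatenated blocks"
        rc=1
    fi
    # The base64 body is everything between the header and footer lines.
    if sed -n '/^-----BEGIN/,/^-----END/p' "$f" | grep -v '^-----' | tr -d '\r' | grep -q '[[:space:]]'; then
        echo "$f: whitespace inside the base64 body (spaces in the middle or at the end of a line)"
        rc=1
    fi
    if sed -n '/^-----BEGIN/,/^-----END/p' "$f" | grep -v '^-----' | tr -d '\r' | grep -q '^$'; then
        echo "$f: empty line inside the base64 body"
        rc=1
    fi
    return $rc
}

# Usage: sh pem_diagnose.sh private.key cert.pem ...   (placeholder names)
for f in "$@"; do pem_diagnose "$f"; done
```

The function only inspects the text framing; it does not parse ASN.1, so a file that passes can still be the wrong key for the certificate, which is what the pkcs12 export step itself reports.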
I have exported an existing certificate+key from an ASA 5510:
asa5510(config)# crypto ca export MYTRUSTSTORE pkcs12 MYPASSWORD
Saved the output in a file (vpn-cisco.pkcs12), and now I am trying to pull the cert and the key into separate files like so:
openssl pkcs12 -in cisco-vpn.pkcs12 -nocerts -out privateKey.pem
The error I receive:
139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12
Same error if I run openssl pkcs12 -info ... or any other command.
I have tried to export the file again and compare using ASDM instead of the CLI, but the file is exactly the same.
Googling for the error only says the encoding of the file might be somehow off, but no specific details.
EDIT (7 years later): I came across the same issue again, having to maintain an ASA and a Zimbra setup using the same certs, and came across my own question as the working answer.
Extra thanks for all the additional input like needing to sanitize the p12 file for empty lines etc.
EDIT 2: PKCS12 export from the ASA encrypts the private key, ZCS isn’t happy with that, so the password needs to be dropped, so first extract the key:
openssl pkcs12 -in cisco-vpn.pkcs12.bin -nocerts -out privateKey.pem
And then drop the password:
openssl rsa -in privateKey.pem -out key_no_pass.txt
Contents
- 1 SSL Certificate Errors
- 1.1 Keystore tampered or unreadable
- 1.2 Saving keys failed
- 1.3 Verifying comm certs works, deploying doesn’t
- 1.4 Keystore not found
- 1.5 Extra files in ca dir causing errors
- 1.6 Unable to get issuer certificate
- 1.7 Certificate is not yet valid
- 1.8 Unable to load certificate
- 1.9 Can’t find private key
- 1.10 Proxy displays old cert
- 1.11 Ldap replica sync errors
SSL Certificate Errors
KB 21191 | Last updated on 2018-05-22
Keystore tampered or unreadable
When starting mailbox, you see the following:
java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
Starting mailboxd...[] WARN: failed to read keystore file java.io.IOException: Invalid keystore format at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
The error says that the keystore is corrupted. Remove /opt/zimbra/ssl/zimbra/jetty.pkcs12 and /opt/zimbra/mailboxd/etc/keystore, and redeploy the cert (There’s usually no need to recreate it, just redeploy it).
mv /opt/zimbra/ssl/zimbra/jetty.pkcs12 /tmp/jetty.pkcs12
mv /opt/zimbra/mailboxd/etc/keystore /tmp/keystore
/opt/zimbra/bin/zmcertmgr deploycrt self
If simply redeploying doesn’t work, recreate it as per the instructions Administration Console and CLI Certificate Tools
Saving keys failed
On deploying certs:
# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
Mostly because the ldap is not accessible (is it running?) or if /opt/zimbra/conf/localconfig.xml isn’t readable. Check permissions, connectivity with ldap, etc.
Verifying comm certs works, deploying doesn’t
On deploying commercial certs, ‘verify cert’ works, but deploying doesn’t.
XXXXX ERROR: failed to create jetty.pkcs12 No certificate matches private key
Ensure there’s a newline at the end of each cert. If there isn’t, the end of one cert and the beginning of the next cert end up on the same line, causing this error. If it isn’t this, check for other similar formatting errors in the certs, like an extra space at the end of each line, etc.
Keystore not found
java.io.FileNotFoundException: /opt/zimbra/jetty-distribution-9.1.5.v20140505/etc/keystore (No such file or directory)
There’s no keystore present. Redeploy certs, and all should be good. Only if redeploying doesn’t work, recreate certs.
Extra files in ca dir causing errors
Server has ‘ca.key ca.pem commercial_ca_1.pem commercial_ca_2.pem commercial_ca.pem’ in it.
There shouldn’t be any other file in /opt/zimbra/conf/ca. Only store the commercial CA and key here. If you need a backup, store it in another directory. We’ve seen issues where multiple seemingly harmless files in this directory have caused problems, particularly with postfix. See also: http://wiki.zimbra.com/wiki/Error_%28MTA%29:_Unable_to_set_STARTTLS
Unable to get issuer certificate
[root@shanx certbundle]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt /tmp/ca_chain.crt
Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: C = IN, ST = Delhi, L = New Delhi, O = Shashank Intermediate CA One, OU = Intermediate CAs, CN = Shashank Intermediate CA One, emailAddress = shanx@example.com
error 2 at 2 depth lookup:unable to get issuer certificate
Intermediate certificate is missing. Check the chain, and ensure it’s all present, one after the other, when you’re doing this step:
cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt
‘ca_intermediary’ should have ALL the intermediate certs in the correct order. The issuer of one should be the subject of the next one.
Digicert has explained this quite well: https://www.digicert.com/ssl.htm
Certificate is not yet valid
error 9 at 0 depth lookup:certificate is not yet valid
Probably a timing issue. The certificate is not yet valid means that it is probably valid for a future date, but not now. Check start date and time of the validity, and then the time on the server, time the certificate was issued, ntp, etc.
Unable to load certificate
Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
140362235303592:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
It was supposed to get a certificate, but it got something else. Check if the file is indeed a certificate, permissions, etc. Also if it is a certificate in the PEM format. Some CAs give the cert as a .der, some give it in a funny format, etc. You’ll have to check what it is, and convert it to a properly readable .pem cert.
Good explanation of the different formats here: http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
Can’t find private key
** Verifying /tmp/wts.cer against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Can't find private key /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: provided cert isn't valid.
- Check if there’s a formatting error in the cert, i.e.,new lines, extra spaces at the end of each line, etc.
- The key isn’t valid. There are way too many customers who generate a CSR, send it and get a commercial certificate, and for some reason generate a new CSR again and again. This causes the old key to be backed up in /opt/zimbra/ssl/zimbra.<date>. Check each /opt/zimbra/ssl/zimbra.<date> folder, and verify the certificate against each key. One of them should work.
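The checks this section and the earlier "Verifying comm certs works, deploying doesn’t" and "Unable to get issuer certificate" sections ask for (newline at the end of each file, the key actually belonging to the certificate, and the chain ordered so that each issuer is the next subject) can be run before calling zmcertmgr. The script below is an added example, not part of the Zimbra KB or of zmcertmgr; it assumes the openssl CLI is installed and that the bundle is ordered leaf first, then intermediates, then optionally the root. The file names on the usage line are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the files handed to "zmcertmgr deploycrt comm".
# Usage: sh zimbra-cert-precheck.sh commercial.key commercial.crt ca_chain.crt

# A file without a final newline makes "cat a.crt b.crt" put the END footer
# of one certificate and the BEGIN header of the next on a single line.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Write each certificate of bundle $1 to $2/1.pem, $2/2.pem, ... and print the count.
split_bundle() {
    awk -v d="$2" '/^-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/" n ".pem") } END { print n + 0 }' "$1"
}

# Key $1 matches certificate $2 when both carry the same public key;
# hashing the DER-encoded public key works for RSA and EC keys alike.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# In a bundle ordered leaf -> intermediates -> root, the issuer of each
# certificate must equal the subject of the certificate that follows it.
chain_in_order() {
    d=$(mktemp -d); ok=0; prev_issuer=""
    n=$(split_bundle "$1" "$d")
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(openssl x509 -in "$d/$i.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "chain break at certificate $i: expected subject '$prev_issuer', found '$subj'" >&2
            ok=1
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    rm -rf "$d"
    [ "$n" -gt 0 ] && [ "$ok" -eq 0 ]
}

if [ "$#" -eq 3 ]; then
    rc=0
    for f in "$2" "$3"; do
        ends_with_newline "$f" || { echo "$f: no newline at end of file" >&2; rc=1; }
    done
    key_matches_cert "$1" "$2" || { echo "$1 does not match $2" >&2; rc=1; }
    chain_in_order "$3" || rc=1
    exit "$rc"
fi
```

A non-zero exit means zmcertmgr would fail with one of the errors quoted in this KB; the message on stderr says which file to fix first. If the key is passphrase-protected, openssl prompts for it during the key check.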
Proxy displays old cert
A new certificate has been installed on a proxy server, but logging into the webpage still shows the old one.
- First do the obvious ‘clearing-cache-of-browser’ steps
- Check ‘nginx.crt’. Sometimes, even after deploying the new cert, it doesn’t get copied here. Manually copying it should fix it.
Ldap replica sync errors
This happens nearly all the time because the CA of the replica ldap isn’t the same as the CA of the master. To fix this:
- Run the following on the master ldap:
/opt/zimbra/bin/zmcertmgr deploycrt self -allserver
- If it doesn’t work:
1. Copy the CA from the master to the replica
rsync -Pa /opt/zimbra/ssl/zimbra/ca/ root@replica.example.com:/opt/zimbra/ssl/zimbra/ca/
2. Deploy this CA on the replica
/opt/zimbra/bin/zmcertmgr deployca
3. Recreate and redeploy the self-signed cert on replica
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
Thread author: Diversant | Started: 14.05.2018 | Tags: openssl
#1
Hello colleagues! I need to combine a private key with a certificate. I enter the command
Code:
openssl pkcs12 -export -out certificate2018.pfx -inkey private.key -in cert2018.crt
and get these errors
Code:
Enter pass phrase for private2018.key:
unable to load private key
6044:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto\evp\evp_enc.c:535:
6044:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto\pem\pem_lib.c:445:
c:\OpenSSL-Win32\bin>
Can you tell me what the problem is?
-
#2
You are entering the wrong password. Recall what you specified when generating the certificate request.
-
#3
Yes, I was entering the wrong password. Thank you!