Can't get private key with openssl (no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY)
I have a .key file; when I do

openssl rsa -text -in file.key

I get

unable to load Private Key
140000419358368:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

Also I have a .cer file and when I do

openssl x509 -text -in file.cer

I get

unable to load certificate
140387178489504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

But if, as pointed out here, I run the command like:

openssl x509 -text -inform DER -in file.cer

I get

Certificate:
    Data:
        Version: 3 (0x2)
        Some more information
        ...
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIUMjAwMDEwMDAwMDAxMDAwMDU4NjcwDQYJKoZIhvcNAQEF
...
-----END CERTIFICATE-----

But that doesn't seem to work with the key, because when I run

openssl rsa -text -inform DER -in aaa010101aaa__csd_10.key

I get

unable to load Private Key
140004844304032:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337:
140004844304032:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:849:
140004844304032:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=version, Type=RSA
140004844304032:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:
140004844304032:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337:
140004844304032:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:849:
140004844304032:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=version, Type=PKCS8_PRIV_KEY_INFO

How can I get the private key and its certificate?

Bunsen answered 25/7, 2015 at 19:56 Comment(0)
P
25

It looks like you have a certificate in DER format instead of PEM. This is why it works correctly when you provide the -inform PEM command line argument (which tells openssl what input format to expect).

It's likely that your private key is using the same encoding. It looks as if the openssl rsa command also accepts a -inform argument, so try:

openssl rsa -text -in file.key -inform DER

A PEM encoded file is a plain-text encoding that looks something like:

-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----

While DER is a binary encoding format.

Update

Sometimes keys are distributed in PKCS#8 format (which can be either PEM or DER encoded). Try this and see what you get:

openssl pkcs8 -in file.key -inform der

Planer answered 25/7, 2015 at 22:26 Comment(3)
You're going to have to show us what the private key file looks like, otherwise we're just guessing. – Planer
Ok, but it's in binary; how can I show you the contents of the key? I tried with vi in binary mode (vi -b) but it shows an almost unreadable output. – Bunsen
See my update first. If your private key really is something you can share with us (in which case it's not really "private" anymore), you could generate a hex dump using od -x. If you want to keep it private, you're probably going to need to contact the source of the key for more information. – Planer
H
31

I ran into the 'Expecting: ANY PRIVATE KEY' error when using openssl on Windows (Ubuntu Bash and Git Bash had the same issue).

The cause of the problem was that I'd saved the key and certificate files in Notepad using UTF8. Resaving both files in ANSI format solved the problem.

Heliozoan answered 12/6, 2018 at 0:37 Comment(8)
Same here. I tried so many things like changing permissions, paths and headline - but didn't think about encoding ... – Trenton
Thanks, this helped! For conversion I used this command: iconv -f utf-8 -t ascii -c server.key > server.key2 – Cutout
F*&&% &*^%. That ate through a few precious hours. No discussion of this anywhere. Indeed, the private key file I downloaded from GoDaddy included the byte-order mark (BOM), causing expressjs.https to fail to load the private key. – Insusceptible
iconv -c -f UTF8 -t ASCII cert.key > cert2.key to convert – Zabrine
Small correction to @dps - the input format should be -f UTF-8 instead of -f UTF8. – Spiritoso
@Spiritoso it looks to me like UTF8 and UTF-8 are interchangeable; try iconv --list | grep UTF – Zabrine
@dps I probably just have an old version. iconv --version shows iconv (GNU libiconv 1.14). iconv --list | grep UTF only shows names with -s in them. This command: echo "hello" | iconv -f UTF8 fails with error: iconv: conversion from UTF8 unsupported, but this works: echo "hello" | iconv -f UTF-8 – Spiritoso
DING DING - this was the solution for me – Sanatorium
E
12

You need to re-encrypt the ssh key file with the -m PEM option.

ssh-keygen -p -f keyfile -m PEM

Detail:

This issue is caused by some versions of ssh-keygen generating an encrypted file format that is not what openssl wants.

I had the same issue when I used ssh-keygen -p -f keyfile to encrypt the key file; the result will be like

-----BEGIN OPENSSH PRIVATE KEY-----

then I encountered this issue: openssl rsa < keyfile does not work, with the same error as the questioner.

The other day I happened to find that another encrypted key file was like

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,xxxxxxxxx..

and this file could be decrypted by openssl rsa < keyfile.

It turns out that different ssh-keygen versions generate different encrypted formats, and each needs the respective openssl version to decrypt.

It seems that for modern openssl (mine is 1+), it needs the latter format.

So I ended up with the following solution: re-encrypt the ssh key file with the -m PEM option.

ssh-keygen -p -f keyfile -m PEM

then enter the old password and the new password.

The -m PEM option will generate

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,xxxxxxxxx..

Then I can use openssl rsa < keyfile to decrypt the file later. (Of course, if you enter an empty password in the above ssh-keygen command, you will also get a decrypted result, but that is probably not what you want, because you don't want to save a decrypted key file on disk.)

Education answered 12/11, 2021 at 16:2 Comment(0)
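A checker that ties together the three diagnoses on this page (Planer: DER vs PEM and PKCS#8; Heliozoan: a UTF-8 BOM from Notepad; this answer: OpenSSH-format keys), written as an added example rather than code from any of the answers. The DER bytes it runs on are constructed stand-ins, not real keys, and the verdict strings are this example's own wording.

```python
"""Classify a key/certificate file as the answers above suggest (added example): a UTF-8
BOM ahead of the PEM header, an OpenSSH-format key, plain PEM, or DER; for DER it peeks
at the outer SEQUENCE to tell certificate, PKCS#1 and PKCS#8 apart."""
import re

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_child_tags(data: bytes) -> list:
    """Tags of the elements directly inside the outer SEQUENCE (0x30), else []."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        return []
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = _read_tlv(body, pos)
        tags.append(t)
    return tags

def diagnose(data: bytes) -> str:
    """Return a short verdict plus the openssl invocation that should read the file."""
    if data.startswith(b"\xef\xbb\xbf"):    # Notepad 'UTF-8' adds this; openssl sees no start line
        return "utf8-bom: strip it, e.g. iconv -f UTF-8 -t ASCII -c in.key > out.key"
    if m := PEM_HEADER.search(data):
        label = m.group(1).decode()
        if label == "OPENSSH PRIVATE KEY":
            return "openssh: convert with ssh-keygen -p -f keyfile -m PEM"
        return f"pem:{label}: the default -inform PEM should work"
    if len(data) < 2 or data[0] != 0x30:
        return "unknown: neither PEM nor a DER SEQUENCE"
    try:
        tags = der_child_tags(data)
    except IndexError:
        return "der-truncated: file is cut short or not DER at all"
    if tags[:3] == [0x30, 0x30, 0x03]:      # tbsCertificate, signatureAlgorithm, signature
        return "der-certificate: openssl x509 -inform DER"
    if tags[:2] == [0x02, 0x02]:            # RSAPrivateKey: version, modulus, ...
        return "der-pkcs1-rsa: openssl rsa -inform DER"
    if tags[:2] == [0x02, 0x30]:            # PrivateKeyInfo: version, algorithm, ...
        return "der-pkcs8: openssl pkcs8 -inform DER"
    return "der-unknown: not a structure this check recognises"
if __name__ == "__main__":  # constructed PKCS#1-shaped DER: SEQUENCE{INTEGER 0, INTEGER 5, INTEGER 3}
    print(diagnose(bytes.fromhex("3009020100020105020103")))
```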
P
4

On my execution of openssl pkcs12 -export -out cacert.pkcs12 -in testca/cacert.pem, I received the following message:

unable to load private key 140707250050712:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

Got this solved by providing the key file along with the command. The switch is -inkey inkeyfile.pem

Paphlagonia answered 24/5, 2018 at 12:51 Comment(0)
K
3

My two cents: I came across the same error message on RHEL7.3 while running the openssl command with a root CA certificate. The reason being, while downloading the certificate from the AD server, the encoding was selected as DER instead of Base64. Once the proper encoding was selected for the new certificate download, the error was resolved.

Hope this helps for new users :-)

Krilov answered 28/3, 2017 at 11:51 Comment(0)
A
1

Try specifying the -pubin flag to whatever command you're trying to run; you usually get the unable to load Private Key nonzero error message when you're passing arguments to a command that assumes (by default) that you're feeding it a private key, when in fact you're feeding it a public key.

For example:

openssl rsautl -encrypt -pubin -inkey public.pem -in data.txt > encrypted_data.enc

Ananna answered 16/5, 2023 at 13:16 Comment(0)