OpenSSL Convert PEM to PFX using RSA PRIVATE Key

Question

I am attempting to use OpenSSL to Convert a PEM File and RSA Private Key to a PFX file. Here is the example command I attempted to use:

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

In doing so, I receive the following error message:

unable to load private key
9068:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

The cert file looks like this:

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

and the Private Key looks like this:

-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----

I did some digging on the error but I have not found a solution yet.

EDIT

After some additional research it appears to be a problem with different openssl versions.

If I run it on my OSX system which is running 0.9.8zh 14 Jan 2016, these statements work fine.

However, if I run it on a Windows Machine with version OpenSSL 1.0.1p 9 Jul 2015 and OpenSSL 1.1.0g 2 Nov 2017, I get the above errors.

Answer 1

I was also stuck on same. And as @thxmike said. My case was also similar.

OpenSSL command did not worked as expected for this.
openssl pkcs12 -export -in c.cer -inkey c.key -out d.pfx

So I ended up using Certutil on Windows. As we wanted to add it to Azure.

Note:-
1. Make sure to change .crt to .cer.
2. Make sure to put the .cer and .key files into the same folder and with same name - (c.cer and c.key)

Then run:
certutil -MergePFX c.cer c.pfx

You should get your combined pfx file.
Cheers!

Answer 2

After some throughout digging, I found that it was the Powershell scripts that generates the key and cert files.

Using Notepad++ on Windows and Tex-Edit Plus on OSX to identify hidden characters, I found that the files had extra [cr] at the end.

Using the command

openssl rsa -in <private key file> -noout -text
openssl x509 -in <cert file> -noout -text

Are good checks for the validity of the files

Since my source was base64 encoded strings, I ended up using the certutil command on Windows(i.e.)

certutil -f -decode cert.enc cert.pem
certutil -f -decode key.enc cert.key

on windows to generate the files. Once the files were correct, the OpenSSL command above worked as expected.

Answer 3

After having a similar issue, looks like different versions of openssl unpack the pfx archive with different syntax for the private key. It can be a traditional format where the private key start and end with

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

or PKSC#8 syntax with start and end

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

*Note the difference is not just the RSA word.

Therefore you may have to convert the private key from traditional to pksc8 syntax with

openssl pkcs8 -in <private key file> -topk8 -nocrypt -out <new private key file>

https://linux.die.net/man/1/pkcs8

Answer 4

you certificate cert.pem contains the key as well. Make sure you have the certifacte without the key. Use -nokeys while creating the cert.

Answer 5

You might have a password protected key file. I had to remove the passphrase on the key and it worked:

openssl rsa -in encrypted.key -out unencrypted.key

Then use the unencrypted key in your initial command:

openssl pkcs12 -export -out cert.pfx -inkey unencrypted.key -in cert.pem

Answer 6

Had this same issue. Environment is Ubuntu in WSL2/Windows 11

Error:

unable to load private key
139944805250368:error:0909006C:PEM routines:get_name:
no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

For me, this was a permissions issue. OpenSSL could not access the file, but there is no indication here pointing to that being the issue.

My solution was:

sudo -s
chown -hR root yourdomain.com/
cd yourdomain.com/
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem

The conversion worked after taking ownership of the directory. After this I copied it to my home folder. Permissions were still funny getting it copied to windows, but after zipping the file up, I could copy it over.

Hope this helps someone!

Answer 7

I think the bug is related to openssl version, not sure... the steps bellow may work

openssl pkcs12 -in xxx.pfx -out xxx.nokey.pem -nokeys
openssl pkcs12 -in xxx.pfx -out xxx.withkey.pem
openssl rsa -in xxx.withkey.pem -out xxx.key
cat xxx.nokey.pem xxx.key > xxx.combo.pem