24

I am trying to generate a private-public key pair and convert the public key into a certificate which can be added into my truststore.

To generate private & public key: openssl rsa -in private.pem -outform PEM -pubout -out public_key.pem

Now I am trying to convert this to a certificate:

openssl x509 -outform der -in public_key.pem -out public.cer

But I get an error:

7962:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

All tutorials show that I have to convert pem to crt before adding to a truststore.

user1692342

2 Answers

11

You cannot "convert" a public key to a certificate. A certificate includes the public key but it includes also more information like the subject, the issuer, when the certificate is valid etc. And a certificate is signed by the issuer. Thus what you would need instead is to create a certificate signing request (CSR) which includes the public key but also includes all the additional information. This CSR then needs to be signed by a certificate authority (CA) which then results in the certificate.

For creating a simple self-signed certificate which is not trusted by any browser see How to create a self-signed certificate with openssl?.

Steffen Ullrich

2

You cannot convert a public key into a certificate.

The original commands will not work since the PEM encoding / file format is expecting to contain the encrypted certificate text like below:

-----BEGIN CERTIFICATE-----

Certificate data here

-----END CERTIFICATE-----

Therefore if you view the original .PEM file and see something else (like BEGIN RSA ... ) then that is incorrect.

Now according to the thread title you are seeking to convert a PEM into a CRT file format. Note that x509 certificates can be in two encodings - DER and PEM. Also, PEM can be within a .CRT, .CER and also .PEM format.

Therefore if you see that error there is also a chance that you are treating a DER encoded certificate as a PEM encoded certificate. You can try to see if it's actually DER encoded by following the instructions in this page.

NASAhorse
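What both answers describe, as an added example that is not part of the original posts: the public key has to be wrapped in a signed certificate (here self-signed, so it is trusted only where you import it) before `openssl x509` can convert it to DER, and the PEM label shows which kind of file you have. The function names, the file name `cert.pem`, the subject `/CN=example.test`, the 2048-bit key size and the 365-day validity are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; helper names, cert.pem and the subject CN are illustrative.

# make_trust_cert DIR
# Creates in DIR: private.pem, public_key.pem (bare key, as in the question),
# cert.pem (self-signed certificate) and public.cer (the same certificate, DER).
make_trust_cert() {
    dir=$1

    # 1. Private key; the public key is derived from it.
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null || return 1

    # 2. Bare public key. This file holds a "PUBLIC KEY" PEM block, which
    #    is why `openssl x509` rejects it: there is no subject, issuer,
    #    validity period or signature in it.
    openssl rsa -in "$dir/private.pem" -pubout \
        -out "$dir/public_key.pem" 2>/dev/null || return 1

    # 3. Self-signed certificate: the request (subject + public key) is
    #    built and signed with the same private key in one step. For a
    #    CA-issued certificate, drop -x509 to emit a CSR and send that
    #    to the CA instead.
    openssl req -new -x509 -key "$dir/private.pem" \
        -subj "/CN=example.test" -days 365 \
        -out "$dir/cert.pem" || return 1

    # 4. PEM certificate -> DER certificate for the truststore import.
    openssl x509 -in "$dir/cert.pem" -outform der \
        -out "$dir/public.cer" || return 1
}

# pem_label FILE
# Prints the label of the first PEM block in FILE ("CERTIFICATE",
# "PUBLIC KEY", ...). Prints nothing for a DER (binary) file.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}
```

Only `public.cer` (or `cert.pem`) goes into the truststore; `private.pem` stays with the party that owns the key.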