12

The certificate of my website just expired, and I bought a new (free) one from AliCloud, downloaded one server.pem file and one server.key file.

Then, I use openssl x509 -outform der -in server.pem -out server.crt to create the server.crt file. Then openssl x509 -noout -text -in server.crt returned me an error:

unable to load certificate
4562605504:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

I also tried server.crt in production, it just did not work.

Does anyone know how to properly generate .crt file?

SoftTimur
  • 357
  • 3
    openssl x509 like most OpenSSL commandline operations defaults to input format PEM, so if you want to read a DER format file use -inform der. However, I don't know of any web server that is configured with a DER format cert (although some use PKCS12 in DER, which is very different from just a cert). BTW the error message is a bit misleading: the default will actually read either type CERTIFICATE or type TRUSTED CERTIFICATE in PEM, and the former is much more common, but the error message states only the latter. – dave_thompson_085 Jun 13 '20 at 00:14

2 Answers2

5

Likely you shouldn't be generating anything with these openssl commands but instead should be using the server.pem file exactly as you received it.

Open the file in a text editor. If the first line of this file is:

-----BEGIN CERTIFICATE-----

Then you use it unchanged. The only thing you might need to do to it is to append any intermediate certificates, depending on your web server.

Michael Hampton
  • 247,473
0

I think you can't read your server.crt file because of the encryption applied (-outform der). You can generate your crt file without this instruction. @see: https://superuser.com/a/1016068/1208395

user2280949
  • 1
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Community Mar 12 '22 at 16:23