11

The certificate of my website just expired, and I bought a new (free) one from AliCloud and downloaded one server.pem file and one server.key file.

Then I used `openssl x509 -outform der -in server.pem -out server.crt` to create the server.crt file. Then `openssl x509 -noout -text -in server.crt` returned an error:

```
unable to load certificate
4562605504:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
```

I also tried server.crt in production; it just did not work.

Does anyone know how to properly generate a .crt file?

SoftTimur
    `openssl x509` like most OpenSSL commandline operations defaults to input format PEM, so if you want to read a DER format file use `-inform der`. However, I don't know of any web server that is configured with a DER format cert (although some use _PKCS12_ in DER, which is very different from just a cert). BTW the error message is a bit misleading: the default will actually read either type `CERTIFICATE` _or_ type `TRUSTED CERTIFICATE` _in PEM_, and the former is _much_ more common, but the error message states only the latter. – dave_thompson_085 Jun 13 '20 at 00:14
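
The input-format point in the comment above, as an added example that is not part of the original thread: a Python sketch (standard library only) that tells a PEM certificate file from a DER one by its leading bytes, reports the matching `-inform` value, and turns a DER file back into PEM. The function names and the sample bytes are assumptions made for this example; the sample is constructed and is not a real certificate.

```python
import ssl

# The two PEM types `openssl x509` reads by default, per the comment above.
PEM_LABELS = (b"CERTIFICATE", b"TRUSTED CERTIFICATE")


def detect_cert_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a certificate file."""
    head = data.lstrip()
    if any(head.startswith(b"-----BEGIN " + label + b"-----") for label in PEM_LABELS):
        return "PEM"
    # A DER certificate is one ASN.1 SEQUENCE: tag 0x30, then the length.
    # Certificates are longer than 255 bytes, so the length is 0x82 + 2 bytes.
    if len(data) >= 4 and data[0] == 0x30 and data[1] == 0x82:
        if int.from_bytes(data[2:4], "big") == len(data) - 4:
            return "DER"
    return "unknown"


def openssl_inform(data: bytes) -> str:
    """Value to pass to `openssl x509 -inform` so the file loads."""
    encoding = detect_cert_encoding(data)
    if encoding == "unknown":
        raise ValueError("not a PEM or DER certificate")
    return encoding.lower()


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, undoing a `-outform der` conversion."""
    encoding = detect_cert_encoding(data)
    if encoding == "PEM":
        return data.decode("ascii")
    if encoding == "DER":
        return ssl.DER_cert_to_PEM_cert(data)  # base64 + BEGIN/END CERTIFICATE lines
    raise ValueError("not a PEM or DER certificate")


# Constructed sample: DER-shaped bytes (SEQUENCE header + filler), not a real
# certificate. Only the outer framing matters for format detection.
_BODY = bytes(range(256)) + b"constructed-sample"
FAKE_DER = b"\x30\x82" + len(_BODY).to_bytes(2, "big") + _BODY

if __name__ == "__main__":
    print("server.crt (DER) needs: -inform", openssl_inform(FAKE_DER))
    pem = to_pem(FAKE_DER)
    print("after to_pem():", detect_cert_encoding(pem.encode()), "-", pem.splitlines()[0])
```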

2 Answers

4

Likely you shouldn't be generating anything with these openssl commands but instead should be using the server.pem file exactly as you received it.

Open the file in a text editor. If the first line of this file is:

```
-----BEGIN CERTIFICATE-----
```

Then you use it unchanged. The only thing you might need to do to it is to append any intermediate certificates, depending on your web server.

Michael Hampton
0

I think you can't read your server.crt file because of the encryption applied (-outform der). You can generate your crt file without this instruction. @see: https://superuser.com/a/1016068/1208395
