On 28/07/14 18:59, Paul Goyette wrote:
>>> openssl verify command says that my .pem files are good, so I don't
>>> know where to look next.
>>
>> Key and certificate files can be in either a text format (PEM) or
>> binary (DER)--perhaps your /etc/openssl/certs/imapd.pem is actually in
>> DER format? It should contain a "-----BEGIN RSA PRIVATE KEY-----" line.
>>
>> If it's the wrong format, openssl can convert it... I think something
>> like:
>>
>> openssl rsa -inform der -outform pem -in imapd.pem -out imapd2.pem
>>
>> or something to that effect.
>
> My imapd.pem appears to be a plain text file, starting with
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 3735943887 (0xdeadfacf)
>     Signature Algorithm: sha1WithRSAEncryption
> ...
That data is ignored by the PEM reader routines; it scans for the
"--..BEGIN BLAH..--" section(s) and parses the base64 data inside the
section. Does the file contain any "BEGIN PRIVATE KEY" or similar
section? If it doesn't, it looks like you're missing the private key.

> There is an associated imapd.crt which appears to be binary:
>
> # hexdump -C imapd.crt
> 00000000  30 82 04 6a 30 82 03 52  a0 03 02 01 02 02 05 00  |0..j0..R........|
> 00000010  de ad fa cf 30 0d 06 09  2a 86 48 86 f7 0d 01 01  |....0...*.H.....|
> 00000020  05 05 00 30 81 9f 31 0b  30 09 06 03 55 04 06 13  |...0..1.0...U...|
> ...

That would presumably be the exact same thing as the imapd.pem above, but
in BER/DER format.

NotAlwaysTrueButTrueEnoughThatItsGoodToMemorize: PEM=Unix, DER=Windows.

openssl defaults to PEM. If you want to inspect the contents of a DER
file you add the option "-inform der", as Dave Huang suggested. The
equivalent of:

  $ openssl x509 -noout -text -in /etc/openssl/certs/imapd.pem

...for DER is:

  $ openssl x509 -inform der -noout -text -in /etc/openssl/certs/imapd.crt

... but this has nothing to do with the error you posted. Just trying to
demystify openssl and x509 a little.

>
>
> -------------------------------------------------------------------------
> | Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
> | Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
> | Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
> | Kernel Developer |                          | pgoyette at netbsd.org  |
> -------------------------------------------------------------------------

-- 
Kind Regards,
Jan
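The two points Jan makes (the PEM reader only looks at the armored BEGIN/END blocks and ignores the human-readable dump around them; a DER file is the same object in binary, which you can spot by its leading ASN.1 SEQUENCE byte 0x30) are easy to turn into a triage script. The following Python is an added example, not code from the thread or from OpenSSL, that lists the armored sections in a file, decodes their base64, and tells you whether a private key block is present, which is the check Paul's imapd.pem needed. The sample inputs are constructed: structurally valid DER with no real key or certificate material. The "certificate" versus "private key" guess for DER input is a heuristic on the first inner ASN.1 tag, not a full parser.

```python
import base64
import re
import textwrap

# One armored block; everything outside BEGIN/END is skipped, as openssl's PEM reader does.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
                      "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_sections(text):
    """Return [(label, der_bytes)] for every BEGIN/END block in `text`.
    The 'Certificate: Data: ...' dump that `openssl x509 -text` prepends is
    never matched, so it is ignored exactly as the real PEM reader ignores it."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        lines = [ln.strip() for ln in m.group(2).splitlines()]
        # Legacy encrypted keys carry "Proc-Type:"/"DEK-Info:" header lines before
        # the base64 body; base64 never contains ':' so dropping such lines is safe.
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        out.append((m.group(1), base64.b64decode(b64, validate=True)))
    return out


def der_shape(data):
    """Heuristic look at a DER blob.  Returns 'certificate', 'private key',
    'unknown' (well-formed SEQUENCE, unrecognised content) or None (not one
    complete DER SEQUENCE, i.e. PEM/text or truncated).
    X.509  Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }  -> inner tag 0x30
    RSAPrivateKey and PKCS#8 PrivateKeyInfo start SEQUENCE { version INTEGER } -> 0x02"""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first & 0x80 == 0:                       # short-form length
        hdr, length = 2, first
    else:                                       # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        hdr = 2 + n
        length = int.from_bytes(data[2:hdr], "big")
    if length == 0 or hdr + length != len(data):
        return None                             # empty, truncated, or trailing garbage
    return {0x30: "certificate", 0x02: "private key"}.get(data[hdr], "unknown")


def diagnose(data):
    """Classify the bytes of a key/cert file and say whether a private key is present."""
    shape = der_shape(data)
    if shape is not None:
        return {"format": "DER", "labels": [], "has_private_key": shape == "private key",
                "note": f"DER object shaped like a {shape}; inspect with -inform der"}
    sections = pem_sections(data.decode("ascii", errors="replace"))
    labels = [label for label, _ in sections]
    if not sections:
        return {"format": "unknown", "labels": [], "has_private_key": False,
                "note": "neither DER nor any BEGIN/END block: openssl cannot load this"}
    has_key = any(label in PRIVATE_KEY_LABELS for label in labels)
    return {"format": "PEM", "labels": labels, "has_private_key": has_key,
            "note": "PEM; only the armored blocks are read" +
                    ("" if has_key else "; no private key block, a server that needs one will fail")}


# --- constructed sample inputs (structurally valid DER, not real certs or keys) ---
DER_CERT_SHAPED = bytes.fromhex("30 05 30 03 01 01 ff")   # SEQUENCE { SEQUENCE { BOOLEAN TRUE } }
DER_KEY_SHAPED = bytes.fromhex("30 03 02 01 00")          # SEQUENCE { INTEGER 0 }


def pem_armor(label, der):
    """Wrap DER bytes in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"


# Shaped like Paul's imapd.pem: a readable dump first, then the armored block(s).
PREAMBLE = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            "        Serial Number: 3735943887 (0xdeadfacf)\n")
PEM_CERT_ONLY = (PREAMBLE + pem_armor("CERTIFICATE", DER_CERT_SHAPED)).encode()
PEM_CERT_AND_KEY = PEM_CERT_ONLY + pem_armor("RSA PRIVATE KEY", DER_KEY_SHAPED).encode()

if __name__ == "__main__":
    for name, blob in [("cert only (PEM)", PEM_CERT_ONLY), ("cert + key (PEM)", PEM_CERT_AND_KEY),
                       ("imapd.crt-style DER", DER_CERT_SHAPED), ("plain text", b"not a key\n")]:
        print(f"{name:22} -> {diagnose(blob)}")
```

To run it against real files, pass `open(path, "rb").read()` to `diagnose`; a result of `"format": "PEM"` whose labels contain only `CERTIFICATE` is the situation Jan describes, where `openssl verify` is happy but nothing in the file can serve as the server's private key.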
