> From: [email protected] On Behalf Of Henrik Bach
> Sent: Thursday, 19 August, 2010 23:48
>
> I have got a valid certificate that contains a private key
> from a trusted web site.
>
You'd better not. A certificate contains only a public key. Certificates are (almost always) made public, and if a certificate contained a private key it wouldn't be private any more, and as a result security would be lost.

> However, I have problems using it by the web site tools and
> in that process trying to figure out why.
>
'web site tools' is rather vague. Do you mean you have a server, and a private key *and* certificate for that server? You need both, and they are different, in spite of lots of people who sloppily use 'certificate' to mean 'certificated identity'. If so, what you want is probably not 'verify' at all.

> When I run the command:
>
> $ openssl verify pk-XXXX.pem
> unable to load certificate
> 5564:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>
> Can someone tell me what I'm doing wrong.
>
Your file is apparently not a PEM format certificate. Either it's not PEM format at all (although the filename claims it is) or it's PEM but not a certificate. (The error message is slightly misleading; openssl actually reads either CERTIFICATE, which is (much) more common, *or* TRUSTED CERTIFICATE, but the message only says the latter.)

Look at the file with any convenient editor, or since you appear to be on Unixoid, cat -v or od -c. Does it consist of ASCII characters in lines? Is there one line of some hyphens BEGIN something more hyphens, followed by lines consisting only of alphanumeric and + / =, followed by a line of hyphens END something more hyphens? If so it's PEM; tell us what 'something' is.

If it's actually a PEM private key, and either you know the passphrase or it's not encrypted (which is bad practice), if it's RSA 'openssl rsa -in keyfile -check' will check that it's mathematically valid, although that doesn't say much because any key generation software (or hardware) that isn't grossly defective will satisfy that. If a private key is DSA or EC(DSA) I don't see any applicable checks.

If it looks like mostly random binary, maybe it's actually DER not PEM, in spite of the file name; maybe somebody (at some point) set a wrong option or copied the wrong file. Try 'openssl verify file -inform DER'.

Alternatively maybe it's something else. Post a dump (if it's big the first 256 bytes or so is plenty).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
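As an added example, not part of the thread and not the OpenSSL project's own code, the following POSIX sh script applies the checks the reply describes before any openssl command is run: it looks for a `-----BEGIN <something>-----` line, checks that the body between BEGIN and END is base64 only, and otherwise tests whether the first byte is the ASN.1 SEQUENCE tag (0x30) that a DER certificate or key starts with. It assumes POSIX sh with `od`, `awk`, `grep`, `sed` and `mktemp`; the sample files it writes are constructed stand-ins, not real certificates or keys; and the openssl command lines it maps each case to (`openssl verify` for a certificate, `openssl rsa -check` for an RSA key, `openssl pkey` for other key types, `openssl x509 -inform DER` to display a DER certificate) are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a file that was supposed to be a
# PEM certificate using the checks given in the reply, then print the openssl
# invocation that fits. Assumes POSIX sh, od, awk, grep, sed, mktemp.

# pem_label FILE: print the label of the first "-----BEGIN <label>-----" line,
# or nothing if the file has no such line.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# pem_body_ok FILE: succeed only if every line between BEGIN and END consists
# solely of base64 characters (alphanumeric, '+', '/', '='). A stray CR, a
# space or a pasted HTML fragment makes this fail.
pem_body_ok() {
    if awk '/^-----BEGIN /{inb=1; next} /^-----END /{inb=0} inb' "$1" \
        | grep -qv '^[A-Za-z0-9+/=]*$'; then
        return 1
    fi
    return 0
}

# looks_like_der FILE: DER certificates and keys begin with the ASN.1 SEQUENCE
# tag, byte 0x30, so "mostly random binary" starting that way is a DER candidate.
looks_like_der() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# classify FILE: print one of pem:<LABEL>, damaged-pem:<LABEL>, der, unknown.
classify() {
    label=$(pem_label "$1")
    if [ -n "$label" ]; then
        if pem_body_ok "$1"; then
            printf 'pem:%s\n' "$label"
        else
            printf 'damaged-pem:%s\n' "$label"
        fi
    elif looks_like_der "$1"; then
        printf 'der\n'
    else
        printf 'unknown\n'
    fi
}

# suggest_command FILE: map the classification to an openssl command line.
# Nothing is executed here; the caller decides whether to run it.
suggest_command() {
    case "$(classify "$1")" in
        "pem:CERTIFICATE"|"pem:TRUSTED CERTIFICATE")
            printf 'openssl verify %s\n' "$1" ;;
        "pem:RSA PRIVATE KEY")
            printf 'openssl rsa -in %s -check -noout\n' "$1" ;;
        "pem:"*"PRIVATE KEY")
            # DSA, EC or PKCS#8 keys: pkey parses them; -check is only for RSA
            printf 'openssl pkey -in %s -noout\n' "$1" ;;
        der)
            printf 'openssl x509 -inform DER -in %s -noout -text\n' "$1" ;;
        damaged-pem:*)
            printf 'PEM body has non-base64 characters; inspect with: cat -v %s\n' "$1" ;;
        *)
            printf 'unrecognised format; dump the first bytes with: od -c %s | head\n' "$1" ;;
    esac
}

# make_samples DIR: write constructed sample files (not real keys or certs)
# so the classifier can be exercised offline.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBAAAA' 'AAAA==' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEAAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
    # a space inside the body is enough to make PEM_read_bio reject the file
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB AAAA' \
        '-----END CERTIFICATE-----' > "$1/broken.pem"
    # binary starting with the SEQUENCE tag 0x30 (octal 060)
    printf '\060\202\001\000\060\202\000\001' > "$1/cert.der"
    printf 'this is not a certificate at all\n' > "$1/notes.txt"
}

# Usage: sh classify_pem.sh FILE...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify "$f")"
    suggest_command "$f"
done
```

Run it against the file the error message complains about; `damaged-pem:` is the case the thread's `no start line` error most often hides (a PEM file whose BEGIN line or body was mangled in transit), and `der` is the "mostly random binary" case.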
