Hi Viktor,

Thanks for the info. I will try what you suggested today. However, I am a bit confused by what you are saying - "You may need to separately specify a CAfile, or CApath for validating the server certificate."

I have the two pem files below. I thought the DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem file resided on the MongoDB database server and I was supposed to connect from my C++ app with the DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem file. I am new to this, so I am sorry for not understanding completely.

- DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem
  - private key of DTCD9C3B2F42757.ent.wfb.bank.corp machine
  - certificate for DTCD9C3B2F42757.ent.wfb.bank.corp, signed by WF Enterprise CA 02
- DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem
  - WF Enterprise CA 02 certificate, signed by WF Root
  - WF Root certificate

Thanks,
Liz

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, September 08, 2014 8:28 PM
To: openssl-users@openssl.org
Subject: Re: cannot read PEM key file - no start line

On Mon, Sep 08, 2014 at 08:14:32PM -0700, Liz Fall wrote:

> I am trying to connect to a MongoDB SSL-enabled database. This is the API:
>
> // only really need a PEM on the server side
> mongo::sslGlobalParams.sslPEMKeyFile = "<path/to/keyfile.pem>";

The comment is highly misleading. PEM is a "meta" format. It encapsulates base64 encoded blobs between BEGIN/END headers/trailers, allowing multiple objects to be concatenated unambiguously and transported undamaged via ASCII email.

Since this is a client, what goes here is likely a client certificate chain and a client private key, or just NULL, if client certificates are not employed (you're likely authenticating the client with a username and password instead).

    ------ BEGIN RSA PRIVATE KEY -----
    private key for client cert base64 encoded
    ------ END RSA PRIVATE KEY -----
    ------ BEGIN CERTIFICATE -----
    client cert base64 encoded
    ------ END CERTIFICATE -----
    ------ BEGIN CERTIFICATE -----
    intermediate issuer base64 encoded
    ------ END CERTIFICATE -----
    ...
    ------ BEGIN CERTIFICATE -----
    root issuer base64 encoded
    ------ END CERTIFICATE -----

I would try NULL first. You may need to separately specify a CAfile, or CApath for validating the server certificate.

--
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
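
Added example, not part of the original thread and not code from OpenSSL or the MongoDB driver: a small C++ check that lists the PEM blocks in a file's text and says whether it holds a private key plus certificate (usable as a PEM key file) or certificates only (a CA bundle, like the second file described above). A certificate-only file handed to a key-file setting has no private key block for OpenSSL to find, which is one way to get the "no start line" error from the subject line. The names pem_labels, classify, PemRole and the sample strings are assumptions made for this illustration; real PEM boundary lines use exactly five dashes with no inner spaces.

```cpp
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Labels of all PEM blocks in file order; throws on an unclosed or mismatched block.
std::vector<std::string> pem_labels(const std::string& text) {
    const std::string begin = "-----BEGIN ", end = "-----END ", tail = "-----";
    std::vector<std::string> labels;
    std::string open, line;
    std::istringstream in(text);
    while (std::getline(in, line)) {
        while (!line.empty() && (line.back() == '\r' || line.back() == ' ')) line.pop_back();
        if (line.size() < 5 || line.compare(line.size() - 5, 5, tail) != 0) continue;
        if (line.compare(0, begin.size(), begin) == 0) {
            if (!open.empty()) throw std::runtime_error("BEGIN inside open block " + open);
            open = line.substr(begin.size(), line.size() - begin.size() - 5);
        } else if (line.compare(0, end.size(), end) == 0) {
            std::string label = line.substr(end.size(), line.size() - end.size() - 5);
            if (label != open) throw std::runtime_error("unexpected END " + label);
            labels.push_back(label);
            open.clear();
        }
    }
    if (!open.empty()) throw std::runtime_error("missing END for " + open);
    return labels;
}

enum class PemRole { KeyAndCert, KeyOnly, CertsOnly, Empty };
// KeyAndCert suits a PEM key file; CertsOnly suits a CA file and has no key to load.
PemRole classify(const std::string& text) {
    bool key = false, cert = false;
    for (const std::string& l : pem_labels(text)) {
        if (l.size() >= 11 && l.compare(l.size() - 11, 11, "PRIVATE KEY") == 0) key = true;
        else if (l == "CERTIFICATE") cert = true;
    }
    return key ? (cert ? PemRole::KeyAndCert : PemRole::KeyOnly)
               : (cert ? PemRole::CertsOnly : PemRole::Empty);
}

// Constructed samples; the base64 bodies are placeholders, not real keys or certificates.
const std::string kCert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n";
const std::string kKeyAndCert =
    "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n" + kCert;
const std::string kCaBundle = kCert + kCert;  // two CA certificates, no private key
int main() {
    const char* names[] = {"key+cert", "key only", "certs only", "empty"};
    std::cout << names[int(classify(kKeyAndCert))] << " / " << names[int(classify(kCaBundle))] << '\n';
}
```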