I was half wrong before.

The base64 read in EVP_Decode* allows 76. But the PEM parser in PEM_read_bio enforces exactly 64 >>only for input files that have PEM-encrypt headers<< which in practice is only encrypted legacy-format privatekey files.

(Nonprivate things like cert, CSR, publickey, params, etc. aren’t encrypted at all. PKCS8 privatekey or PKCS12 key-plus-cert is encrypted within the ASN1, not as PEM.)

I have and know of no software to create encrypted legacy-format privatekeys other than OpenSSL itself which always writes 64, so I never encountered this before.

(Other sw does do PKCS8-e or PKCS12 but see above.)

(As seen elsethread, OP apparently had PEM certs where PEM key was expected.)

 

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Tuesday, September 09, 2014 08:09
To: OpenSSL Users List
Subject: Re: cannot read PEM key file - no start line

On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <f...@sbcglobal.net> wrote:

All,

I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:

2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I just tried to duplicate with a key (not a certificate) that uses line breaks 
at 76 characters. I don't have a certificate because my routines don't support 
certificates. But it should reveal a little about the OpenSSL parser.

Reading the public and private keys was OK when the line size was 76 (see 
below). So the OpenSSL parser is lenient during a read. This seems very 
reasonable to me.

Reading an encrypted private key resulted in an error "PEM_read_bio:bad end 
line:pem_lib.c:802" when the line size was 76 (see below). This kind of 
surprised me.

Since you are receiving the "no start line" error (and not another error), I 
would suspect you are reading an ASN.1/DER encoded certificate; and not a PEM 
encoded certificate. The error occurred before anything related to line lengths.

<snip rest>
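A pre-flight check for the three failure causes raised in this thread (no PEM armor or DER input, a PEM-encrypted block not wrapped at 64, certificates where a key was expected), as an added example that is not part of the original messages. The names `diagnose_key_file` and `make_sample` are hypothetical, the inputs are constructed dummies, and the rules mirror what the posters report rather than OpenSSL's own code.

```python
import base64, re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def diagnose_key_file(data: bytes) -> list:
    """List reasons, per this thread, why a PEM private-key read may fail."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:  # nothing for the PEM reader to anchor on
        if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag
            return ["no start line: begins with 0x30, likely raw ASN.1/DER"]
        return ["no start line: no BEGIN/END armor found"]
    findings = []
    for label, body in blocks:
        lines = body.splitlines()
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        if encrypted:  # PEM headers end at the first blank line
            lines = lines[lines.index("") + 1:] if "" in lines else []
        b64 = [l.strip() for l in lines if l.strip()]
        exact64 = all(len(l) == 64 for l in b64[:-1]) and all(len(l) <= 64 for l in b64[-1:])
        if encrypted and not exact64:
            findings.append(f"{label}: PEM-encrypted block not wrapped at exactly 64")
        elif any(len(l) > 76 for l in b64):
            findings.append(f"{label}: base64 line longer than 76")
        else:
            findings.append(f"{label}: ok")
    if not any("PRIVATE KEY" in label for label, _ in blocks):
        findings.append("no private key block: file holds only " + ", ".join(l for l, _ in blocks))
    return findings

def make_sample(label: str, width: int, encrypted: bool = False) -> bytes:
    """Constructed input: dummy bytes in PEM armor, not real key material."""
    b64 = base64.b64encode(bytes(range(200))).decode()
    head = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC," + "0" * 32 + "\n\n" if encrypted else ""
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n".encode()

if __name__ == "__main__":
    for name, blob in [("DER", b"\x30\x82\x01\x0a" + bytes(16)),
                       ("encrypted key, 76 cols", make_sample("RSA PRIVATE KEY", 76, True)),
                       ("certificate only", make_sample("CERTIFICATE", 64))]:
        print(name, "->", diagnose_key_file(blob))
```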
