We may come across the OpenSSL “Unable to load certificate” error if we paste the cert from a browser.

It is most likely that we may miss the  CR and LF characters making OpenSSL not read/load the cert file.

As part of our Server Management Services, we assist our customers with several OpenSSL queries.

Today, let us see how our techs fix this error.

OpenSSL “Unable to load certificate” error

In order to begin, our Support Techs recommend having OpenSSL 0.9.7a and RHEL5.

Most often, the error message will look like the following:

Unable to load certificate PEM routines PEM_read_bio:bad base64 decode:pem_libc

In this case, we need to make sure to enclose cert within BEGIN CERTIFICATE and END CERTIFICATE statements.

openssl error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

Another scenario is the above error. Recently for one of our customers, Java keytool could read an X509 certificate file, but OpenSSL could not.

He thought it must be in DER instead of PEM,” but it was in PEM (plain text).

This is because OpenSSL is picky about PEM certificate formatting.

Moving ahead, let us see how our Support Techs fix these issues.

1. First and foremost, the file must contain:

—–BEGIN CERTIFICATE—–

It should be in a separate line.

2. In addition, each line of “gibberish” must be 64 characters wide.

3. And the file must end with:

—–END CERTIFICATE—–

Like the prior, this should also be terminated with a new line.

4. Then we ensure, not to save the cert text with Word. We save it in ASCII.

5. Similarly, we should not mix DOS and UNIX style line terminations.

Here are a few steps our Support Techs employ to normalize the certificate:

1. First, we run it through dos2unix:

dos2unix cert.pem

2. Then we run it through the fold:

fold -w 64 cert.pem

[Couldn’t fix the error? We can help you fix it]

Conclusion

In short, we saw how our Support Techs resolve the OpenSSL queries for our customers.