Bobcares

OpenSSL “Unable to load certificate” error

by | Oct 28, 2021

We may encounter the OpenSSL “Unable to load certificate” error if we paste the cert from a browser.

Most likely the paste loses the CR and LF characters (the line breaks), which prevents OpenSSL from reading and loading the cert file.

As part of our Server Management Services, we assist customers with several OpenSSL queries.

Today, let us see how our techs fix this error.


OpenSSL “Unable to load certificate” error

In order to begin, our Support Techs recommend having OpenSSL 0.9.7a and RHEL5.

Most often, the error message will look like the following:

Unable to load certificate PEM routines PEM_read_bio:bad base64 decode:pem_libc

In this case, we need to enclose the cert within the BEGIN CERTIFICATE and END CERTIFICATE lines.

openssl error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

The error above is another scenario. Recently, for one of our customers, Java keytool could read an X509 certificate file, but OpenSSL could not.

He thought it must be in DER instead of PEM, but it was in PEM (plain text).

This is because OpenSSL is picky about PEM certificate formatting.

Common Causes of “Unable to Load Certificate” Error

  • OpenSSL expects a certificate file in a specific format, commonly PEM (Privacy-Enhanced Mail). OpenSSL cannot load the certificate if it is in a different format, such as DER (binary), PFX, or PKCS#7.
  • PEM files require specific headers and footers to identify the certificate content.
  • If the certificate file has restricted permissions, OpenSSL may be unable to access it. Ensure the file has read permissions for the user executing the command.
  • A certificate file may become corrupted during transfer or if it is not properly generated. Corrupted files can prevent OpenSSL from loading the certificate.
  • Certain OpenSSL commands require different input or expect files in specific formats. For example, attempting to read a private key file as a certificate will trigger an error.


How to Fix OpenSSL “Unable to load certificate” error

Moving ahead, let us see how our Support Techs fix these issues.

1. First and foremost, the file must contain:

-----BEGIN CERTIFICATE-----

It should be on a line of its own.

2. In addition, each line of base64 “gibberish” must be 64 characters wide.

3. And the file must end with:

-----END CERTIFICATE-----

Like the BEGIN line, this should also be terminated with a newline.

4. Then we ensure that the cert text is not saved with Word. We save it as plain ASCII.

5. Also, we should not mix DOS and UNIX style line terminations.

Verify File Permissions

Check if the file has sufficient read permissions for the OpenSSL command user.

ls -l certificate.pem

If the permissions are too restrictive, change them to allow read access:

chmod 644 certificate.pem

This command makes the file readable by the owner and other users, allowing OpenSSL to access it.

Check for File Corruption

If the certificate file is corrupt, we may see unusual characters or binary content when we open it in a text editor. We can try re-downloading or regenerating the certificate from the certificate authority (CA).

Convert Between Certificate Formats if Necessary

If the certificate is in PKCS#7 format, OpenSSL cannot directly read it as a standard PEM certificate. We can convert it with the following command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

This converts a PKCS#7 certificate (.p7b) to PEM format, making it compatible with OpenSSL’s x509 commands.

How to normalize the Certificate

Here are a few steps our Support Techs employ to normalize the certificate:

1. First, we run it through dos2unix:

dos2unix cert.pem

2. Then we run it through fold to re-wrap the lines at 64 columns. Since fold writes to standard output, we redirect the result to a new file:

fold -w 64 cert.pem > cert-fixed.pem
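As an added example (not code from the original post or from Bobcares), the five formatting rules above and the dos2unix/fold normalization combined in one Python function: it converts every line ending to LF, drops and re-emits the BEGIN/END lines on their own lines, checks that the body is valid base64 that decodes to an ASN.1 SEQUENCE (the outer structure of a DER certificate), and re-folds the body to 64 columns with a trailing newline. The FAKE_DER sample is constructed for the demonstration and is not a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed stand-in for a DER certificate (NOT a real certificate): an
# ASN.1 SEQUENCE header followed by 60 dummy bytes, enough to exercise folding.
FAKE_DER = b"\x30\x3c" + bytes(range(60))


def normalize_pem(text: str) -> str:
    """Return a PEM block OpenSSL will accept, or raise ValueError."""
    # Step 5: no mixed DOS/UNIX endings; rewrite every CRLF or CR as LF.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    chunks = []
    for line in text.split("\n"):
        line = "".join(line.split())  # drop all whitespace inside the line
        if line and not line.startswith("-----"):  # skip blanks and armor lines
            chunks.append(line)
    body = "".join(chunks)
    # A browser paste can carry stray characters; check the alphabet first so
    # the failure is explained here rather than as OpenSSL's "bad base64 decode".
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("body contains characters outside the base64 alphabet")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 decode: {exc}") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not an ASN.1 SEQUENCE (not a DER cert)")
    # Steps 1-3: armor lines on their own lines, body folded to 64 columns,
    # and a newline after the END line.
    folded = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{folded}\n{END}\n"


def body_bytes(pem: str) -> bytes:
    """Decode the base64 body of a normalized PEM block back to DER bytes."""
    lines = pem.strip().split("\n")
    return base64.b64decode("".join(lines[1:-1]))


def pasted_sample() -> str:
    """Simulate a browser paste: CRLF ending, no armor, body on one long line."""
    return base64.b64encode(FAKE_DER).decode() + "\r\n"
```

Run normalize_pem on the pasted text and write the result to a file before calling openssl x509 on it; a ValueError means the paste itself is damaged and re-copying is needed rather than reformatting.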



Conclusion

In short, we saw how our Support Techs resolve the OpenSSL queries for our customers.


2 Comments

  1. Michael White

    > “Like the prior, this should also be terminated with a new line.”

    This was my problem. Picky is right! Thanks for the post, Nicky!

    Reply
    • Hiba Razak

      Thanks for the feedback. We are glad to know that it worked for you.

      Reply
