Can't get private key with openssl (no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY)
Solution 1
It looks like you have a certificate in DER
format instead of PEM
. This is why it works correctly when you provide the -inform PEM
command line argument (which tells openssl what input format to expect).
It's likely that your private key is using the same encoding. It looks as if the openssl rsa
command also accepts a -inform
argument, so try:
openssl rsa -text -in file.key -inform DER
A PEM
encoded file is a plain-text encoding that looks something like:
-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----
While DER
is a binary encoding format.
Update
Sometimes keys are distributed in PKCS#8 format (which can be either PEM or DER encoded). Try this and see what you get:
openssl pkcs8 -in file.key -inform der
Solution 2
I ran into the 'Expecting: ANY PRIVATE KEY' error when using openssl on Windows (Ubuntu Bash and Git Bash had the same issue).
The cause of the problem was that I'd saved the key and certificate files in Notepad using UTF8. Resaving both files in ANSI format solved the problem.
Solution 3
You need re-encrypt the ssh key file with the -m PEM
option.
ssh-keygen -p -f keyfile -m PEM
.
Detail:
This issue is caused by the some version of ssh-keygen generated encrypted file format which is not openssl wanted.
I had same issue when I used ssh-keygen -p -f keyfile
to encrypt the key file, the result will be like
-----BEGIN OPENSSH PRIVATE KEY-----
then I encountered this issue: openssl rsa < keyfile
does not work with same error as the questioner.
The other day I happened find that another encrypted key file was like
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,xxxxxxxxx..
and this file could be decrypted by openssl rsa < keyfile
.
It turns out that different ssh-keygen
generates different encrypted format, and need respective openssl version to decrypt.
It seems for modern openssl (mine is 1+), it need the latter format.
So I ended up with following solution: re-encrypt the ssh key file with the -m PEM
option.
ssh-keygen -p -f keyfile -m PEM
then enter for old password and new password.
The -m PEM
option will generate
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,xxxxxxxxx..
Then I can use the openssl rsa < keyfile
to decrypt the file later.
(Of course if you enter empty password in the above ssh-keygen command, you will also get decrypted result, but that is probably not what you want because you don't want save a decrypted key file on disk).
Solution 4
My two cents: came across the same error message in RHEL7.3 while running the openssl command with root CA certificate. The reason being, while downloading the certificate from AD server, Encoding was selected as DER instead of Base64. Once the proper version of encoding was selected for the new certificate download, error was resolved
Hope this helps for new users :-)
Solution 5
On my execution of openssl pkcs12 -export -out cacert.pkcs12 -in testca/cacert.pem
, I received the following message:
unable to load private key 140707250050712:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY`
Got this solved by providing the key file along with the command. The switch is -inkey inkeyfile.pem
helado
Updated on November 13, 2021Comments
-
helado over 2 years
I have a .key file, when I do
openssl rsa -text -in file.key
I get
unable to load Private Key 140000419358368:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
Also I have a .cer file and when I do
openssl x509 -text -in file.cer
I get
unable to load certificate 140387178489504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
But if as pointed here I run the command like:
openssl x509 -text -inform DER -in file.cer
I get
Certificate: Data: Version: 3 (0x2) Some more information ... -----BEGIN CERTIFICATE----- MIIEdDCCA1ygAwIBAgIUMjAwMDEwMDAwMDAxMDAwMDU4NjcwDQYJKoZIhvcNAQEF ... -----END CERTIFICATE-----
But that doesn't seem to work with the key, because when I run
openssl rsa -text -inform DER -in aaa010101aaa__csd_10.key
I get
unable to load Private Key 140004844304032:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337: 140004844304032:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:849: 140004844304032:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=version, Type=RSA 140004844304032:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115: 140004844304032:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337: 140004844304032:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:849: 140004844304032:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=version, Type=PKCS8_PRIV_KEY_INFO
How can I get the private key and its certificate?
-
larsks almost 9 yearsYou're going to have to show us what the private key file looks like, otherwise we're just guessing.
-
helado almost 9 yearsOk, but its in binary, how can I show you the contents of the key? I tried with vi in binary mode (vi -b) but shows an almost unreadable output
-
larsks almost 9 yearsSee my update first. If your private key really is something you can share with us (in which case it's not really "private" anymore), you could generate a hex dump using
od -x
. If you want to keep it private, you're probably going to need to contact the source of the key for more information. -
Tobias about 5 yearsSame here. I tried so much things like changing permissins, paths and headline - but didn't think about encoding ...
-
Robert Lujo about 5 yearsThanks, this helped! For conversion I used this command: iconv -f utf-8 -t ascii -c server.key > server.key2
-
Dan Nissenbaum about 5 yearsF*&&% &*^%. That ate through a few precious hours. No discussion of this anywhere. Indeed, the private key file I downloaded from GoDaddy included the byte-order mark (BOM), causing expressjs.https to fail to load the private key.
-
a2f0 almost 5 years
iconv -c -f UTF8 -t ASCII cert.key > cert2.key
to convert -
Saites over 4 yearsSmall correction to @dps - the input format should be
-f UTF-8
instead of-f UTF8
. -
a2f0 over 4 years@Saites it looks to me like UTF8 and UTF-8 are interchangeable, try
iconv --list | grep UTF
-
Saites over 4 years@dps I probably just have an old version.
iconv --version
showsiconv (GNU libiconv 1.14)
.iconv --list | grep UTF
only shows names with-
s in them. This command:echo "hello" | iconv -f UTF8
fails with error:iconv: conversion from UTF8 unsupported
, but this works:echo "hello" | iconv -f UTF-8
-
WeisserHund over 3 yearsDING DING - this was the solution for me -