OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

I need a hash-name for file for posting in Stunnel's CApath directory. I have got some certs in this directory and they are working well. Also, I have a server sert and server key:

cert = c:\Program Files (x86)\stunnel\server_cert.pem 
key = c:\Program> Files (x86)\stunnel\private\server_key.pem

When I try to calculate a hash of my new cert, I get an error:

/etc/pki/tls/misc/c_hash cert.pem

unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

As I understand I must sign my cert, but I don't understand how I can do that. Please, provide the solution.

P.S.:

The message

unable to load certificate 140603809879880:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:

posted when I made c_hash for cert.pem This is not server_cert.pem, this is Root_CA and it is content something like

-----BEGIN CERTIFICATE-----  
...6UXBNSDVg5rSx60=.. 

-----END CERTIFICATE-----

When I write

openssl x509 -noout -text -in cert.pem

In console panel I see this info:

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, ST=BB, L=BB, O=BANKSYS NV, OU=SCY, CN=TEST Root CA
        Validity
            Not Before: May 31 08:06:40 2005 GMT
            Not After : May 31 08:06:40 2020 GMT
        Subject: C=BE, ST=BB, L=BB, O=BB NV, OU=SCY, CN=TEST Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:82:c8:58:1e:e5:7a:b2:63:a6:15:bd:f9:bb:1f:
............
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                76:70:AB:92:9B:B1:26:CE:9E:93:D8:77:4F:78:0D:B8:D4:6C:DA:C6
    Signature Algorithm: sha1WithRSAEncryption
         2c:7e:bd:3f:da:48:a4:df:8d:7c:96:58:f7:87:bd:e7:16:24:
...............

Try to run this openssl x509 -hash -noout -in it does hash extraction, see if it helps?

that's useful. Thanks. But in STunnel log I see the error SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket when I try ro make connection

That means something else altogether, it means that both sides are not using the same ca for their CA certificate

Thanks, openssl x509 -text -inform DER -in server_cert.pem converted my p7b encoded(?) certificate to something usable.

My problem wasn't CRLF line endings as described here, but this suggestion was enough to get me on track. My problem was the my file was saved double-byte Unicode with a BOM, and openssl for windows couldn't deal with that. I resaved as ascii and it worked.

Thanks @ElroyFlynn, that was my problem too — openssl on Linux has the same trouble if there's a BOM at the beginning of the file.

+1. In my case, the problem (once I looked carefully) was that I actually had a certificate request (-----BEGIN CERTIFICATE REQUEST-----) rather than a certificate (-----BEGIN CERTIFICATE-----). I was able to inspect it by using openssl req ... rather than openssl x509 ....

M kinda noob, pls suggest me..How to edit this file in mac

I had a similar error. Inverting the order worked for me.

My keys came in seperate files I needed to create a new file: cat $SOURCE/privkey.pem $SOURCE/fullchain.pem > server.pem

Yes! This worked for me. Note PEM certificates exported from Apple's Keychain utility don't have the BOM and this upsets some programs.

For anyone else who has this error, my problem was that I was running the command to convert .p7b to .cer as openssl pkcs7 -in pkcs7.p7b -print_certs > pem.cer, the solution was to use -out instead of >, so openssl pkcs7 -in pkcs7.p7b -print_certs -out pem.cer

at least i am not the only one who made this mistake... i am surprised the module does not alert us to this.

this took me hours to work out. All starting with a cryptic error from xmlsec1, key is not found

No need for -text parameter