[openssl-users] Signing a CSR with x509 that is in DER format gives PEM read error
hawk at kmpc.net
Sun Jun 19 19:01:01 UTC 2016
Real new to openssl as my product has just added a feature to upload
certs for https access which I need to test.
I have been using the tools to create the different types of certs that
I want to test our feature with and have had good success after a few
One of the invalid tests I want to try is upload a signed cert in DER
format. So going full bore I tried this:
* generate rsa key in PEM format with genrsa
* convert key to DER with rsa
* create the CSR in DER format with req
All of these I checked are in DER format as they can only be parsed if I
use the '-inform DER' option for their respective cmds.
But trying to sign the CSR I get an error like x509 is trying to read a
139782416189088:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
I am using the option to tell x509 the CSR and the signing key is in DER
format but it seems to not have any affect for the CSR. If I change the
cmds so the CSR is in PEM format the x509 signing works with the DER key.
On the other hand, as expected, if I just create a self-signed PEM
format cert I can use x509 to convert it to DER format. But I wanted to
understand if I am seeing a bug or if my understanding is incorrect.
Here are the req and x509 cmds from my bash script that I am using:
openssl req -config $CONF -new -keyform DER -key
$MISC/der_format_der.key -outform DER -out $MISC/der_format.csr
openssl x509 -req -in $MISC/der_format.csr -out $MISC/der_format.crt
-inform DER -outform DER \
-signkey $MISC/der_format_der.key -keyform DER -days 365
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users