[openssl-users] Signing a CSR with x509 that is in DER format gives PEM read error

Paul Hawkins hawk at kmpc.net
Sun Jun 19 19:01:01 UTC 2016

Real new to openssl as my product has just added a feature to upload 
certs for https access which I need to test.

I have been using the tools to create the different types of certs that 
I want to test our feature with and have had good success after a few 

One of the invalid tests I want to try is upload a signed cert in DER 
format.  So going full bore I tried this:

  * generate rsa key in PEM format with genrsa
  * convert key to DER with rsa
  * create the CSR in DER format with req

All of these I checked are in DER format as they can only be parsed if I 
use the '-inform DER' option for their respective cmds.

But trying to sign the CSR I get an error like x509 is trying to read a 

139782416189088:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST

I am using the option to tell x509 the CSR and the signing key is in DER 
format but it seems to not have any affect for the CSR.  If I change the 
cmds so the CSR is in PEM format the x509 signing works with the DER key.

On the other hand, as expected, if I just create a self-signed PEM 
format cert I can use x509 to convert it to DER format.  But I wanted to 
understand if I am seeing a bug or if my understanding is incorrect.

Here are the req and x509 cmds from my bash script that I am using:

openssl req -config $CONF -new -keyform DER -key 
$MISC/der_format_der.key -outform DER -out $MISC/der_format.csr

openssl x509 -req -in $MISC/der_format.csr -out $MISC/der_format.crt 
-inform DER -outform DER \
              -signkey $MISC/der_format_der.key -keyform DER -days 365 
-set_serial 14

Paul Hawkins

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160619/8ad3c5dc/attachment.html>

More information about the openssl-users mailing list