Unable to load Private Key. (PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: ANY PRIVATE KEY) [closed]

105
votes

I have a .key file which is PEM formatted private key file. I didn't make this file but I got this from somewhere.

I wanted to see its MD5 hash with openssl tool like below command.

openssl rsa -in server.key -modulus -noout

But this generates below error.

unable to load Private Key
13440:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:648:Expecting: ANY PRIVATE KEY

Here's some asn1parse of the .key file.

openssl asn1parse -in server.key
0:d=0  hl=4 l= 603 cons: SEQUENCE
4:d=1  hl=2 l=   1 prim: INTEGER           :00
7:d=1  hl=3 l= 129 prim: INTEGER           :C141201603899993919CBAA56985E9C7
C6A2AF713A02F5FE88D38CEFBED9304599689280B84B0AB577A9719CA20DDA1246A894AF397A2C57
EE5A582B036CC367E3667454DCD82DBDBF187C35FE39F61C71B517DDDF576F5471B4EC2E045E0F9D
619F5616C4E832F00CBD0DBF41B4BA3CBC4B4B603AE1FE61965917DA732E0DEF
139:d=1  hl=2 l=   3 prim: INTEGER           :010001
144:d=1  hl=3 l= 128 prim: INTEGER           :1687B9AE67562CEDEBDD7A531B84CDB7
093CE138519B93C34B7F626076FF0A262B16EA71904ACB6251A39307C04ADE202055BA13DD9F1539
6123EE408183361A9BC08B9413FA360EA928E48CC3F52B33ACF2980758F02BA2139F652F30A257C2
2E45D7C25835FC4D22B9ECECC12AB632318D4F47E1EBDAD9781B96BCFF03A2D1

 ...

Is there anything more I can try?

15
opensslprivate-key
What is the exact header/footer of the PEM file? You can get this error if you are sending in a public key. Also, the command you listed will not give the MD5 hash. It will give the modulus of the key.gtrig
I had used scp to copy the file from Windows to Ubuntu. To fix it, I deleted the file on Ubuntu, created a new empty file there, and used vim and then pasted in the correct contents.Ryan

15 Answers

90
votes

Open the key file in Notepad++ and verify the encoding. If it says UTF-8-BOM then change it to UTF-8. Save the file and try again.

60
votes

I changed the header and footer of the PEM file to 

-----BEGIN RSA PRIVATE KEY-----

and

-----END RSA PRIVATE KEY-----

Finally, it works!

40
votes

Your .key file contains illegal characters. You can check .key file like this:

# file server.key

output "server.key: UTF-8 Unicode (with BOM) text" means it is a plain text, not a key file. The correct output should be "server.key: PEM RSA private key".

Use below command to remove illegal characters:

# tail -c +4 server.key > new_server.key

The new_server.key should be correct.

For more detail, you can click here

8
votes

Create CA certificate

openssl genrsa -out privateKey.pem 4096
openssl req -new -x509 -nodes -days 3600 -key privateKey.pem -out caKey.pem
7
votes
> I have a .key file which is PEM formatted private key file.
> ...
> Here's some asn1parse of the .key file...

That it appears OK with asn1parse leads me to believe its not PEM encoded.

Is there anything more I can try?

Because it appears to be ASN.1, try:

$ openssl rsa -in server.key -inform DER -modulus -noout

Notice the -inform DER to switch between encodings.

5
votes

Resolution on my side. Change Encoding to UTF8 without BOM

4
votes

Remove any whitespace at the start of the .key file.

2
votes

I'm on Windows 10 and I saved my key with Windows1252 encoding and it worked for me. On another Stack Overflow question some people were fixing this with UTF-8 with BOM.

In other words, it may be the file encoding.

1
votes

May be the private key itself is not present in the file.I was also faced the same issue but the problem is that there is no private key present in the file.

0
votes

This could happen if you are trying to use your public key to create certificate instead of your private key. You should use private key

0
votes

I received RTF files for private and public keys for SSL certificate HTTPCS. the way which works for me to make .pfx with password is: convert rtf private key file(privateKey.rtf) (with free online converter) to plain text format: privateKey.txt (don't copy/paste text from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- to a new text file, it doesn't work) open converted plain text file in Nodepad++ and change encoding to UTF-8 instead of UTF-8 BOM and change extension to .key. Save it run Openssl console in certificate folder:

pkcs12 -export -out C:\Users\user\Documents\CertFolder\Cert.pfx -inkey C:\Users\user\Documents\CertFolder\privateKey.key -in C:\Users\user\Documents\CertFolder\certificate.crt

openssl will ask password, create your own password for your certificate and then you have your .pfx to be use in IIS setting, SOAPUI, MMC,.. Good luck

-1
votes

Had same issue today, and noticed that this occurs when owner/group of file is not the one running app that reads key. Maybe is your issue too.

-1
votes

None of the other answers seemed correct in my case, however I found the real answer here

My id_rsa file was already in PEM format, I just needed to add the .pem extension to the filename.

Thanks to

The possible options to the openssl rsa -inform parameter are one of: PEM DER

A PEM encoded file is a plain-text encoding that looks something like:

-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEA0tlSKz5Iauj6ud3helAf5GguXeLUeFFTgHrpC3b2O20CAwEAAQIh
ALeEtAIzebCkC+bO+rwNFVORb0bA9xN2n5dyTw/Ba285AhEA9FFDtx4VAxMVB2GU
QfJ/2wIRANzuXKda/nRXIyRw1ArE2FcCECYhGKRXeYgFTl7ch7rTEckCEQDTMShw
8pL7M7DsTM7l3HXRAhAhIMYKQawc+Y7MNE4kQWYe
-----END RSA PRIVATE KEY-----

While DER is a binary encoding format.

-1
votes

In our case what caused the issue is that the private key we were trying to use was encrypted with a passphrase.

We had to decrypt the private key using ssh-keygen -p before we could use the private key with the openssl command line tool.

-3
votes

If your certificate is from godaddy you just need to change the encoding from UTF-8 (BOM) to UTF 8 and rename the file as private.key.