
Background

  • We have MS Azure cloud hosting
  • Purchased a wildcard SSL certificate for my domain from a 3rd party (not Microsoft)
  • Created a CSR file + private key file
  • Used these & have been issued x509 and PKCS7 certs from SSL issuer
  • Azure requires a PFX file, so have been attempting to follow the ssl.com tutorial here: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Issue

Running the openssl command in terminal on my local machine (breaks inserted for readability)

openssl pkcs12 -export -out certificate.pfx -password pass:somepassword \
-inkey domain.key -in certificate.crt

I receive the following error:

140735704675208:error:0906D06C:PEM routines:PEM_read_bio:no start line
:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:704:
Expecting: ANY PRIVATE KEY

But I've supplied the key? I'm confused. I'm an SSL beginner when it comes to Azure. What am I doing wrong?

Note, I included the -password parameter because MS Azure expects PFX files to be password protected. This is not optional: they HAVE to be protected.

EDIT

Having regenerated a CSR & Key using Openssl, I get a new error that the key file isn't valid. To ensure I'm not missing something obvious:

  • What do I do with the X509?
  • What do I do with the PKCS7?
I have just typed your command in my own Comodo certs and it worked. Please check the pem files (the key with openssl rsa -in domain.key -check, and modulus from crt and key should match openssl x509 -noout -modulus -in certificate.crt | openssl md5 and, for the key openssl rsa -noout -modulus -in domain.key | openssl md5) – J.M. Robles

Thank you @J.M.Robles - I followed those steps: openssl rsa -in domain.key -check results in unable to load Private Key 140735704675208:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY – George R

Well, there are problems with your domain.key file. Please edit it to check if it is a good pem file and, if so, if the key is encrypted or not (first line). Mine is not encrypted (-----BEGIN PRIVATE KEY-----). – J.M. Robles

@J.M.Robles - my .key file starts/ends with -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- Should it not? – George R

Encrypted keys begin with -----BEGIN ENCRYPTED PRIVATE KEY-----. Your file is not (neither is mine). Please test if lines end with \r\n (in my file they end with \n) and try using another implementation of openssl (other OS). – J.M. Robles

1 Answer


Got bored messing about with openssl and terminal so found a GUI to do it. Steps:

This generates a password protected PFX which can then be uploaded to Azure.
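
The checks from the comments on the question (PEM header, line endings, matching modulus), collected into a script to run before the export. This is an added example, not code from the original thread; the BOM and UTF-16 checks go beyond what the comments mention, and the function names and the `PFX_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before `openssl pkcs12 -export`.

# Classify a PEM file. Prints: ok | missing | utf16 | bom | no-header | crlf
pem_check() {
    pf=$1
    [ -r "$pf" ] || { echo missing; return; }
    magic=$(head -c 3 "$pf" | od -An -tx1 | tr -d ' \n')
    case $magic in
        fffe*|feff*) echo utf16; return ;;  # UTF-16 BOM: the file is not ASCII PEM
        efbbbf)      echo bom;   return ;;  # UTF-8 BOM sits in front of -----BEGIN
    esac
    # The parser only accepts -----BEGIN at the very start of a line.
    grep -q '^-----BEGIN [A-Z0-9 ]*-----' "$pf" || { echo no-header; return; }
    cr=$(printf '\r')
    if grep -q "$cr\$" "$pf"; then echo crlf; return; fi  # line endings, per the comments
    echo ok
}

# RSA only (assumption): key and certificate must carry the same modulus.
pair_matches() {
    km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# make_pfx KEY CERT OUT; the password is read from $PFX_PASS, not from argv.
make_pfx() {
    for f in "$1" "$2"; do
        r=$(pem_check "$f")
        [ "$r" = ok ] || { echo "$f: $r, fix before exporting" >&2; return 1; }
    done
    pair_matches "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout env:PFX_PASS
}

# Constructed samples (placeholder body, not a real key): clean, UTF-8 BOM, CRLF.
make_samples() {
    h='-----BEGIN PRIVATE KEY-----'; e='-----END PRIVATE KEY-----'
    printf '%s\nQ09OU1RSVUNURUQ=\n%s\n' "$h" "$e" > "$1/clean.key"
    printf '\357\273\277%s\nQ09OU1RSVUNURUQ=\n%s\n' "$h" "$e" > "$1/bom.key"
    printf '%s\r\nQ09OU1RSVUNURUQ=\r\n%s\r\n' "$h" "$e" > "$1/crlf.key"
}

if [ "$#" -eq 3 ]; then make_pfx "$@"; fi
```

Passing the password through the environment keeps it out of the process list and shell history, unlike `-password pass:somepassword` on the command line.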