Expecting: TRUSTED CERTIFICATE while converting pem to crt

  • I am trying to generate a private-public key pair and convert the public key into a certificate which can be added into my truststore.

    To generate private & public key:

    openssl rsa -in private.pem -outform PEM -pubout -out public_key.pem

    Now I am trying to convert this to a certificate:

    openssl x509 -outform der -in public_key.pem -out public.cer

    But I get an error:

    7962:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

    All tutorials show that I have to convert pem to crt before adding to a truststore.

  • You cannot "convert" a public key to a certificate. A certificate includes the public key, but it also includes more information like the subject, the issuer, when the certificate is valid, etc. And a certificate is signed by the issuer. Thus, what you would need instead is to create a certificate signing request (CSR), which includes the public key but also includes all the additional information. This CSR then needs to be signed by a certificate authority (CA), which then results in the certificate.

    For creating a simple self-signed certificate which is not trusted by any browser see How to create a self-signed certificate with openssl?.

    So in this example:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

    key.pem will contain both private and public key?

    @user1692342: I'm not sure how the question in the comment relates to the original question. But: key.pem is the private key which includes the public key and the public key is also included in cert.pem.
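
The answer's point as an added example (not part of the original question or answers): a bare public key fails X.509 parsing, while a self-signed certificate made from the same private key converts to DER and embeds that public key. The function names, the scratch-directory layout and the CN=example.test subject are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Each function takes a scratch directory as $1.

# Private key plus the extracted public key, as in the question.
make_key() {
    openssl genrsa -out "$1/private.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/private.pem" -pubout -out "$1/public_key.pem" 2>/dev/null
}

# The question's failing step: a PUBLIC KEY block has no subject, issuer,
# validity or signature, so it cannot be parsed as a certificate.
pubkey_is_cert() {
    openssl x509 -in "$1/public_key.pem" -noout 2>/dev/null
}

# What the answer describes: build a (self-signed) certificate from the
# private key, then convert that certificate from PEM to DER.
make_cert() {
    openssl req -new -x509 -key "$1/private.pem" -subj "/CN=example.test" \
        -days 365 -out "$1/cert.pem" 2>/dev/null &&
    openssl x509 -in "$1/cert.pem" -outform der -out "$1/public.cer"
}

# Succeeds only if the certificate embeds the same public key as public_key.pem.
cert_matches_key() {
    a=$(openssl x509 -inform der -in "$1/public.cer" -noout -pubkey |
        openssl pkey -pubin -outform der | openssl dgst -sha256)
    b=$(openssl pkey -pubin -in "$1/public_key.pem" -outform der |
        openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_key "$d" || return 1
    if pubkey_is_cert "$d"; then
        echo "unexpected: public key parsed as a certificate"
    else
        echo "public_key.pem is not a certificate (expected)"
    fi
    make_cert "$d" && cert_matches_key "$d" &&
        echo "public.cer is a DER certificate carrying the same public key"
    rm -rf "$d"
}
demo
```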

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM