When working with SSL certificates, you might encounter the frustrating error:
4562605504:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
This typically occurs when OpenSSL can't properly parse your certificate file due to incorrect formatting or file type.
The main reasons for this error include:
- The PEM file doesn't contain proper BEGIN/END certificate markers
- The file is actually in DER format but being read as PEM
- Hidden characters or encoding issues in the file
- The file contains multiple certificates in the wrong order
Here's the correct way to handle certificate conversion:
# First verify the PEM file
openssl x509 -in server.pem -text -noout
# Write the certificate out as server.crt (if needed); the output is still PEM-encoded, .crt is only the file extension
openssl x509 -outform pem -in server.pem -out server.crt
# For concatenated certificates (chain)
cat server.pem intermediate.pem root.pem > fullchain.pem
Case 1: Basic PEM to CRT conversion
# Ensure proper headers/footers
-----BEGIN CERTIFICATE-----
[base64 content]
-----END CERTIFICATE-----
Case 2: Handling certificate chains
# Proper certificate chain order:
1. Your domain certificate
2. Intermediate CA
3. Root CA
# Verify chain
openssl verify -untrusted intermediate.pem server.pem
- Use `file server.pem` to check the file type
- Try `openssl x509 -inform der -in server.pem -out server.crt` if the file is in DER format
- Check for hidden BOM characters with `cat -v server.pem`
- Ensure there is no extra whitespace at the beginning of the file
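The checklist above can be run over a file's raw bytes in one pass. The following is an added example, not part of the original article: the function names and finding labels are hypothetical, the sample bytes are constructed rather than taken from a real certificate, and the DER check is a header heuristic, not a full ASN.1 parse.

```python
import base64
import binascii
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + rb"(.*?)" + re.escape(END), re.DOTALL)

def looks_like_der(data: bytes) -> bool:
    # DER certificates start with an ASN.1 SEQUENCE tag (0x30); 0x82 means
    # a two-byte length follows, which is the usual case for certificates.
    return len(data) > 4 and data[0] == 0x30 and data[1] == 0x82

def to_pem(der: bytes) -> bytes:
    # Wrap DER bytes in PEM armor with 64-character base64 lines.
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return BEGIN + b"\n" + b"\n".join(lines) + b"\n" + END + b"\n"

def diagnose(data: bytes) -> list:
    """Return the checklist problems found in a certificate file's raw bytes."""
    if looks_like_der(data):
        return ["der-not-pem"]  # read it with: openssl x509 -inform der
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("utf8-bom")
        data = data[3:]
    if b"\r" in data:
        findings.append("crlf-line-endings")
    if data[:1].isspace():
        findings.append("leading-whitespace")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        findings.append("missing-begin-end-markers")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            findings.append(f"block-{i}-bad-base64")
            continue
        if not looks_like_der(der):
            findings.append(f"block-{i}-not-a-certificate")
    return findings

if __name__ == "__main__":
    # Constructed sample: a DER-shaped header plus padding, not a real certificate.
    sample = b"\x30\x82\x01\x00" + bytes(256)
    print(diagnose(sample))
    print(diagnose(b"\xef\xbb\xbf" + to_pem(sample).replace(b"\n", b"\r\n")))
```

An empty list means the file has the expected PEM shape; it does not mean the certificate itself is valid, which still needs `openssl x509 -text -noout`.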
For Nginx configuration:
server {
listen 443 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/server.key;
# Other configurations...
}
For Apache:
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLCertificateChainFile /path/to/intermediate.crt
When working with SSL/TLS certificates from AliCloud, you might encounter this specific OpenSSL error during certificate conversion:
4562605504:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
This typically occurs when OpenSSL can't properly parse the PEM file structure. Let's examine why this happens with AliCloud certificates.
AliCloud's free SSL certificates often come in a non-standard PEM format. Here's what a proper PEM file should look like:
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgIQA...
-----END CERTIFICATE-----
But sometimes AliCloud provides files that might:
- Have incorrect line endings
- Lack BEGIN/END markers
- Contain extra metadata
Here's the correct way to convert AliCloud's certificate to CRT format:
# First verify the PEM file structure
cat server.pem
# If needed, reformat the PEM file
sed -i -e 's/\r$//' -e '/^$/d' server.pem
# Then convert to DER format
openssl x509 -outform der -in server.pem -out server.crt
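# Verify the certificate (server.crt is now DER, so state the input format;
# without -inform der, OpenSSL 1.1.1 reads it as PEM and reports "no start line")
openssl x509 -inform der -noout -text -in server.crt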
If the above doesn't work, try these approaches:
Method 1: Explicitly specify PEM format
openssl x509 -inform pem -outform der -in server.pem -out server.crt
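Method 2: Convert to PEM first (if the file is in a different format, e.g. DER)
# -inform der tells OpenSSL the input is binary DER despite the .pem extension
openssl x509 -inform der -in server.pem -out temp.pem -outform pem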
openssl x509 -outform der -in temp.pem -out server.crt
For web servers, you might not need CRT format at all. Most servers accept PEM directly:
# Nginx example
ssl_certificate /path/to/server.pem;
ssl_certificate_key /path/to/server.key;
Remember to restart your web server after updating certificates:
sudo systemctl restart nginx
# or
sudo systemctl restart apache2
If you're still having issues:
- Check file permissions (key files should be 400)
- Verify the certificate chain is complete
- Test with OpenSSL s_client:
openssl s_client -connect yourdomain:443 -showcerts
- Ensure the system time is correct (certificates are time-sensitive)