4562605504:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

SoftTimur asked:

The certificate of my website just expired, and I bought a new (free) one from AliCloud, downloaded one server.pem file and one server.key file.

Then, I use openssl x509 -outform der -in server.pem -out server.crt to create the server.crt file. Then openssl x509 -noout -text -in server.crt returned me an error:

unable to load certificate
4562605504:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

I also tried server.crt in production, it just did not work.

Does anyone know how to properly generate .crt file?

My answer:


Likely you shouldn’t be generating anything with these openssl commands but instead should be using the server.pem file exactly as you received it.

Open the file in a text editor. If the first line of this file is:

-----BEGIN CERTIFICATE-----

Then you use it unchanged. The only thing you might need to do to it is to append any intermediate certificates, depending on your web server.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.